Gap-3: Container Apps Operate (C → A) — Revisions, day-2 ops, networking #1637
Pull request overview
Adds operational reference documentation for Azure Container Apps covering revision management, day-2 operations, and networking/custom domains to support “operate (C → A)” readiness.
Changes:
- Introduces revision management guidance (modes, traffic splitting, rollback) with Bicep/Terraform/CLI examples
- Adds day-2 operational runbooks (restart/exec/logs/env updates/secrets & rotation)
- Documents networking patterns (ingress modes, VNet integration, custom domains/TLS, IP restrictions)
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| plugin/skills/azure-prepare/references/services/container-apps/revisions.md | New doc for revision modes, traffic splitting patterns, rollback, and IaC examples |
| plugin/skills/azure-prepare/references/services/container-apps/networking.md | New doc for ingress/VNet/custom domain/TLS/IP restriction guidance |
| plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md | New doc for day-2 ops tasks including logs, exec, env/secret updates, rotation workflow |
| | `Multiple` | Multiple revisions run simultaneously with traffic splitting | Production blue/green, canary | | ||
|
|
||
| ## Setting Revision Mode (Bicep) | ||
|
|
This Bicep example implies you can configure traffic weights to two specific revisions (${appName}--v1/--v2) at deploy time, but a single Container App deployment only creates one new revision. Referencing non-existent revisions is likely to fail validation or be misleading. Consider showing only activeRevisionsMode: 'Multiple' in the Bicep snippet, and document traffic splitting as a follow-up step once the additional revision exists (or use latestRevision: true / label-based routing examples where applicable).
| ### Blue/Green Deployment | ||
|
|
||
| Route 100% to the current revision, deploy a new one, validate, then switch: | ||
|
|
The note about new revisions getting 0% traffic is stated as unconditional and the follow-up uses a hard-coded-looking revision name ($APP--new-rev). In practice, whether the new revision receives traffic depends on existing traffic rules, and revision names are not predictable. Suggest updating the guidance to (1) explain the conditional behavior (e.g., existing weights remain; otherwise latest may receive 100%), and (2) show using an explicit $NEW_REVISION value derived from az containerapp revision list or use labels and --label-weight for stable/canary routing.
| Revert instantly by redirecting all traffic to the previous revision: | ||
|
|
||
| ```bash | ||
| # List active revisions | ||
| az containerapp revision list -n $APP -g $RG -o table | ||
|
|
||
| # Roll back to previous revision | ||
| az containerapp ingress traffic set -n $APP -g $RG \ | ||
| --revision-weight "$APP--previous-rev=100" |
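Review bot: `-n $APP -g $RG` is unquoted in both commands while the `--revision-weight` argument on the last line is quoted; quote them consistently (`-n "$APP" -g "$RG"`) so an empty or space-containing value fails visibly instead of shifting the argument list. The snippet also stops at the traffic change with no verification step; consider ending it with `az containerapp ingress traffic show -n "$APP" -g "$RG"` so the reader confirms where traffic actually landed.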
The rollback example uses $APP--previous-rev as if “previous” were a valid revision identifier. Since revision names aren’t semantic and aren’t predictable, this is likely to mislead readers. Recommend using labels for rollback (e.g., keep stable pointing at the known-good revision and shift --label-weight stable=100) or instruct readers to copy/paste the actual revision name from az containerapp revision list.
| Revert instantly by redirecting all traffic to the previous revision: | |
| ```bash | |
| # List active revisions | |
| az containerapp revision list -n $APP -g $RG -o table | |
| # Roll back to previous revision | |
| az containerapp ingress traffic set -n $APP -g $RG \ | |
| --revision-weight "$APP--previous-rev=100" | |
| Revert instantly by redirecting all traffic to a known-good revision (for example, one labeled `stable`): | |
| ```bash | |
| # List active revisions and confirm which one is labeled "stable" | |
| az containerapp revision list -n $APP -g $RG -o table | |
| # Roll back by sending 100% of traffic to the "stable" label | |
| az containerapp ingress traffic set -n $APP -g $RG \ | |
| --label-weight stable=100 |
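The two review comments above ask for revision names to be taken from `az containerapp revision list` rather than written as `$APP--new-rev` or `$APP--previous-rev`. The sketch below is an added example, not code from this pull request or its docs: it resolves the serving revision and a rollback target from tab-separated list output. The sample rows, the function names and the `--query` property names are assumptions.

```bash
#!/usr/bin/env bash
# Rows on stdin are tab-separated: name, createdTime, active, healthState, trafficWeight.
# Assumed source (property names are an assumption about the CLI's JSON output):
#   az containerapp revision list -n "$APP" -g "$RG" -o tsv --query \
#     "[].[name, properties.createdTime, properties.active, properties.healthState, properties.trafficWeight]"
# Timestamps are compared as strings, so they must share one ISO 8601 format and offset.

# Constructed sample rows, not output from a real app.
sample_revisions() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    'web--k3x9q2a' '2024-05-01T09:00:00+00:00' 'True'  'Healthy'   '0' \
    'web--p7m4z1c' '2024-05-03T14:30:00+00:00' 'True'  'Healthy'   '0' \
    'web--t2h8w5d' '2024-05-04T08:15:00+00:00' 'False' 'Healthy'   '0' \
    'web--b6n0r3e' '2024-05-06T11:45:00+00:00' 'True'  'Unhealthy' '100'
}

# Name of the revision currently holding the largest traffic weight.
serving_revision() {
  awk -F '\t' 'NR == 1 || ($5 + 0) > max { max = $5 + 0; name = $1 } END { print name }'
}

# Newest active, healthy revision created before the serving one; exit 1 if none.
rollback_target() (
  rows=$(cat)
  current=$(printf '%s\n' "$rows" | serving_revision)
  printf '%s\n' "$rows" | awk -F '\t' -v cur="$current" '
    $1 == cur { cur_ts = $2 }
    { name[NR] = $1; ts[NR] = $2; ok[NR] = (tolower($3) == "true" && $4 == "Healthy") }
    END {
      for (i = 1; i <= NR; i++)
        if (ok[i] && name[i] != cur && ts[i] < cur_ts && ts[i] > best_ts) {
          best_ts = ts[i]; best = name[i]
        }
      if (best == "") exit 1
      print best
    }'
)

# Print (do not run) the traffic command with the resolved name filled in.
rollback_command() (
  target=$(rollback_target) || { echo "no healthy earlier revision found" >&2; exit 1; }
  printf 'az containerapp ingress traffic set -n "$APP" -g "$RG" --revision-weight "%s=100"\n' "$target"
)

sample_revisions | rollback_command
```

The inactive row is skipped even though it is newer than the chosen target, and the function fails rather than printing a command when no earlier healthy revision exists.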
| } | ||
| ``` | ||
|
|
||
| > 💡 **Tip:** Internal apps get a `*.internal.<env-default-domain>` FQDN accessible only within the VNet. |
This overstates the accessibility constraint: internal ingress is not inherently “VNet-only” in all cases; it’s primarily non-internet accessible and is reachable from within the Container Apps environment, and (when the environment is VNet-injected) also from the VNet. Suggest rewording to distinguish 'within the environment' vs 'within the VNet' (when applicable) to avoid incorrect operational expectations.
| Azure automatically provisions and renews TLS certificates for custom domains — no manual cert management required. | ||
|
|
||
| ## IP Restrictions | ||
|
|
The ipSecurityRestrictions entries don’t specify an explicit evaluation order (e.g., priority/rulePriority). If the platform/API requires a priority field (or if ordering is otherwise not guaranteed), this snippet may fail deployment or behave unpredictably. Recommend adding explicit priorities (and ensuring deny-all is evaluated last) to make the example deterministic and valid.
| ## Secret Management | ||
|
|
||
| ### Create and Update Secrets | ||
|
|
The example uses a real-looking plaintext password value in a command. Even as documentation, this can normalize unsafe patterns and increases the risk of copy/paste into shells/history. Suggest replacing with a clear placeholder (e.g., <password>), and adding a short note to prefer Key Vault references and avoid putting secrets in command lines (shell history/CI logs).
🔍 Token Analysis Report
fatal: path 'plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md' exists on disk, but not in 'origin/main'
📊 Token Change Report
Comparing
Summary
Changed Files
📊 Token Limit Check Report
Checked: 527 files
Consider moving content to references/ subdirectories.
Automated token analysis. See skill authoring guidelines for best practices.
Closes #1611 | Parent: #1608
3 files: revisions.md (traffic splitting, rollback), day2-operations.md (restart, exec, log streaming), networking.md (VNet, ingress, custom domains).