Zhihui Zhang (GK), Technical Led


Run containerized applications in Web App for Containers

Azure provides several ways to run containerized applications:

  • In a virtual machine
  • In a Azure Kubernetes Service
  • In a Web App for Containers
  • In a Container Instance

There are several benifits to deploy containerized applications in Web App for Containers:

  • The platform automatically takes care of OS patching, capacity provisioning, and load balancing.
  • App Service creates an association with the selected repository, so your apps are updated each time your source code changes
  • Automatically scale vertically and horizontally based on application needs, like a traditional App Service
  • Use deployment slots to swap staging to production in seconds, or roll back to previous versions without downtime
  • Other great out of box features like Azure Monitor, High Availability & Enterprice-grade services

Create a Web App for Containers

A Web App can be created either from the Azure Portal or from the Azure CLI.

Create from the Azure Portal

In Azure portal, create a resource by finding the resource type 'Web App for Containers'.

During the creating steps, there is an extra configuration "Configure container" which is not in a traditional Web App. This configuration is to specify where the docker image is from. The docker image can be from docker hub, Azure container registries or any other private registries.

If you're trying to create a multiple containers app, a docker-compose co`nfiguration can be specified by uploading a yaml file or just filling up the content of the configuration

Create from the Azure CLI

To create a single container app:

az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app_name> --deployment-container-image-name <docker-ID>/mydockerimage:v1.0.0

To create a multiple containers app:

az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app_name> --multicontainer-config-type compose --multicontainer-config-file mycompose.yml

Configure environment variables

If you need to set an environment variable for your application, simply add an App Setting in the Azure portal. When your app runs, we will inject the app setting into the process as an environment variable automatically.

App settings can be set from the Azure portal or from the Azure CLI, for example to set the exposed port with 'WEBSITES_PORT':

az webapp config appsettings set --resource-group myResourceGroup --name <app_name> --settings WEBSITES_PORT=8000


Only alpha-numeric characters and the underscore character are allowed for an App Setting's name

You can use an app setting called WEBSITES_ENABLE_APP_SERVICE_STORAGE to control whether or not the /home directory of your app is mapped to Azure Storage. If you need files to be persisted in scale operations or across restarts, you should add this app setting and set it to "true". If you don't require file persistence, you can set this app setting to false.

Enable storage persistence (Volumes of a container)

There are 2 ways to persist mounted volumes of containers in a Web App for Container:

Option 1

Persist /home directory in an App Service by setting App Setting WEBSITES_ENABLE_APP_SERVICE_STORAGE to true, and mount a docker volume to the /home directory, for example, configure the volumes in the docker-compose file:

version: '3.3'
    image: microsoft/multicontainerwordpress
      - ${WEBAPP_STORAGE_HOME}/site/wwwroot:/var/www/html
      - "8000:80"
    restart: always

${WEBAPP_STORAGE_HOME} is an environment variable in App Service that is mapped to persistent storage for your app

Option 2:

Link a storage account to the Web App for containers (still in preview)

  • Create a Azure file share from the portal:

or via the CLI:

az storage share create --name files --quota 2048 --connection-string myconnectionstring

Link the storage using CLI

az webapp config storage-account add -g RESOURCE_GROUP -n APP_NAME \
--custom-id CustomId [Unique identifier for this storage mapping] \
--storage-type [Azure storage type: AzureFiles or AzureBlob] \
--account-name [Azure storage account name] \
--share-name [Azure storage share/file name] \
--access-key [storage access key] \
--mount-path [/path/to/mount within the container]


az webapp config storage-account add -g AppSvcBYOSDemoSite -n AppSvcBYOSDemoSite -custom-id MediaVolume -storage-type AzureBlob -account-name appsvcbyosdemo -share-name mediablob -access-key <youraccesskey> -mount-path /var/myapp


  "MediaVolume": {
    "accessKey": "youraccesskey",
    "accountName": "appsvcbyosdemo",
    "mountPath": "/var/myapp",
    "shareName": "mediablob",
    "state": "Ok",
    "type": "AzureBlob"

At this point, your web application will have the storage mounted at /var/media and your web application has full access to this storage. If you want to use the mounted storage account in a Multi-container web app, you need to specify thecustom-idof your storage account in the volumes block of your container definition in the Docker-Compose or Kubernetes yaml file, for example:

version: "3"
        image: “mydocker/image:latest”
            - "80:80"
            - MediaVolume:/var/media
        image: "redis:alpine"

Connect to Web App for Containers using SSH

SSH enables secure communication between a container and a client. In order for a custom Docker image to support SSH, you must build it into a Dockerfile. You enable SSH in the Docker file itself.

  •  RUN instruction that calls apt-get, then sets the password for the root account to "Docker!".
ENV SSH_PASSWD "root:Docker!"
RUN apt-get update \
        && apt-get install -y --no-install-recommends dialog \
        && apt-get update \
  && apt-get install -y --no-install-recommends openssh-server \
  && echo "$SSH_PASSWD" | chpasswd


This configuration does not allow external connections to the container. SSH is available only through the Kudu/SCM Site. The Kudu/SCM site is authenticated with the publishing credentials.

A COPY instruction that instructs the Docker engine to copy the sshd_config file to the /etc/ssh/ directory. Your configuration file should be based on this "sshd_config" file.

COPY sshd_config /etc/ssh/


The sshd_config file must include the following items:
Ciphers must include at least one item in this list: aes128-cbc,3des-cbc,aes256-cbc.
MACs must include at least one item in this list: hmac-sha1,hmac-sha1-9

An EXPOSE instruction that exposes port 2222 in the container. Although the root password is known, port 2222 cannot be accessed from the internet. It is an internal port accessible only by containers within the bridge network of a private virtual network. After that, commands copy SSH configuration details and start the ssh service.

EXPOSE 8000 2222

Make sure to start the ssh service by using a shell script in the /bin directory.

service ssh start

Web App for Containers does not allow external connections to the container. SSH is available only through the Kudu site, which is accessible at https://.scm.azurewebsites.net.