DEV Community: Mohamed Amine Hlali The latest articles on DEV Community by Mohamed Amine Hlali (@mohamed_amine_hlali). https://dev.to/mohamed_amine_hlali https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3871769%2Ff7dfaefb-bae3-4a49-ab1b-737495fa18ce.png DEV Community: Mohamed Amine Hlali https://dev.to/mohamed_amine_hlali en GitHub Actions + Azure Container Instances: A Hands-On CI/CD Pipeline Mohamed Amine Hlali Fri, 10 Apr 2026 15:36:47 +0000 https://dev.to/mohamed_amine_hlali/github-actions-azure-container-instances-a-hands-on-cicd-pipeline-3cn6 https://dev.to/mohamed_amine_hlali/github-actions-azure-container-instances-a-hands-on-cicd-pipeline-3cn6 <p>I spend a lot of time architecting production Kubernetes environments on AKS, but I often get asked by teammates: <em>"Where do I even start with containers and CI/CD?"</em></p> <p>This post is my answer to that. It's a complete lab start to finish that covers containerizing a simple web app, pushing it to Azure Container Registry, and wiring up a GitHub Actions workflow that automatically deploys to Azure Container Instances on every push. No click-ops, no manual FTP uploads, just a clean automated pipeline.</p> <p>The whole thing should take you around 40–50 minutes on first run.</p> <h2> Why ACI and Not AKS? </h2> <p>Fair question. In production, I'd use AKS for anything serious. But ACI is genuinely perfect for demos, dev environments, and internal tooling it's serverless containers with zero cluster overhead. You push an image, Azure runs it. That simplicity makes it an ideal first step for people wrapping their head around the CI/CD loop.</p> <h2> What We're Building </h2> <p>Here's the pipeline:</p> <ol> <li>A minimal Node.js web app (HTML/CSS/JS, no framework)</li> <li>A Dockerfile to containerize it</li> <li>An Azure Container Registry (ACR) to store the image</li> <li>An Azure Container Instance (ACI) to run it</li> <li>A GitHub Actions workflow that ties it all together push to <code>main</code>, and your app updates automatically</li> </ol> <p><strong>Prerequisites:</strong></p> <ul> <li>Docker Desktop installed and running</li> <li>A GitHub account and a repo</li> <li>An Azure subscription (free trial works)</li> <li>Azure CLI installed</li> </ul> <h2> Step 1 The Application </h2> <p>I'm deliberately keeping the app trivial. The goal here is understanding the deployment pipeline, not React routing or API design.</p> <p><strong><code>index.html</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>My CI/CD Demo App<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"style.css"</span><span class="nt">&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span>Hello from Azure!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Deployed automatically via GitHub Actions<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"version"</span><span class="nt">&gt;</span>Version: 1.0.0<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"stack"</span><span class="nt">&gt;</span>Node.js · Docker · Azure Container Instances<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><strong><code>style.css</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="o">*</span> <span class="p">{</span> <span class="nl">box-sizing</span><span class="p">:</span> <span class="n">border-box</span><span class="p">;</span> <span class="p">}</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="s2">'Segoe UI'</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">justify-content</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">align-items</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">min-height</span><span class="p">:</span> <span class="m">100vh</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">linear-gradient</span><span class="p">(</span><span class="m">135deg</span><span class="p">,</span> <span class="m">#0078d4</span> <span class="m">0%</span><span class="p">,</span> <span class="m">#001a3a</span> <span class="m">100%</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.container</span> <span class="p">{</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">2rem</span><span class="p">;</span> <span class="p">}</span> <span class="nt">h1</span> <span class="p">{</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">2.5rem</span><span class="p">;</span> <span class="nl">margin-bottom</span><span class="p">:</span> <span class="m">0.5rem</span><span class="p">;</span> <span class="p">}</span> <span class="nt">p</span> <span class="p">{</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">1.2rem</span><span class="p">;</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">0.85</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.version</span> <span class="p">{</span> <span class="nl">margin-top</span><span class="p">:</span> <span class="m">2rem</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">1rem</span> <span class="m">2rem</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span><span class="m">255</span><span class="p">,</span><span class="m">255</span><span class="p">,</span><span class="m">0.12</span><span class="p">);</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">8px</span><span class="p">;</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span><span class="m">255</span><span class="p">,</span><span class="m">255</span><span class="p">,</span><span class="m">0.2</span><span class="p">);</span> <span class="p">}</span> <span class="nc">.stack</span> <span class="p">{</span> <span class="nl">margin-top</span><span class="p">:</span> <span class="m">1rem</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">0.85rem</span><span class="p">;</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">0.7</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>server.js</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">http</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">filePath</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">index.html</span><span class="dl">'</span> <span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ext</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">extname</span><span class="p">(</span><span class="nx">filePath</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">contentTypes</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">.html</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text/html</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">.css</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text/css</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">.js</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/javascript</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">contentType</span> <span class="o">=</span> <span class="nx">contentTypes</span><span class="p">[</span><span class="nx">ext</span><span class="p">]</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">text/plain</span><span class="dl">'</span><span class="p">;</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="nx">filePath</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">content</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">404</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">'</span><span class="s1">Not found</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="nx">contentType</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">; charset=utf-8</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="nx">content</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">||</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> </code></pre> </div> <p><strong><code>package.json</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cicd-demo-app"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"server.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node server.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Step 2 Containerize with Docker </h2> <p>Add a <code>Dockerfile</code> at the root of your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:20-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="nt">--production</span> <span class="k">COPY</span><span class="s"> server.js ./</span> <span class="k">COPY</span><span class="s"> index.html ./</span> <span class="k">COPY</span><span class="s"> style.css ./</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["npm", "start"]</span> </code></pre> </div> <p>What each line does:</p> <ul> <li> <code>FROM node:20-alpine</code> lightweight Linux base image with Node pre-installed</li> <li> <code>WORKDIR /app</code> sets the working directory inside the container</li> <li> <code>COPY package.json</code> → <code>RUN npm install</code> installs dependencies first (layer caching optimization)</li> <li> <code>COPY</code> remaining files copies your app code</li> <li> <code>EXPOSE 3000</code> documents the port your app listens on</li> <li> <code>CMD</code> the command that runs when the container starts</li> </ul> <p>One thing I find useful to emphasize: I didn't have Node.js installed locally when I built this. The container brings its own runtime. That's exactly the point of Docker reproducible environments that eliminate "works on my machine" problems.</p> <p><strong>Build and test locally:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> cicd-demo-app <span class="nb">.</span> docker run <span class="nt">-d</span> <span class="nt">-p</span> 3000:3000 <span class="nt">--name</span> cicd-demo cicd-demo-app </code></pre> </div> <p>Open <code>http://localhost:3000</code> and verify your app is running. Once confirmed, stop the container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker stop cicd-demo <span class="o">&amp;&amp;</span> docker <span class="nb">rm </span>cicd-demo </code></pre> </div> <h2> Step 3 Set Up Azure Resources </h2> <p>Everything from here runs in Azure CLI. Start by setting some variables so you're not repeating yourself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RG_NAME</span><span class="o">=</span><span class="s2">"rg-cicd-demo"</span> <span class="nv">ACR_NAME</span><span class="o">=</span><span class="s2">"acrcicddemodemo"</span> <span class="c"># Must be globally unique, lowercase only</span> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">"eastus"</span> <span class="nv">SUBSCRIPTION_ID</span><span class="o">=</span><span class="si">$(</span>az account show <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span> </code></pre> </div> <p><strong>Create the Resource Group and Container Registry:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az group create <span class="nt">--name</span> <span class="nv">$RG_NAME</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> az acr create <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RG_NAME</span> <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$ACR_NAME</span> <span class="se">\</span> <span class="nt">--sku</span> Basic </code></pre> </div> <p>ACR is essentially your private Docker Hub hosted inside Azure. Every image your pipeline builds gets stored here before it's deployed.</p> <p><strong>Create a Service Principal for GitHub Actions:</strong></p> <p>GitHub Actions needs an identity to authenticate with Azure and push images, create/update containers, etc. A Service Principal scoped to your resource group is the right approach here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az ad sp create-for-rbac <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"sp-github-actions-cicd"</span> <span class="se">\</span> <span class="nt">--role</span> contributor <span class="se">\</span> <span class="nt">--scopes</span> /subscriptions/<span class="nv">$SUBSCRIPTION_ID</span>/resourceGroups/<span class="nv">$RG_NAME</span> </code></pre> </div> <p>The output JSON contains four values keep them safe:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"appId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="err">→</span><span class="w"> </span><span class="err">AZURE_CLIENT_ID</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="err">→</span><span class="w"> </span><span class="err">AZURE_CLIENT_SECRET</span><span class="w"> </span><span class="nl">"tenant"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="w"> </span><span class="err">→</span><span class="w"> </span><span class="err">AZURE_TENANT_ID</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And your <code>AZURE_SUBSCRIPTION_ID</code> is just your subscription ID from earlier.</p> <p><strong>Add secrets to your GitHub repository:</strong></p> <p>Go to your repo → <strong>Settings → Secrets and variables → Actions → New repository secret</strong></p> <p>Create these four secrets:</p> <ul> <li><code>AZURE_CLIENT_ID</code></li> <li><code>AZURE_CLIENT_SECRET</code></li> <li><code>AZURE_TENANT_ID</code></li> <li><code>AZURE_SUBSCRIPTION_ID</code></li> </ul> <p>This is critical for security. We never want credentials hardcoded in workflow files, especially in a public repo. GitHub Secrets are encrypted at rest and only exposed to workflow runs.</p> <h2> Step 4 The GitHub Actions Workflow </h2> <p>Create the file <code>.github/workflows/deploy.yml</code> in your repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build and Deploy to Azure</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Azure login</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">creds</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{</span> <span class="s">"clientId": "${{ secrets.AZURE_CLIENT_ID }}",</span> <span class="s">"clientSecret": "${{ secrets.AZURE_CLIENT_SECRET }}",</span> <span class="s">"subscriptionId": "${{ secrets.AZURE_SUBSCRIPTION_ID }}",</span> <span class="s">"tenantId": "${{ secrets.AZURE_TENANT_ID }}"</span> <span class="s">}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Azure Container Registry</span> <span class="na">run</span><span class="pi">:</span> <span class="s">az acr login --name acrcicddemodemo</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push image to ACR</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">az acr build \</span> <span class="s">--registry acrcicddemodemo \</span> <span class="s">--image cicd-demo-app:${{ github.sha }} \</span> <span class="s">--image cicd-demo-app:latest \</span> <span class="s">--file Dockerfile \</span> <span class="s">.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Azure Container Instances</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">az container create \</span> <span class="s">--resource-group rg-cicd-demo \</span> <span class="s">--name cicd-demo-app \</span> <span class="s">--image acrcicddemodemo.azurecr.io/cicd-demo-app:latest \</span> <span class="s">--registry-login-server acrcicddemodemo.azurecr.io \</span> <span class="s">--registry-username ${{ secrets.AZURE_CLIENT_ID }} \</span> <span class="s">--registry-password ${{ secrets.AZURE_CLIENT_SECRET }} \</span> <span class="s">--dns-name-label cicd-demo-app \</span> <span class="s">--ports 80 \</span> <span class="s">--os-type Linux \</span> <span class="s">--cpu 1 \</span> <span class="s">--memory 1 \</span> <span class="s">--environment-variables PORT=80</span> </code></pre> </div> <p><strong>Breaking down what happens on each run:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><code>checkout</code></td> <td>Pulls the latest code from your repo</td> </tr> <tr> <td><code>azure/login</code></td> <td>Authenticates to Azure using the Service Principal</td> </tr> <tr> <td><code>acr login</code></td> <td>Authenticates to your private container registry</td> </tr> <tr> <td><code>acr build</code></td> <td>Builds the Docker image <strong>in Azure</strong> (not locally) and stores it in ACR with two tags: the commit SHA and <code>latest</code> </td> </tr> <tr> <td><code>container create</code></td> <td>Creates or updates the ACI container group with the new image</td> </tr> </tbody> </table></div> <p>A couple of things worth highlighting:</p> <ul> <li> <strong><code>az acr build</code> runs the Docker build on Azure's infrastructure</strong>, not on the GitHub runner. This means your GitHub runner doesn't need Docker installed, and you avoid pushing large images over the network.</li> <li> <strong>Tagging with <code>${{ github.sha }}</code></strong> gives you immutable image versions per commit you can always roll back to a specific SHA if something breaks.</li> <li> <strong><code>workflow_dispatch</code></strong> lets you trigger the pipeline manually from the GitHub UI without needing to push code. Useful for re-deploys or debugging.</li> </ul> <h2> Step 5 Push and Watch It Run </h2> <p>Commit everything and push to <code>main</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Initial deployment: v1.0.0"</span> git push origin main </code></pre> </div> <p>Head to your repository on GitHub → <strong>Actions</strong> tab. You'll see the workflow kick off automatically. Each step will show its status in real time.</p> <p>Once the workflow completes (usually 2–4 minutes), you can find your container's public URL in the Azure Portal under your resource group, or via CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az container show <span class="se">\</span> <span class="nt">--resource-group</span> rg-cicd-demo <span class="se">\</span> <span class="nt">--name</span> cicd-demo-app <span class="se">\</span> <span class="nt">--query</span> ipAddress.fqdn <span class="se">\</span> <span class="nt">-o</span> tsv </code></pre> </div> <p>The URL will look something like <code>cicd-demo-app.eastus.azurecontainer.io</code>. One important note: ACI by default only exposes HTTP on port 80, but modern browsers may try to force HTTPS. If you get a connection error, explicitly use <code>http://</code> in the URL.</p> <h2> Step 6 Test the Continuous Deployment </h2> <p>This is the part that usually gets a reaction from people who haven't seen CI/CD before.</p> <p>Open <code>index.html</code> and change <code>Version: 1.0.0</code> to <code>Version: 2.0.0</code>. Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Bump to v2.0.0"</span> git push </code></pre> </div> <p>Watch the Actions tab. The pipeline triggers again automatically, rebuilds the image with the new code, and updates the running container. No FTP, no SSH, no manual steps. The container updates itself.</p> <p>If you're impatient and want to see the change immediately without waiting for the browser cache or Azure DNS to update:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az container restart <span class="se">\</span> <span class="nt">--name</span> cicd-demo-app <span class="se">\</span> <span class="nt">--resource-group</span> rg-cicd-demo </code></pre> </div> <h2> Cleanup </h2> <p>Don't forget to clean up your Azure resources when you're done to avoid unexpected charges:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az group delete <span class="nt">--name</span> rg-cicd-demo <span class="nt">--yes</span> <span class="nt">--no-wait</span> </code></pre> </div> <p>This removes the resource group, ACR, and ACI in one shot.</p> <h2> What's Next From Here </h2> <p>This lab uses ACI, which is great for experimentation and internal tooling, but has real limitations for production workloads (no auto-scaling, limited health check options, etc.).</p> <p>Here's how I'd think about the progression:</p> <ul> <li> <strong>Azure Container Apps</strong> if you need autoscaling and KEDA-based event-driven scaling without managing a cluster</li> <li> <strong>Azure Kubernetes Service (AKS)</strong> when you're running microservices, need fine-grained networking, or require advanced deployment strategies (blue/green, canary)</li> <li> <strong>Azure App Service</strong> if you just need a web app and don't want to think about containers at all</li> </ul> <p>The CI/CD workflow pattern we built here translates directly to all three. The <code>az container create</code> command becomes <code>az containerapp update</code>, <code>kubectl apply</code>, or <code>az webapp deploy</code> the GitHub Actions structure stays the same.</p> <h2> Key Takeaways </h2> <p>Working through this lab cements a few things that are easy to miss when you're reading about DevOps in the abstract:</p> <p><strong>Containers solve environment parity.</strong> The app runs identically on your laptop, the GitHub runner, and Azure because it carries its own runtime. The classic "works on my machine" problem disappears.</p> <p><strong>CI/CD is just automation with a trigger.</strong> Once you see it push code, pipeline runs, container updates it's hard to go back to manual deployments.</p> <p><strong>Infrastructure as code from day one.</strong> The workflow YAML lives in your repository. Anyone can clone the repo and reproduce the exact same pipeline. That's the difference between a one-off script and an actual engineering practice.</p> <p><strong>Secrets management matters.</strong> Even in a simple demo, keeping credentials out of code and using GitHub Secrets is non-negotiable, especially with public repositories.</p> <p>If you have questions or want to extend this adding health checks, multi-environment pipelines, or integrating with Key Vault for secrets drop a comment below. Happy to dig into any of it.</p> azure webdev ai programming Azure Kubernetes Security: Checklist and Best Practices Mohamed Amine Hlali Fri, 10 Apr 2026 12:47:52 +0000 https://dev.to/mohamed_amine_hlali/azure-kubernetes-security-checklist-and-best-practices-3e89 https://dev.to/mohamed_amine_hlali/azure-kubernetes-security-checklist-and-best-practices-3e89 <p>Kubernetes has become the dominant platform for container orchestration. As cloud-native architecture takes over enterprise IT, securing your Azure Kubernetes Service (AKS) environment is no longer optional it's critical.</p> <p>This guide covers everything you need: how AKS security works, the key challenges, best practices, and a production-ready checklist.</p> <h2> What Is Azure Kubernetes Security? </h2> <p>Azure Kubernetes Security is the set of practices, protocols, and tools that protect Kubernetes clusters running on Microsoft Azure. It covers three main areas:</p> <ul> <li> <strong>Identity &amp; access control</strong> who can do what inside the cluster</li> <li> <strong>Network security</strong> controlling traffic between pods, namespaces, and external services</li> <li> <strong>Continuous monitoring</strong> detecting threats and anomalies in real time</li> </ul> <h2> Why It Matters </h2> <p>Here are the top reasons AKS security deserves serious attention:</p> <ol> <li> <strong>Growing threat landscape</strong> Kubernetes-specific attacks are increasing as cloud adoption grows</li> <li> <strong>Compliance requirements</strong> GDPR, HIPAA, and other regulations mandate proper data protection</li> <li> <strong>High cost of breaches</strong> Beyond data loss: legal fees, fines, and reputational damage</li> <li> <strong>Shared responsibility model</strong> Azure secures the control plane; <em>you</em> secure the workloads</li> <li> <strong>Microservices complexity</strong> Every service-to-service connection is a potential attack vector</li> </ol> <h2> How AKS Security Works </h2> <h3> 1. Identity &amp; Access (AAD + RBAC) </h3> <p>Integrate AKS with Azure Active Directory and enforce Role-Based Access Control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks create <span class="se">\</span> <span class="nt">--resource-group</span> myRG <span class="se">\</span> <span class="nt">--name</span> myAKSCluster <span class="se">\</span> <span class="nt">--enable-aad</span> <span class="se">\</span> <span class="nt">--aad-admin-group-object-ids</span> &lt;group-object-id&gt; </code></pre> </div> <p>Apply least-privilege RBAC roles for developers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer-readonly</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">services"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> </code></pre> </div> <h3> 2. Network Security Default Deny </h3> <p>Block all traffic by default, then allow only what's needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">deny-all-ingress</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> </code></pre> </div> <h3> 3. Secrets Management with Azure Key Vault </h3> <p>Never store secrets in YAML manifests. Use the Secrets Store CSI Driver:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">secrets-store.csi.x-k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">SecretProviderClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">azure-kvname</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">azure</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">keyvaultName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">myKeyVault"</span> <span class="na">objects</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">array:</span> <span class="s">- |</span> <span class="s">objectName: mySecret</span> <span class="s">objectType: secret</span> <span class="na">tenantId</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;tenant-id&gt;"</span> </code></pre> </div> <h3> 4. Pod Security Standards </h3> <p>Enforce security at the namespace level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">production</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">pod-security.kubernetes.io/enforce</span><span class="pi">:</span> <span class="s">restricted</span> </code></pre> </div> <h3> 5. Resource Limits </h3> <p>Prevent resource exhaustion attacks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">LimitRange</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default-limits</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">default</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">defaultRequest</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Container</span> </code></pre> </div> <h2> Top 5 Best Practices </h2> <p><strong>Use Private Clusters</strong> Remove public API server exposure entirely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks create <span class="se">\</span> <span class="nt">--resource-group</span> myRG <span class="se">\</span> <span class="nt">--name</span> myPrivateCluster <span class="se">\</span> <span class="nt">--enable-private-cluster</span> </code></pre> </div> <p><strong>Enable Defender for Containers</strong> Runtime threat detection at cluster and node level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks update <span class="se">\</span> <span class="nt">--resource-group</span> myRG <span class="se">\</span> <span class="nt">--name</span> myAKSCluster <span class="se">\</span> <span class="nt">--enable-defender</span> </code></pre> </div> <p><strong>Use Managed Identities</strong> Eliminate service principal credential management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks update <span class="se">\</span> <span class="nt">--resource-group</span> myRG <span class="se">\</span> <span class="nt">--name</span> myAKSCluster <span class="se">\</span> <span class="nt">--enable-managed-identity</span> </code></pre> </div> <p><strong>Enable Auto-Upgrade</strong> Stay patched against known CVEs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks update <span class="se">\</span> <span class="nt">--resource-group</span> myRG <span class="se">\</span> <span class="nt">--name</span> myAKSCluster <span class="se">\</span> <span class="nt">--auto-upgrade-channel</span> stable </code></pre> </div> <p><strong>Scan Images in CI/CD</strong> Catch vulnerabilities before they reach production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Trivy vulnerability scanner</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s1">'</span><span class="s">myacr.azurecr.io/myapp:latest'</span> <span class="na">severity</span><span class="pi">:</span> <span class="s1">'</span><span class="s">CRITICAL,HIGH'</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> </code></pre> </div> <h2> AKS Security Checklist ✅ </h2> <h3> Identity &amp; Access </h3> <ul> <li>[ ] AAD integration enabled</li> <li>[ ] RBAC with least-privilege roles enforced</li> <li>[ ] Managed identities used (no service principal secrets)</li> <li>[ ] Workload Identity enabled for pods</li> </ul> <h3> Network </h3> <ul> <li>[ ] Private cluster (no public API server)</li> <li>[ ] Default-deny NetworkPolicies applied</li> <li>[ ] Azure Firewall / NSGs configured</li> <li>[ ] Authorized IP ranges set for API access</li> </ul> <h3> Workloads </h3> <ul> <li>[ ] Pod Security Standards enforced (restricted)</li> <li>[ ] All containers run as non-root</li> <li>[ ] Read-only root filesystem where possible</li> <li>[ ] CPU/memory limits defined for all containers</li> </ul> <h3> Secrets &amp; Data </h3> <ul> <li>[ ] No secrets in manifests or images</li> <li>[ ] Azure Key Vault integrated via CSI Driver</li> <li>[ ] etcd encryption at rest enabled</li> </ul> <h3> Monitoring </h3> <ul> <li>[ ] Microsoft Defender for Containers enabled</li> <li>[ ] Kubernetes audit logs → Log Analytics</li> <li>[ ] Azure Policy for Kubernetes applied</li> <li>[ ] Image scanning in CI/CD pipeline</li> <li>[ ] Auto-upgrade channel configured</li> </ul> <h2> Conclusion </h2> <p>AKS security is a continuous practice not a one-time configuration. The platform gives you a strong foundation with its managed control plane and native integrations, but workload security is your responsibility.</p> <p>Start with the basics: private clusters, AAD + RBAC, Key Vault for secrets, and Defender for monitoring. Then build on that foundation with network policies, pod security standards, and automated image scanning.</p> <p>The checklist above is a solid starting point for any production AKS deployment.</p> azure kubernetes security devops