Share via

Azure Container App Not Scaling Down to Zero

Rhodri Hewitson 0 Reputation points
2025-03-11T15:04:09.14+00:00

Issue Description

I have an Azure Container App that is not scaling down to zero. The app consists of two containers:

  1. FusionAuth (deployed on an internally exposed port).
  2. NGINX reverse proxy (exposed on port 80, forwarding requests to port 9011).

The reason for using NGINX is that FusionAuth detected a mismatch between the reported request origin and the actual HTTP request origin, which was causing CSRF validation failures.

However, I noticed that when I run FusionAuth without the NGINX proxy, the system scales down correctly. But when NGINX is in use, the system does not scale down.

Configuration Details

Below is the Bicep script that provides some details about the deployment configuration. However, it's important to mention that this script has dependencies and additional configurations that are not included here.

NGINX Configuration:

worker_processes auto;

events {
    worker_connections 1024;
}

http {
    server_names_hash_bucket_size 128;

    include conf.d/reverse-proxy.conf;
}

NGINX Reverse Proxy Template

server {
    listen 80;
    server_name ${CONTAINER_APP_HOSTNAME};  

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_http_version 1.1;
        proxy_set_header Connection "close";

        proxy_pass http://fusion-auth:9011;
    }
}

Bicep Deployment

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: 'fusion-auth'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  tags: tags
  properties: {
    managedEnvironmentId: containerAppEnvironmentId
    configuration: {
      activeRevisionsMode: 'single'
      ingress: {
        external: true
        targetPort: 80
        transport: 'http'
        allowInsecure: false
        additionalPortMappings: [
          {
            exposedPort: 9011
            external: false
            targetPort: 9011
          }
        ]
      }
      secrets: [
        {
          name: 'nginx-config'
          value: nginxConfig
        }
        {
          name: 'nginx-template'
          value: nginxTemplate
        }
        // More secrets
      ]
    }
    template: {
      containers: [
        {
          name: 'nginx'
          image: 'nginx:1.27.4'
          volumeMounts: [
            {
              volumeName: 'nginx-config'
              mountPath: '/etc/nginx/'
            }
            {
              volumeName: 'nginx-template'
              mountPath: '/etc/nginx/templates/'
            }
            {
              mountPath: '/etc/nginx/conf.d'
              volumeName: 'confd'
            }
          ]
         // More configuration
        }
        {
          name: 'fusion-auth'
          image: 'docker.io/fusionauth/fusionauth-app:1.55.1'
          // More configuration
        }
      ]
	  probes: [
          {
            type: 'liveness'
            httpGet: {
              path: '/api/status'
              port: 9011
            }
            initialDelaySeconds: 1
            periodSeconds: 10
          }] 
      }]
      volumes: [
        {
          name: 'nginx-config'
          storageType: 'Secret'
          secrets: [
            {
              path: 'nginx.conf'
              secretRef: 'nginx-config'
            }
          ]
        }
        {
          name: 'nginx-template'
          storageType: 'Secret'
          secrets: [
            {
              path: 'reverse-proxy.conf.template'
              secretRef: 'nginx-template'
            }
          ]
        }
        {
          // This volume is needed since nginx will generate .conf from the reverse-proxy.conf.template and copy it to here
          name: 'confd' 
          storageType: 'EmptyDir'
        }
      ]
      scale: {
        maxReplicas: 1
        minReplicas: 0
      }
    }
  }
}

Additional Notes

  • Excuse the use of secret volumes, this was required to enable nginx configuration files.
  • This deployment setup includes more dependencies that are not part of the provided script.

Expected vs. Actual Behavior

Behavior Without NGINX With NGINX
Scaling Down ✅ Works as expected ❌ Does not scale down

Request for Assistance

I would appreciate any insights into why the Azure Container App fails to scale down to zero when the NGINX reverse proxy is used. Are there any additional configuration changes required for proper scaling?

Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
686 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sirra Sneha 550 Reputation points Microsoft External Staff Moderator
    2025-03-21T08:18:17.6233333+00:00

    Hi @Rhodri Hewitson ,

    It looks like the liveness probe might be preventing the container from scaling down to zero. Azure Container Apps continuously check the probe, which can keep the container active even when there’s no traffic.

    I recommend removing the liveness probe from your Bicep configuration and test if the app scales down correctly.

    If you still need health checks, try using a readiness probe instead, which only runs when the container is about to receive traffic:

    probes: [
  {
    type: 'readiness'
    httpGet: {
      path: '/api/status'
      port: 9011
    }
    initialDelaySeconds: 5
    periodSeconds: 30
  }
]

    Please refer MSdoc for better understanding of Health probes in Azure Container Apps.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment

  2. VenkateshDodda-MSFT 24,951 Reputation points Microsoft Employee Moderator
    2025-04-09T04:44:20.03+00:00

    @Rhodri Hewitson Thanks for your patience on this. Glad to know that your problem has been resolved.

    I have summarized our offline discussion and posting the same as answer for the benefit of other community members.

    Issue: Nginx container app is not scaling down to zero.

    Work Around Followed:

    Adding to the suggestion shared by @Sirra Sneha to remove the liveness probes of container apps.

    Customer has investigated further and found that they are using readiness probe of Http rather than TCP which caused the container app not to scale down to zero.

    Hope this helps, let me know if you have any questions.

    Please accept as Yes if the answer is helpful so that it can help others in the community.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.