Blue/Green Deployment Strategy for .NET Aspire + Azure Container Apps + Azure Developer CLI

Question

Blue/Green Deployment Strategy for .NET Aspire + Azure Container Apps + Azure Developer CLI

Faisal Riaz 150

We have a production environment built using .NET Aspire, deployed to Azure Container Apps (ACA).

Our deployments are primarily done through a CI/CD pipeline configured using azd pipeline config (Azure Developer CLI generated pipeline). As a fallback mechanism, we occasionally use azd up manually if the pipeline is unavailable or requires emergency deployment.

Current architecture includes:

Azure Application Gateway v2 (WAF)
Internal Azure Container Apps Environment
Multiple container apps:
- portal-app
  - admin-app
    - portal-api
      - admin-api
        
        background jobs
        
        Private DNS Zones
        
        Azure Key Vault
        
        IAM VM / NGINX reverse proxy
        
        Private endpoints for DB and Key Vault
        
        Internal Load Balancer
        
        Managed identities

Current Deployment Model

CI/CD pipeline generated and configured using:
- azd pipeline config
Infrastructure and application deployment managed through:
- Azure Developer CLI (azd)
- .NET Aspire orchestration
Emergency/manual deployments are occasionally executed using:
- azd up

Currently, deployments update the existing Azure Container Apps environment directly.

Requirement

Clients are requesting a Blue/Green deployment strategy with:

Near-zero downtime
Easy rollback capability
Ability to validate a new release before switching production traffic
Minimal impact on private networking and internal services
Compatibility with:
- .NET Aspire
- Azure Developer CLI (azd)
- Existing CI/CD pipelines

Questions

What is the recommended approach for implementing Blue/Green deployments with Azure Container Apps in this type of architecture?
Considering we use .NET Aspire and azd pipeline config, what is the Microsoft-recommended deployment pattern?
Should we:
- Maintain separate Container Apps environments (blue/green)?
- Maintain separate Aspire environments/stamps?
- Use separate Application Gateway backend pools?
How does Blue/Green deployment work when using:
- Internal-only ACA ingress
- Application Gateway WAF
- Private DNS Zones
- Managed identities
- Private endpoints
- VNet peering
How should CI/CD pipelines generated via azd pipeline config be adapted to support:
- Blue/Green deployments
- Pre-production validation
- Automated rollback
- Traffic switching
What are the best practices for:
- Secret and certificate management
- Rollback strategy
1. Are there any Microsoft reference architectures, sample repositories, or enterprise guidance for Blue/Green deployments using:
  - Azure Container Apps
    - .NET Aspire
      - Azure Developer CLI (azd)

Any recommendations, production experiences, or official guidance would be greatly appreciated.

Pravallika KV 15,460 Reputation points Microsoft External Staff Moderator

2026-05-07T12:09:08.11+00:00
Hi @Faisal Riaz ,

Thanks for reaching out to Microsoft Q&A.

It looks like you’re aiming for a true Blue/Green deployment on Azure Container Apps with .NET Aspire and azd-driven pipelines zero downtime, easy rollback, private networking…it’s all doable with Container Apps’ built-in revision & traffic-splitting features.

Check the below approach, some pipeline patterns and best practices:

Leverage Container Apps revisions & traffic splitting

Enable multiple active revisions in your Container Apps (configuration.activeRevisionsMode=“multiple”).

Deploy each new version as a new revision and label it “green” (old revision is “blue”).

Assign 0% weight to green initially, perform validation against its label-specific FQDN (e.g. green.<your-app>.azurecontainerapps.io).

Once validated, shift 100% traffic to green: az containerapp ingress traffic set --name <app> --resource-group <rg> --label-weight blue=0 green=100

If something goes wrong, simply switch back to blue by reverting weights.

Keeping it all inside your existing ACA Environment vs. separate stamps

Recommended: Single Container Apps environment. You don’t need two separate ACA environments—revisions/labels handle traffic isolation.

You’ll still use your internal VNet-isolated Container Apps environment. Traffic routing is managed by your internal App Gateway plus Private DNS.

Application Gateway backend pools can reference the labeled FQDNs or the Container Apps custom domain, so you just update route weight in App GW when switching.

Integrating with Azure Developer CLI / azd pipelines

azd pipeline config can be extended with extra steps:

Step “Build & publish” pushes a new Docker image.

Step “Deploy green revision” runs az containerapp update/create with --revision-suffix and --label green, weight 0.

Step “Validate” runs your smoke/performance tests against green label URL.

Step “Traffic switch” (conditional on tests) runs az containerapp ingress traffic set to shift 100% to green.

Step “Rollback” (on test or production failure) reverses the weights back to blue.

You can implement those as Azure DevOps YAML jobs or GitHub Actions, just wrap the azure-cli calls.

Networking, DNS & App Gateway considerations

Internal-only ingress: your Container Apps environment sits in the VNet, and the App Gateway (WAF v2) fronts it.

Use Azure Private DNS Zones for your custom domain and map both blue and green labels (or use CNAME to the built-in FQDN).

App Gateway backend pools can point to the ACA internal endpoint via private IP or FQDN. When you switch traffic, you can either:

Update App GW routing rules/CSS to point to the new label FQDN, or

Keep App GW untouched and rely on Container Apps’ built-in traffic weights (preferred).

Managed identities, key vault private endpoints, DB endpoints, etc. all remain unchanged because you’re not tearing down environments only spinning up new revisions.

Secrets & certificates

Store all secrets/certs in Azure Key Vault.

Use Container Apps’ Key Vault references (via managed identity) so each revision automatically picks up the right values.

With .NET Aspire you can wire IConfiguration to Azure Key Vault references, so no changes needed between blue/green.

Rollback strategy

Keep the last stable revision labeled “blue.” Never delete it until green has been live and stable for your SLA window.

In your pipeline maintain a pointer or variable for the last known good revision ID—so you can automate the rollback script easily.

Reference architectures & samples

Official Blue/Green in Container Apps (azure-cli & Bicep)

GitHub sample workflow “containerapps-blue-green”

Deploy a Container Apps environment into a VNet

Quickstart: create an environment and container app via CLI
Faisal Riaz 150 Reputation points

2026-05-08T05:37:30.1+00:00

Thanks @Pravallika KV for your reply.
Infrastructure details i shared are already established and working. Now I want to implement Blue/Green Deployment.
I have following queries/confusions:
1- Do i need to change my Aspire.Appshost Program.cs ? I think yes but how ?
2- Do i need to add Blue/Green deployment suffix ? I think yes, but keeping in view of my project where should i change it ?
3- Do i need to change infra/bicep files ? i think yes but would it be change automatically based on my apphost program.cs / manifest file ?
4- Do i need to change my existing azd pipeline config yaml file for blue/green deployment ? I think yes and how to switch between blue and green deployment in the same pipeline or different pipeline? How should i change my existing pipeline.
5- I am using sequential deployment with templates.
6- What would be the effect on cache and background server with respect to Green/Blue deployment since there is almost no change in both containers for each deployment.

Hope I am able to convey my point.
Faisal Riaz 150 Reputation points

2026-05-11T04:46:27.1966667+00:00

Thanks for comprehensive reply, will try out the recommended solution and revert back in case of any issues.

Answer accepted by question author

0 additional answers

Your answer

Faisal Riaz 150 Reputation points

2026-05-08T05:37:30.1+00:00

Thanks @Pravallika KV for your reply.
Infrastructure details i shared are already established and working. Now I want to implement Blue/Green Deployment.
I have following queries/confusions:
1- Do i need to change my Aspire.Appshost Program.cs ? I think yes but how ?
2- Do i need to add Blue/Green deployment suffix ? I think yes, but keeping in view of my project where should i change it ?
3- Do i need to change infra/bicep files ? i think yes but would it be change automatically based on my apphost program.cs / manifest file ?
4- Do i need to change my existing azd pipeline config yaml file for blue/green deployment ? I think yes and how to switch between blue and green deployment in the same pipeline or different pipeline? How should i change my existing pipeline.
5- I am using sequential deployment with templates.
6- What would be the effect on cache and background server with respect to Green/Blue deployment since there is almost no change in both containers for each deployment.

Hope I am able to convey my point.
Faisal Riaz 150 Reputation points

2026-05-11T04:46:27.1966667+00:00

Thanks for comprehensive reply, will try out the recommended solution and revert back in case of any issues.

Answer 1

Faisal Riaz, Please find responses to your questions below:

Changes required in Aspire.AppHost Program.cs

In most cases, no major changes are required in Aspire.AppHost Program.cs.

Blue/Green deployment with Azure Container Apps is primarily handled through:

ACA revisions
Revision labels
Traffic switching
CI/CD orchestration

Your Aspire AppHost can generally remain unchanged.

Optionally, you may add deployment slot/environment metadata, logging tags, telemetry attributes

Example:

DEPLOYMENT_SLOT = blue/green
revision identifier for diagnostics

However, separate Aspire manifests or separate AppHost projects are typically NOT required for ACA revision-based Blue/Green deployments.

Blue/Green deployment suffix

Yes, using revision suffixes is recommended.

However, the suffix should normally be added during deployment/pipeline execution, not directly inside the application code.

Recommended approach:

Add revision suffix in Azure CLI deployment commands within the pipeline.

Example: az containerapp update --revision-suffix green-$(Build.BuildId)

This allows ACA to create separate revisions such as:

portal-api--blue-123
portal-api--green-124

This is the preferred enterprise approach because:

deployment logic stays outside application code
easier rollback
easier automation

Changes required in infra/bicep

Yes, some infra changes are required. Most important change is enabling multiple active revisions in Azure Container Apps.

Example: activeRevisionsMode: 'multiple'

Without this configuration, ACA replaces the old revision automatically, which prevents Blue/Green deployment behavior.

Regarding automatic updates:

Aspire manifest/AppHost changes do NOT automatically handle all ACA revision settings.
It is recommended to explicitly define revision configuration inside your Bicep/IaC templates.

Usually only minimal Bicep changes are required:

activeRevisionsMode
optional ingress traffic configuration

No major redesign of networking resources should be necessary.

Changes required in existing azd pipeline YAML Yes, the pipeline requires the most significant changes for Blue/Green deployment.

Recommended flow within the SAME pipeline:

Build image
Deploy Green revision
Assign 0% traffic initially
Run validation/smoke tests
Switch traffic to Green
Keep Blue revision available for rollback
Rollback automatically if validation fails

Recommended deployment pattern:

Build → Deploy Green Revision → Validate Green → Manual Approval (optional) → Switch Traffic → Monitor → Retain Blue for rollback window

Traffic switching can be performed using: az containerapp ingress traffic set

Example: az containerapp ingress traffic set --label-weight blue=0 green=100

Rollback: az containerapp ingress traffic set --label-weight blue=100 green=0

A single pipeline is generally recommended instead of maintaining separate Blue/Green pipelines because:

easier orchestration
simpler approvals
centralized rollback logic
better traceability

Sequential deployment with templates Sequential deployment is completely fine and actually aligns well with Blue/Green strategies.

Recommended approach:

Deploy all services sequentially to Green revisions first
Validate the full environment
Switch traffic only after the entire deployment succeeds

This avoids version mismatch scenarios between APIs/frontend/background services.

Effect on cache and background services This is an important consideration.

Cache: If shared cache (Redis etc.) is used, Blue and Green revisions will typically share the same cache.

Recommended best practices:

Keep cache contracts backward compatible
Avoid breaking serialization changes
Prefer versioned cache keys if schema changes occur

Example: customer:v2:123 instead of: customer:123

Background services / workers: This area requires extra attention.

Potential issue:

Both Blue and Green worker revisions may process the same queue simultaneously
This can lead to duplicate processing or race conditions

Recommended approach:

APIs/UI → use Blue/Green revisions
Background workers → keep only one active revision

For workers/consumers/schedulers:

scale old revision to 0 before enabling new revision OR
deploy workers separately from API traffic switching

This is usually the safest enterprise pattern for queue-based workloads.

Overall recommendation:

For your current architecture, the recommended production approach is:

Single ACA Environment
Multiple ACA revisions
Revision labels (blue/green)
Traffic switching through ACA ingress
Same App Gateway/WAF
Same Private DNS
Same Key Vault and private endpoints
Pipeline-driven validation and rollback

Pravallika KV 15,460 Reputation points Microsoft External Staff Moderator

2026-05-12T14:21:46.2566667+00:00

@Faisal Riaz Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer =>Yes, and upvote it. If you have any further queries do let us know.

Share via

Blue/Green Deployment Strategy for .NET Aspire + Azure Container Apps + Azure Developer CLI

Current Deployment Model

Requirement

Questions

0 additional answers

Your answer