Hi,
to deploy an app using a Windows Container with CLI. Follow these steps:
- Create a new resource group (optional)
az group create -n <groupName> -l <location>
- Create a new App Service plan to host the App. Windows Container Apps cannot be hosted in the same App Service Plan as Windows Code Apps or Linux Apps. They require an App Service Plan of their own and must use the Premium v3 SKU family. The --hyper-v flag enables this plan to host Windows Containers in this App Service Plan
az appservice plan create -g <groupName> -n <planName> --sku p1v3 --hyper-v
3a. To create a webapp with an image from an Azure Container Registry or other Container Registry with username and password execute the following command
az webapp create -g <groupName> -p <planName> -n <appName> --deployment-container-image-name myacr.azurecr.io/myimage:mytag --docker-registry-server-user <registryUserName> --docker-registry-server-password <registryPassword>
3b. To create a webapp which pulls an image from an Azure Container Registry using System assigned Managed Identity. User assigned identities can also be used (https://learn.microsoft.com/azure/app-service/configure-custom-container?tabs=debian&pivots=container-windows#use-managed-identity-to-pull-image-from-azure-container-registry)
az webapp create -g <groupName> -p <planName> -n <appName> --deployment-container-image-name mcr.microsoft.com/azure-app-service/windows/parkingpage:latest --assign-identity
az webapp identity show -g <groupName> -p <planName> -n <appName> --query principalId --output tsv
az acr show -g <groupName> -n <registryName> --query id --output tsv
az role assignment create --assignee <principalId> --scope <registry-resource-id> --role "AcrPull"
az webapp config set -g <groupName> -n <appName> --generic-configurations '{\"acrUseManagedIdentityCreds\": true}'
az webapp config container set -g <groupName> -n <appName> --docker-custom-image-name myacr.azurecr.io/myimage:mytag
This set of steps creates a web app using a quickstart image, assigns the identity to the webapp, creates the ACR Pull Role assignment for that identity and then updates the webapp to pull the image using managed identity and updates the image details to pull the image from the protected registry. At the time of app creation the app does not have an identity to validate that the image being pulled is a) a Windows image and as the permissions haven't been granted to pull the image.
We will work on making this experience simpler and more consistent with the App Service Linux behaviour when the image is behind an Managed Identity secured Azure Container Registry, and also add more samples to our CLI documentation.