Frequently asked questions about Azure Container Instances

This article addresses frequently asked questions about Azure Container Instances.

Deployment

How large can my container image be?

The maximum size for a deployable container image on Azure Container Instances is 15 GB. You might be able to deploy larger images depending on the exact availability at the moment you deploy, but larger image size isn't guaranteed.

The size of your container image impacts how long it takes to deploy, so generally you want to keep your container images as small as possible.

How can I speed up the deployment of my container?

Because one of the main determinants of deployment times is the image size, look for ways to reduce the size. Remove layers you don't need, or reduce the size of layers in the image (by picking a lighter base OS image). For example, if you're running Linux containers, consider using Alpine as your base image rather than a full Ubuntu Server. Similarly, for Windows containers, use a Nano Server base image if possible.

You should also check the list of precached images in Azure Container Images, available via the List Cached Images API. You might be able to switch out an image layer for one of the precached images.

See more detailed guidance on reducing container startup time.

What Windows base OS images are supported?

Note

Due to issues with backward compatibility after the Windows updates in 2020, the following image versions include the minimum version number that we recommend you use in your base image. Current deployments using older image versions aren't impacted, but new deployments should adhere to the following base images. After June 14, 2021, ACI will no longer support deployments using older version numbers.

Note

Confidential containers on Azure Container Instances currently doesn't support Windows containers.

Windows Server 2016 base images

Important

From now through 31 December 2022, you can continue to deploy Windows Server 2016 container groups on Azure Container Instances. After this date, Windows Server 2016 images will no longer be supported. See How do I migrate my Windows Server 2016 container groups to Windows Server 2019 images? for instructions on how to transition your workloads.

Note

Windows images based on Semi-Annual Channel release 1709 or 1803 aren't supported.

Windows Server 2019 and client base images

What .NET or .NET Core image layer should I use in my container?

Use the smallest image that satisfies your requirements. For Linux, you could use a runtime-alpine .NET Core image, which has been supported since the release of .NET Core 2.1. For Windows, if you're using the full .NET Framework, then you need to use a Windows Server Core image (runtime-only image, such as 4.7.2-windowsservercore-ltsc2016). Runtime-only images are smaller but don't support workloads that require the .NET SDK.

Note

ACI can't pull images from non OCI-compliant registries.

What types of container registries are compatible with ACI?

ACI supports image pulls from ACR and other third-party container registries such as DockerHub. ACI supports image pulls from ACR and other third-party OCI compatible container registries such as DockerHub with an endpoint that is publicly exposed to the internet.

How do I migrate my Windows Server 2016 container groups to Windows Server 2019 images?

  1. Identify what Windows base image you're currently using.

    If you're pulling directly from Microsoft Container Registry (MCR), then that image name is your base image.

    If you're working with a private registry, you'll need to look at your Dockerfile to identify the base image, which will be stated after the 'FROM' line.

  2. Select the new base image you want to use from Windows Server 2019. Below are some examples of commonly used Windows Server 2016 images on Azure Container Instances and our recommendations for replacement Windows Server 2019 images.

    Windows Server 2016 Image Recommended Windows Server 2019 Images
    mcr.microsoft.com/windows/servercore/iis mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
    mcr.microsoft.com/windows/servercore:ltsc2016 mcr.microsoft.com/windows/servercore:ltsc2019

    Read about image discovery to learn more.

    Note

    If you would like assistance selecting your new base image, please create an Azure Support Ticket.

  3. Follow the Update containers in Azure Container Instances how-to guide to update your ACI container group to use your new base image.

    If you're using MCR for your container registry, you can pass the MCR image name directly into the container group image parameter.

    If you're using a private container registry, please follow the steps in Upgrade containers to a new version of the Windows operating system. Make sure the container group's image registry parameters are updated if you've changed them.

Availability and quotas

How many cores and memory should I allocate for my containers or the container group?

This really depends on your workload. Start small and test performance to see how your containers do. Monitor CPU and memory resource usage, and then add cores or memory based on the kind of processes that you deploy in the container.

Make sure also to check the resource availability for the region you're deploying in for the upper bounds on CPU cores and memory available per container group.

Note

A small amount of a container group's resources is used by the service's underlying infrastructure. Your containers are able to access most but not all of the resources allocated to the group. For this reason, plan a small resource buffer when requesting resources for containers in the group.

What underlying infrastructure does ACI run on?

Azure Container Instances aims to be a serverless containers-on-demand service, so we want you to be focused on developing your containers, and not worry about the infrastructure! For those that are curious or wanting to do comparisons on performance, ACI runs on sets of Azure VMs of various SKUs, primarily from the F and the D series. We expect this to change in the future as we continue to develop and optimize the service.

I want to deploy thousands of cores on ACI - can I get my quota increased?

Yes (sometimes). See the quotas and limits article for current quotas and which limits can be increased by request.

Can I deploy with more than 4 cores and 16 GB of RAM?

Not yet. Currently, these are the maximums for a container group. Contact Azure Support with specific requirements or requests.

When will ACI be in a specific region?

Current region availability is published here. If you have a requirement for a specific region, contact Azure Support.

Features and scenarios

How do I scale a container group?

Currently, scaling isn't available for containers or container groups. If you need to run more instances, use our API to automate and create more requests for container group creation to the service.

What features are available to instances running in a custom VNet?

You can deploy container groups in an Azure virtual network of your choice, and delegate private IPs to the container groups to route traffic within the VNet across your Azure resources. For networking scenarios and limitations with Azure Container Instances, see Virtual network scenarios and resources.

Does the ACI service reserve ports for service functionality?

Yes, the ACI service does reserve the following ports for service functionality: 22, 1025-1027, 3389-3399, 9999, 19000, 19080, 19390, 19100, 20000-30000, 49152-65534. Avoid using these ports in your container group definition.

Can you take a dependency on the container group's IP address?

Container group IP addresses are subject to change after being created or deleted. We recommend that your application code doesn't take a dependency on the container group's IP address. We also suggest using NAT Gateway or Application Gateway if you would like to maintain a static IP address.

Pricing

When does the meter start running?

Container group duration is calculated from the time that we start to pull your first container's image (for a new deployment) or your container group is restarted (if already deployed), until the container group is stopped. See details at Container Instances pricing.

Do I stop being charged when my containers are stopped?

Meters stop running once your entire container group is stopped. As long as a container in your container group is running, we hold the resources in case you want to start the containers up again.

Confidential containers on Azure Container Instances

What is Confidential computing and how is it being applied to Azure Container Instances?

Confidential computing is an industry term defined by the Confidential Computing Consortium (CCC) - a foundation dedicated to defining and accelerating the adoption of confidential computing. The CCC defines confidential computing as: The protection of data in use by performing computations in a hardware-based Trusted Execution Environment (TEE). ACI Confidential Containers introduce hardware-based protection, code integrity, and verification of the Trusted Execution Environment (TEE). Confidential containers apply the latest in confidential computing hardware enabling customers to deploy their existing applications without any modifications while taking advantage of the hardware-based data protection. Code integrity, and verification of the TEE are achieved through the attestation of a confidential computing enforcement policy, which is attached to the container group at deployment time. If any of the properties of the container group differ from those of the confidential computing enforcement policy, the environment will fail to launch ensuring that the TEE isn't compromised.

When should I use Confidential containers on Azure Container Instances?

Confidential containers can be used for a wide variety of elastic workloads but are especially a great fit for workloads that require strong data protection guarantees. Some examples of these workloads include machine learning workloads that utilize data sets that include personal data or with algorithms that are considered intellectual property. Healthcare customers can use it for analyzing patient data and researching. Financial services customers may use it for credit analysis risk calculation, and portfolio balancing.

How do I generate a confidential computing enforcement policy?

Confidential computing enforcement policies can be generated using the confcom extension with the Azure CLI. For more information, see confcom extension.

Are there any features that aren't supported on confidential containers on Azure Container Instances?

GPU based ACI container deployments, Windows containers, availability zones, and dedicated instances aren't supported with confidential containers.

What regions are confidential containers on Azure Container Instances available?

Confidential containers on Azure Container Instances are only available in select regions during Public Preview. Current region availability is published here.

Is there an additional cost for confidential container on Azure Container Instances?

Confidential containers on Azure Container Instances do have an additional cost compared to standard SKU container groups. For more information, see pricing page.

Spot containers on Azure Container Instances (Preview)

What are ACI Spot containers?

ACI Spot containers are a new feature that allows customers to run interruptible, containerized workloads on unused Azure capacity at up to 70% discounted prices vs regular-priority ACI containers.

When should I use ACI Spot containers?

ACI Spot containers may be preempted when Azure has insufficient surplus capacity and customers are billed for per-second memory/core usage. With ACI Spot Containers, you can now run your containerized workloads such as batch processing, Monte Carlo simulations, dev/test workloads and parallelizable offline workloads that can tolerate interruptions on Azure at a fraction of the cost of traditional ACI pricing. This offering is targeted at customers who wants to run interruptible workloads with no strict availability requirement.

Are there any features that aren't supported on ACI spot containers?

GPU based ACI container deployments, availability zones, support for ACI deployments with Public IP and ACI deployments behind custom virtual network with Private IP aren't supported with Spot containers.

What is the default quota for ACI Spot containers?

All customers get a default quota of 10 vCPU cores and 10 container groups.

How do I file quota requests for ACI Spot containers?

Customers can file support request to increase capacity for Spot containers by selecting the issue type as "Services and Subscription limits(quotas)" and new quota type as "StandardSpotCores" added for ACI Spot containers offering when you're requested to fill in the requested details.

What regions are ACI Spot containers available?

Azure Container Instances(ACI) Spot containers are only available in select regions during Public Preview. See Resource and region availability for more information.

Is there an additional cost for ACI Spot containers?

ACI Spot containers are offered at discounted price and offer up to a 70% discount on top of regular priority ACI containers. The discounts would vary per month in each region. For more information, see the pricing page.

Next steps