Azure Container Apps
Arpio replicates Azure Container Apps and their related resources — Container Apps Environments, Container Apps Jobs, authentication configurations, and certificates — enabling containerized and serverless workloads to be restored in recovery environments.
Container Apps Environment
Arpio replicates Container Apps Environments (Microsoft.App/managedEnvironments) with their VNet integration, Dapr, Log Analytics, KEDA, and custom domain certificate configurations. The environment provides the shared compute, networking, and observability surface that Container Apps and Jobs run on.
The following attributes are translated during replication:
| Attribute | Translation Method |
|---|---|
| Infrastructure Subnet | Reference translated to recovery subnet |
| Custom Domain Certificate Key Vault URL | Translated to recovery Key Vault certificate |
| Custom Domain Certificate Key Vault Identity | Translated to recovery Key Vault certificate user-assigned identity (or retained if "system") |
| Log Analytics Workspace (`customerId`) | Reference translated to recovery Log Analytics workspace; the workspace shared key is fetched from the target and injected at recovery time |
The following resources are automatically selected into recovery points when a Container Apps Environment is selected:
- Infrastructure subnet used for VNet integration
- Key Vault certificate used for the custom domain (if configured)
- User-assigned identity used to access the Key Vault certificate
- Log Analytics workspace referenced by `appLogsConfiguration` (if configured)
- Application Insights connections are not yet replicated — the destination referenced by `daprAIConnectionString` is not translated, and the recovery environment will not have a Dapr Application Insights connection configured. The connection string must be reconfigured manually after recovery.
- The environment's default domain, static IP, and custom domain verification ID are assigned by Azure and will differ in recovery.
Container App
Arpio replicates Container Apps (Microsoft.App/containerApps) with their revision template, ingress, scale rules, secrets, registry credentials, identity settings, service binds, and custom domain bindings.
Both inline secrets and Key Vault-backed secrets are supported. Container image references are translated to point at the recovery container registry, and identity references throughout the configuration (registries, secrets, scale rules, identity settings) are translated to recovery user-assigned identities. The literal value "system" is retained as-is so apps that use their system-assigned identity continue to work in recovery.
The following attributes are translated during replication:
| Attribute | Translation Method |
|---|---|
| Environment ID (`environmentId` / `managedEnvironmentId`) | Reference translated to recovery Container Apps Environment |
| Custom Domain Certificate ID | Translated to recovery Container App Certificate or Managed Certificate |
| Registry Identity | Translated to recovery user-assigned identity (or retained if "system") |
| Registry Server | Reference translated to recovery Container Registry login server (external registries are retained) |
| Identity Settings | Translated to recovery user-assigned identities (or retained if "system") |
| Secret Key Vault URLs | Translated to recovery Key Vault secrets |
| Secret Identity | Translated to recovery user-assigned identity (or retained if "system") |
| Service Binds (`serviceId`) | Reference translated to recovery service |
| Scale Rule Identities (custom, azureQueue, http, tcp) | Translated to recovery user-assigned identities (or retained if "system") |
| Container Images | Image references translated to recovery container registry |
| Container Environment Variables | Resource identifiers embedded in environment variable values (for example, an Azure Database for PostgreSQL host name) are detected and translated to point at the recovery resource |
| Custom Domain Hostnames (recovery test only) | A -dr suffix is appended to the most significant label |
The following resources are automatically selected into recovery points when a Container App is selected:
- Container Apps Environment hosting the app
- User-assigned identities referenced by registries, secrets, scale rules, and identity settings
- Container Registries, repositories, and images referenced by the app
- Key Vault secrets referenced by the app's secret store
- Container App Certificates and Managed Certificates bound to custom domains
- Services referenced via service binds
- Resources referenced by identifiers embedded in container environment variable values
During recovery tests of a Container App that has custom domains, each hostname has -dr appended to its leftmost (most significant) label — for example, app.example.com becomes app-dr.example.com. This lets the recovery instance be tested independently without conflicting with the custom domains in use by the primary app. You will need DNS records pointing the -dr hostnames at the recovery environment for the bindings (and any associated managed certificates) to validate successfully.
During recovery and recovery tests, Container Apps that have custom domains are restored in two stages:
- The app is created first, without its custom domains. If domain validation later fails for any reason, the recovered Container App will still be running — but reachable only through its default Azure-assigned hostname. The custom domain bindings remain absent until the underlying validation issues are resolved and the failover is resumed.
- The custom domains are bound after creation. The behavior at this stage depends on the certificate type:
    - Key Vault-backed certificates (`Microsoft.App/managedEnvironments/certificates` sourced from Key Vault) are created before the Container App, so the binding succeeds as soon as the app is configured.
    - Azure-managed certificates (`Microsoft.App/managedEnvironments/managedCertificates`) depend on the Container App for DNS validation, so they are provisioned after the app is created. While the managed certificate is being issued — and until every managed certificate the app depends on is successfully issued and the failover is resumed — the custom domains will have TLS disabled.
!!! tip "Prefer Key Vault-backed certificates"
    Because Azure-managed certificates require extra DNS validation steps and leave custom domains with TLS disabled until issuance completes, we recommend using self-managed certificates stored in Key Vault (`Microsoft.App/managedEnvironments/certificates` with `certificateKeyVaultProperties`) for any custom domain whose availability or TLS posture matters during recovery.
- The container app's FQDN, outbound IP addresses, latest revision name/FQDN, event stream endpoint, and custom domain verification ID are assigned by Azure and will differ in recovery.
Container App Authentication Config
Arpio replicates Container App authentication configurations (Microsoft.App/containerApps/authConfigs) as child resources of their parent Container App. Authentication configs are discovered automatically when a Container App is included in a recovery point and do not need to be selected separately.
Container App Certificate
Arpio replicates Container App Certificates (Microsoft.App/managedEnvironments/certificates) that are sourced from Key Vault. The certificate is recreated in the recovery environment by referencing the translated Key Vault URL and the user-assigned identity used to read it.
The following attributes are translated during replication:
| Attribute | Translation Method |
|---|---|
| Certificate Key Vault URL | Translated to recovery Key Vault certificate secret |
| Certificate Key Vault Identity | Translated to recovery user-assigned identity (or retained if "system") |
The following resources are automatically selected into recovery points when a Container App Certificate is selected:
- Key Vault certificate referenced by the certificate
- User-assigned identity used to read the Key Vault certificate
- Uploaded PFX certificates are not supported. Azure accepts the PFX blob on creation but never returns it on subsequent reads, so there is nothing to replicate. PFX-backed managed environment certificates are skipped during replication and must be manually re-uploaded after recovery. Use Key Vault-backed certificates if you need them recovered automatically.
Container App Managed Certificate
Arpio replicates Container App Managed Certificates (Microsoft.App/managedEnvironments/managedCertificates), which are free, Azure-managed certificates issued for a custom domain bound to a Container App. Because managed certificate issuance requires the Container App to respond to DNS validation, managed certificates are provisioned after their associated Container Apps in the recovery environment.
The following attributes are translated during replication:
| Attribute | Translation Method |
|---|---|
| Subject Name (recovery test only) | A -dr suffix is appended to the most significant label of the domain |
The following resources are automatically selected into recovery points when a Container App Managed Certificate is selected:
- Container Apps that have a custom domain matching the certificate's `subjectName`
- DNS validation is required — recovery requires the custom domain's DNS records to point at the recovery Container App's environment so Azure can validate domain ownership and issue the certificate. Update the relevant CNAME or A/TXT records before or during recovery.
- During recovery tests, the certificate's subject name is rewritten with a `-dr` suffix to match the recovery app's hostname; you will need a corresponding DNS record for the `-dr` hostname for issuance to succeed.
- While a managed certificate is awaiting issuance, the custom domain bound to it will have TLS disabled. See Custom Domain Recovery for the full sequence.
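The custom domain behavior described for Container Apps and for managed certificates can be planned for ahead of a recovery test. The following is an added example, not Arpio's code: it reads a Container App's ARM JSON (`properties.configuration.ingress.customDomains`), derives the `-dr` hostnames that will need DNS records, and marks bindings whose certificate is Azure-managed and will therefore run without TLS until issuance. The sample app, subscription ID, and all function names are constructed for illustration.

```python
# Constructed sample: a trimmed Container App resource with three bindings.
ENV = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
       "/providers/Microsoft.App/managedEnvironments/env")
SAMPLE_APP = {"name": "orders-api", "properties": {"configuration": {"ingress": {
    "customDomains": [
        {"name": "app.example.com", "bindingType": "SniEnabled",
         "certificateId": ENV + "/certificates/app-kv-cert"},
        {"name": "shop.eu.example.com", "bindingType": "SniEnabled",
         "certificateId": ENV + "/managedCertificates/shop-managed"},
        {"name": "legacy.example.com", "bindingType": "Disabled"},
    ]}}}}

def dr_hostname(hostname):
    """Apply the page's rule: append -dr to the leftmost label."""
    first, sep, rest = hostname.partition(".")
    return f"{first}-dr{sep}{rest}"

def certificate_kind(certificate_id):
    """Classify a binding by the ARM child type in its certificateId."""
    if not certificate_id:
        return "none"
    segments = [s.lower() for s in certificate_id.strip("/").split("/")]
    # ARM IDs alternate type/name pairs, so the child type is second to last.
    child_type = segments[-2] if len(segments) >= 2 else ""
    # "certificates" covers both Key Vault-backed and uploaded PFX; telling them
    # apart needs the certificate resource's certificateKeyVaultProperties.
    return {"certificates": "environment-certificate",
            "managedcertificates": "managed"}.get(child_type, "unknown")

def recovery_test_plan(app):
    """Return one row per custom domain: test hostname and TLS posture."""
    config = app.get("properties", {}).get("configuration", {})
    ingress = config.get("ingress") or {}
    plan = []
    for domain in ingress.get("customDomains") or []:
        kind = certificate_kind(domain.get("certificateId"))
        plan.append({
            "primary": domain["name"],
            "recovery_test": dr_hostname(domain["name"]),  # needs a DNS record
            "certificate": kind,
            # Managed certificates are issued after the app is created, so the
            # binding has TLS disabled until issuance completes.
            "tls_disabled_until_issued": kind == "managed",
        })
    return plan

if __name__ == "__main__":
    for row in recovery_test_plan(SAMPLE_APP):
        print(row)
```

Rows with `tls_disabled_until_issued` set are the ones to review against the recommendation to use Key Vault-backed certificates.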
Container Apps Job
Arpio replicates Container Apps Jobs (Microsoft.App/jobs) with their job configuration, template, secrets, registry credentials, identity settings, and event-driven scale rules.
The following attributes are translated during replication:
| Attribute | Translation Method |
|---|---|
| Environment ID | Reference translated to recovery Container Apps Environment |
| Registry Identity | Translated to recovery user-assigned identity (or retained if "system") |
| Registry Server | Reference translated to recovery Container Registry login server (external registries are retained) |
| Identity Settings | Translated to recovery user-assigned identities (or retained if "system") |
| Secret Key Vault URLs | Translated to recovery Key Vault secrets |
| Secret Identity | Translated to recovery user-assigned identity (or retained if "system") |
| Event Trigger Scale Rule Identities | Translated to recovery user-assigned identities (or retained if "system") |
| Container Images | Image references translated to recovery container registry |
| Container Environment Variables | Resource identifiers embedded in environment variable values (for example, an Azure Database for PostgreSQL host name) are detected and translated to point at the recovery resource |
The following resources are automatically selected into recovery points when a Container Apps Job is selected:
- Container Apps Environment hosting the job
- User-assigned identities referenced by registries, secrets, scale rules, and identity settings
- Container Registries, repositories, and images referenced by the job
- Key Vault secrets referenced by the job's secret store
- Resources referenced by identifiers embedded in container environment variable values
- The job's outbound IP addresses and event stream endpoint are assigned by Azure and will differ in recovery.
Unsupported Resources
The following Container Apps resources are not yet replicated by Arpio and must be handled manually after recovery if your workload depends on them:
- Managed environment Application Insights (`daprAIConnectionString` on `Microsoft.App/managedEnvironments`) — the Dapr Application Insights connection string must be reconfigured manually after recovery.
- Managed environment PFX certificates (`Microsoft.App/managedEnvironments/certificates` with an uploaded PFX blob) — must be re-uploaded manually. Use Key Vault-backed certificates instead for automatic recovery.
- Session Pools (`Microsoft.App/sessionPools`) — any Container App that depends on a session pool must have the pool recreated manually in the recovery environment.