The azure-native:containerinstance:ContainerGroupProfile resource, part of the Pulumi Azure Native provider, defines reusable container group configurations that specify containers, volumes, networking, and security settings. This guide focuses on four capabilities: volume mounting and Log Analytics integration, Kubernetes extensions for virtual kubelet, customer-managed encryption with Key Vault, and confidential computing and spot priority.
Container group profiles reference Azure resource groups, Log Analytics workspaces, storage accounts, Key Vault instances, and managed identities. The examples are intentionally small. Combine them with your own infrastructure and security policies.
Define a profile with volumes and diagnostics
Teams building reusable container configurations often need volume mounts for persistent data and Log Analytics integration for monitoring.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const containerGroupProfile = new azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile", {
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "nginx",
name: "demo1",
ports: [{
port: 80,
}],
resources: {
requests: {
cpu: 1,
gpu: {
count: 1,
sku: azure_native.containerinstance.GpuSku.K80,
},
memoryInGB: 1.5,
},
},
volumeMounts: [
{
mountPath: "/mnt/volume1",
name: "volume1",
readOnly: false,
},
{
mountPath: "/mnt/volume2",
name: "volume2",
readOnly: false,
},
{
mountPath: "/mnt/volume3",
name: "volume3",
readOnly: true,
},
],
}],
diagnostics: {
logAnalytics: {
logType: azure_native.containerinstance.LogAnalyticsLogType.ContainerInsights,
metadata: {
"pod-uuid": "test-metadata-value",
},
workspaceId: "workspaceid",
workspaceKey: "workspaceKey",
workspaceResourceId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace",
},
},
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 80,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Public,
},
location: "west us",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
volumes: [
{
azureFile: {
shareName: "shareName",
storageAccountKey: "accountKey",
storageAccountName: "accountName",
},
name: "volume1",
},
{
emptyDir: {},
name: "volume2",
},
{
name: "volume3",
secret: {
secretKey1: "SecretValue1InBase64",
secretKey2: "SecretValue2InBase64",
},
},
],
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
container_group_profile = azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile",
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "nginx",
"name": "demo1",
"ports": [{
"port": 80,
}],
"resources": {
"requests": {
"cpu": 1,
"gpu": {
"count": 1,
"sku": azure_native.containerinstance.GpuSku.K80,
},
"memory_in_gb": 1.5,
},
},
"volume_mounts": [
{
"mount_path": "/mnt/volume1",
"name": "volume1",
"read_only": False,
},
{
"mount_path": "/mnt/volume2",
"name": "volume2",
"read_only": False,
},
{
"mount_path": "/mnt/volume3",
"name": "volume3",
"read_only": True,
},
],
}],
diagnostics={
"log_analytics": {
"log_type": azure_native.containerinstance.LogAnalyticsLogType.CONTAINER_INSIGHTS,
"metadata": {
"pod-uuid": "test-metadata-value",
},
"workspace_id": "workspaceid",
"workspace_key": "workspaceKey",
"workspace_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace",
},
},
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 80,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PUBLIC,
},
location="west us",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
volumes=[
{
"azure_file": {
"share_name": "shareName",
"storage_account_key": "accountKey",
"storage_account_name": "accountName",
},
"name": "volume1",
},
{
"empty_dir": {},
"name": "volume2",
},
{
"name": "volume3",
"secret": {
"secretKey1": "SecretValue1InBase64",
"secretKey2": "SecretValue2InBase64",
},
},
],
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewContainerGroupProfile(ctx, "containerGroupProfile", &containerinstance.ContainerGroupProfileArgs{
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("nginx"),
Name: pulumi.String("demo1"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(80),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
Gpu: &containerinstance.GpuResourceArgs{
Count: pulumi.Int(1),
Sku: pulumi.String(containerinstance.GpuSkuK80),
},
MemoryInGB: pulumi.Float64(1.5),
},
},
VolumeMounts: containerinstance.VolumeMountArray{
&containerinstance.VolumeMountArgs{
MountPath: pulumi.String("/mnt/volume1"),
Name: pulumi.String("volume1"),
ReadOnly: pulumi.Bool(false),
},
&containerinstance.VolumeMountArgs{
MountPath: pulumi.String("/mnt/volume2"),
Name: pulumi.String("volume2"),
ReadOnly: pulumi.Bool(false),
},
&containerinstance.VolumeMountArgs{
MountPath: pulumi.String("/mnt/volume3"),
Name: pulumi.String("volume3"),
ReadOnly: pulumi.Bool(true),
},
},
},
},
Diagnostics: &containerinstance.ContainerGroupDiagnosticsArgs{
LogAnalytics: &containerinstance.LogAnalyticsArgs{
LogType: pulumi.String(containerinstance.LogAnalyticsLogTypeContainerInsights),
Metadata: pulumi.StringMap{
"pod-uuid": pulumi.String("test-metadata-value"),
},
WorkspaceId: pulumi.String("workspaceid"),
WorkspaceKey: pulumi.String("workspaceKey"),
WorkspaceResourceId: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace"),
},
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(80),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePublic),
},
Location: pulumi.String("west us"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Volumes: containerinstance.VolumeArray{
&containerinstance.VolumeArgs{
AzureFile: &containerinstance.AzureFileVolumeArgs{
ShareName: pulumi.String("shareName"),
StorageAccountKey: pulumi.String("accountKey"),
StorageAccountName: pulumi.String("accountName"),
},
Name: pulumi.String("volume1"),
},
&containerinstance.VolumeArgs{
EmptyDir: pulumi.Any(map[string]interface{}{}),
Name: pulumi.String("volume2"),
},
&containerinstance.VolumeArgs{
Name: pulumi.String("volume3"),
Secret: pulumi.StringMap{
"secretKey1": pulumi.String("SecretValue1InBase64"),
"secretKey2": pulumi.String("SecretValue2InBase64"),
},
},
},
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var containerGroupProfile = new AzureNative.ContainerInstance.ContainerGroupProfile("containerGroupProfile", new()
{
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "nginx",
Name = "demo1",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 80,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
Gpu = new AzureNative.ContainerInstance.Inputs.GpuResourceArgs
{
Count = 1,
Sku = AzureNative.ContainerInstance.GpuSku.K80,
},
MemoryInGB = 1.5,
},
},
VolumeMounts = new[]
{
new AzureNative.ContainerInstance.Inputs.VolumeMountArgs
{
MountPath = "/mnt/volume1",
Name = "volume1",
ReadOnly = false,
},
new AzureNative.ContainerInstance.Inputs.VolumeMountArgs
{
MountPath = "/mnt/volume2",
Name = "volume2",
ReadOnly = false,
},
new AzureNative.ContainerInstance.Inputs.VolumeMountArgs
{
MountPath = "/mnt/volume3",
Name = "volume3",
ReadOnly = true,
},
},
},
},
Diagnostics = new AzureNative.ContainerInstance.Inputs.ContainerGroupDiagnosticsArgs
{
LogAnalytics = new AzureNative.ContainerInstance.Inputs.LogAnalyticsArgs
{
LogType = AzureNative.ContainerInstance.LogAnalyticsLogType.ContainerInsights,
Metadata =
{
{ "pod-uuid", "test-metadata-value" },
},
WorkspaceId = "workspaceid",
WorkspaceKey = "workspaceKey",
WorkspaceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace",
},
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 80,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Public,
},
Location = "west us",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Volumes = new[]
{
new AzureNative.ContainerInstance.Inputs.VolumeArgs
{
AzureFile = new AzureNative.ContainerInstance.Inputs.AzureFileVolumeArgs
{
ShareName = "shareName",
StorageAccountKey = "accountKey",
StorageAccountName = "accountName",
},
Name = "volume1",
},
new AzureNative.ContainerInstance.Inputs.VolumeArgs
{
EmptyDir = null,
Name = "volume2",
},
new AzureNative.ContainerInstance.Inputs.VolumeArgs
{
Name = "volume3",
Secret =
{
{ "secretKey1", "SecretValue1InBase64" },
{ "secretKey2", "SecretValue2InBase64" },
},
},
},
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfile;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.GpuResourceArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerGroupDiagnosticsArgs;
import com.pulumi.azurenative.containerinstance.inputs.LogAnalyticsArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import com.pulumi.azurenative.containerinstance.inputs.VolumeArgs;
import com.pulumi.azurenative.containerinstance.inputs.AzureFileVolumeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var containerGroupProfile = new ContainerGroupProfile("containerGroupProfile", ContainerGroupProfileArgs.builder()
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("nginx")
.name("demo1")
.ports(ContainerPortArgs.builder()
.port(80)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.gpu(GpuResourceArgs.builder()
.count(1)
.sku("K80")
.build())
.memoryInGB(1.5)
.build())
.build())
.volumeMounts(
VolumeMountArgs.builder()
.mountPath("/mnt/volume1")
.name("volume1")
.readOnly(false)
.build(),
VolumeMountArgs.builder()
.mountPath("/mnt/volume2")
.name("volume2")
.readOnly(false)
.build(),
VolumeMountArgs.builder()
.mountPath("/mnt/volume3")
.name("volume3")
.readOnly(true)
.build())
.build())
.diagnostics(ContainerGroupDiagnosticsArgs.builder()
.logAnalytics(LogAnalyticsArgs.builder()
.logType("ContainerInsights")
.metadata(Map.of("pod-uuid", "test-metadata-value"))
.workspaceId("workspaceid")
.workspaceKey("workspaceKey")
.workspaceResourceId("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace")
.build())
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(80)
.protocol("TCP")
.build())
.type("Public")
.build())
.location("west us")
.osType("Linux")
.resourceGroupName("demo")
.volumes(
VolumeArgs.builder()
.azureFile(AzureFileVolumeArgs.builder()
.shareName("shareName")
.storageAccountKey("accountKey")
.storageAccountName("accountName")
.build())
.name("volume1")
.build(),
VolumeArgs.builder()
.emptyDir(Map.ofEntries(
))
.name("volume2")
.build(),
VolumeArgs.builder()
.name("volume3")
.secret(Map.ofEntries(
Map.entry("secretKey1", "SecretValue1InBase64"),
Map.entry("secretKey2", "SecretValue2InBase64")
))
.build())
.zones("1")
.build());
}
}
resources:
containerGroupProfile:
type: azure-native:containerinstance:ContainerGroupProfile
properties:
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: nginx
name: demo1
ports:
- port: 80
resources:
requests:
cpu: 1
gpu:
count: 1
sku: K80
memoryInGB: 1.5
volumeMounts:
- mountPath: /mnt/volume1
name: volume1
readOnly: false
- mountPath: /mnt/volume2
name: volume2
readOnly: false
- mountPath: /mnt/volume3
name: volume3
readOnly: true
diagnostics:
logAnalytics:
logType: ContainerInsights
metadata:
pod-uuid: test-metadata-value
workspaceId: workspaceid
workspaceKey: workspaceKey
workspaceResourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace
imageRegistryCredentials: []
ipAddress:
ports:
- port: 80
protocol: TCP
type: Public
location: west us
osType: Linux
resourceGroupName: demo
volumes:
- azureFile:
shareName: shareName
storageAccountKey: accountKey
storageAccountName: accountName
name: volume1
- emptyDir: {}
name: volume2
- name: volume3
secret:
secretKey1: SecretValue1InBase64
secretKey2: SecretValue2InBase64
zones:
- '1'
The volumes array defines three volume types: Azure Files for shared storage, empty directories for temporary data, and secrets for sensitive configuration. Each container references these volumes through volumeMounts, specifying mount paths and read-only flags. The diagnostics property connects to Log Analytics, sending container logs and metrics to the specified workspace. The logType determines whether to collect standard logs or Container Insights telemetry.
Add Kubernetes extensions for virtual kubelet
Virtual kubelet deployments require extensions like kube-proxy and realtime-metrics to integrate container groups with Kubernetes clusters.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const containerGroupProfile = new azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile", {
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "nginx",
name: "demo1",
ports: [{
port: 80,
}],
resources: {
requests: {
cpu: 1,
memoryInGB: 1.5,
},
},
}],
extensions: [
{
extensionType: "kube-proxy",
name: "kube-proxy",
protectedSettings: {
kubeConfig: "<kubeconfig encoded string>",
},
settings: {
clusterCidr: "10.240.0.0/16",
kubeVersion: "v1.9.10",
},
version: "1.0",
},
{
extensionType: "realtime-metrics",
name: "vk-realtime-metrics",
version: "1.0",
},
],
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 80,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Private,
},
location: "eastus2",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
container_group_profile = azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile",
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "nginx",
"name": "demo1",
"ports": [{
"port": 80,
}],
"resources": {
"requests": {
"cpu": 1,
"memory_in_gb": 1.5,
},
},
}],
extensions=[
{
"extension_type": "kube-proxy",
"name": "kube-proxy",
"protected_settings": {
"kubeConfig": "<kubeconfig encoded string>",
},
"settings": {
"clusterCidr": "10.240.0.0/16",
"kubeVersion": "v1.9.10",
},
"version": "1.0",
},
{
"extension_type": "realtime-metrics",
"name": "vk-realtime-metrics",
"version": "1.0",
},
],
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 80,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PRIVATE,
},
location="eastus2",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewContainerGroupProfile(ctx, "containerGroupProfile", &containerinstance.ContainerGroupProfileArgs{
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("nginx"),
Name: pulumi.String("demo1"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(80),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
MemoryInGB: pulumi.Float64(1.5),
},
},
},
},
Extensions: containerinstance.DeploymentExtensionSpecArray{
&containerinstance.DeploymentExtensionSpecArgs{
ExtensionType: pulumi.String("kube-proxy"),
Name: pulumi.String("kube-proxy"),
ProtectedSettings: pulumi.Any(map[string]interface{}{
"kubeConfig": "<kubeconfig encoded string>",
}),
Settings: pulumi.Any(map[string]interface{}{
"clusterCidr": "10.240.0.0/16",
"kubeVersion": "v1.9.10",
}),
Version: pulumi.String("1.0"),
},
&containerinstance.DeploymentExtensionSpecArgs{
ExtensionType: pulumi.String("realtime-metrics"),
Name: pulumi.String("vk-realtime-metrics"),
Version: pulumi.String("1.0"),
},
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(80),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePrivate),
},
Location: pulumi.String("eastus2"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var containerGroupProfile = new AzureNative.ContainerInstance.ContainerGroupProfile("containerGroupProfile", new()
{
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "nginx",
Name = "demo1",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 80,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
MemoryInGB = 1.5,
},
},
},
},
Extensions = new[]
{
new AzureNative.ContainerInstance.Inputs.DeploymentExtensionSpecArgs
{
ExtensionType = "kube-proxy",
Name = "kube-proxy",
ProtectedSettings = new Dictionary<string, object?>
{
["kubeConfig"] = "<kubeconfig encoded string>",
},
Settings = new Dictionary<string, object?>
{
["clusterCidr"] = "10.240.0.0/16",
["kubeVersion"] = "v1.9.10",
},
Version = "1.0",
},
new AzureNative.ContainerInstance.Inputs.DeploymentExtensionSpecArgs
{
ExtensionType = "realtime-metrics",
Name = "vk-realtime-metrics",
Version = "1.0",
},
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 80,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Private,
},
Location = "eastus2",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfile;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.DeploymentExtensionSpecArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var containerGroupProfile = new ContainerGroupProfile("containerGroupProfile", ContainerGroupProfileArgs.builder()
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("nginx")
.name("demo1")
.ports(ContainerPortArgs.builder()
.port(80)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.memoryInGB(1.5)
.build())
.build())
.build())
.extensions(
DeploymentExtensionSpecArgs.builder()
.extensionType("kube-proxy")
.name("kube-proxy")
.protectedSettings(Map.of("kubeConfig", "<kubeconfig encoded string>"))
.settings(Map.ofEntries(
Map.entry("clusterCidr", "10.240.0.0/16"),
Map.entry("kubeVersion", "v1.9.10")
))
.version("1.0")
.build(),
DeploymentExtensionSpecArgs.builder()
.extensionType("realtime-metrics")
.name("vk-realtime-metrics")
.version("1.0")
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(80)
.protocol("TCP")
.build())
.type("Private")
.build())
.location("eastus2")
.osType("Linux")
.resourceGroupName("demo")
.zones("1")
.build());
}
}
resources:
containerGroupProfile:
type: azure-native:containerinstance:ContainerGroupProfile
properties:
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: nginx
name: demo1
ports:
- port: 80
resources:
requests:
cpu: 1
memoryInGB: 1.5
extensions:
- extensionType: kube-proxy
name: kube-proxy
protectedSettings:
kubeConfig: <kubeconfig encoded string>
settings:
clusterCidr: 10.240.0.0/16
kubeVersion: v1.9.10
version: '1.0'
- extensionType: realtime-metrics
name: vk-realtime-metrics
version: '1.0'
imageRegistryCredentials: []
ipAddress:
ports:
- port: 80
protocol: TCP
type: Private
location: eastus2
osType: Linux
resourceGroupName: demo
zones:
- '1'
The extensions array defines deployment extensions that run alongside your containers. Each extension has an extensionType (like “kube-proxy” or “realtime-metrics”), a version, and optional settings. The kube-proxy extension uses settings for cluster configuration and protectedSettings for the base64-encoded kubeconfig. These extensions enable container groups to participate in Kubernetes networking and monitoring.
Encrypt container data with Azure Key Vault
Compliance requirements often mandate encryption of container data at rest using customer-managed keys stored in Azure Key Vault.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const containerGroupProfile = new azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile", {
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "nginx",
name: "demo1",
ports: [{
port: 80,
}],
resources: {
requests: {
cpu: 1,
memoryInGB: 1.5,
},
},
}],
encryptionProperties: {
identity: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity",
keyName: "test-key",
keyVersion: "<key version>",
vaultBaseUrl: "https://testkeyvault.vault.azure.net",
},
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 80,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Public,
},
location: "eastus2",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
container_group_profile = azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile",
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "nginx",
"name": "demo1",
"ports": [{
"port": 80,
}],
"resources": {
"requests": {
"cpu": 1,
"memory_in_gb": 1.5,
},
},
}],
encryption_properties={
"identity": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity",
"key_name": "test-key",
"key_version": "<key version>",
"vault_base_url": "https://testkeyvault.vault.azure.net",
},
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 80,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PUBLIC,
},
location="eastus2",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewContainerGroupProfile(ctx, "containerGroupProfile", &containerinstance.ContainerGroupProfileArgs{
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("nginx"),
Name: pulumi.String("demo1"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(80),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
MemoryInGB: pulumi.Float64(1.5),
},
},
},
},
EncryptionProperties: &containerinstance.EncryptionPropertiesArgs{
Identity: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity"),
KeyName: pulumi.String("test-key"),
KeyVersion: pulumi.String("<key version>"),
VaultBaseUrl: pulumi.String("https://testkeyvault.vault.azure.net"),
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(80),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePublic),
},
Location: pulumi.String("eastus2"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var containerGroupProfile = new AzureNative.ContainerInstance.ContainerGroupProfile("containerGroupProfile", new()
{
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "nginx",
Name = "demo1",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 80,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
MemoryInGB = 1.5,
},
},
},
},
EncryptionProperties = new AzureNative.ContainerInstance.Inputs.EncryptionPropertiesArgs
{
Identity = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity",
KeyName = "test-key",
KeyVersion = "<key version>",
VaultBaseUrl = "https://testkeyvault.vault.azure.net",
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 80,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Public,
},
Location = "eastus2",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfile;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.EncryptionPropertiesArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var containerGroupProfile = new ContainerGroupProfile("containerGroupProfile", ContainerGroupProfileArgs.builder()
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("nginx")
.name("demo1")
.ports(ContainerPortArgs.builder()
.port(80)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.memoryInGB(1.5)
.build())
.build())
.build())
.encryptionProperties(EncryptionPropertiesArgs.builder()
.identity("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity")
.keyName("test-key")
.keyVersion("<key version>")
.vaultBaseUrl("https://testkeyvault.vault.azure.net")
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(80)
.protocol("TCP")
.build())
.type("Public")
.build())
.location("eastus2")
.osType("Linux")
.resourceGroupName("demo")
.zones("1")
.build());
}
}
resources:
containerGroupProfile:
type: azure-native:containerinstance:ContainerGroupProfile
properties:
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: nginx
name: demo1
ports:
- port: 80
resources:
requests:
cpu: 1
memoryInGB: 1.5
encryptionProperties:
identity: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity
keyName: test-key
keyVersion: <key version>
vaultBaseUrl: https://testkeyvault.vault.azure.net
imageRegistryCredentials: []
ipAddress:
ports:
- port: 80
protocol: TCP
type: Public
location: eastus2
osType: Linux
resourceGroupName: demo
zones:
- '1'
The encryptionProperties block configures customer-managed encryption. The vaultBaseUrl points to your Key Vault instance, keyName identifies the encryption key, and keyVersion pins to a specific key version. The identity property references a user-assigned managed identity that must have permissions to access the Key Vault key. Azure uses this key to encrypt container data at rest.
Run confidential containers with hardware isolation
Workloads processing sensitive data can use confidential computing to ensure containers run in hardware-isolated enclaves with attestation policies.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const containerGroupProfile = new azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile", {
confidentialComputeProperties: {
ccePolicy: "eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19",
},
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "confiimage",
name: "accdemo",
ports: [{
port: 8000,
}],
resources: {
requests: {
cpu: 1,
memoryInGB: 1.5,
},
},
securityContext: {
capabilities: {
add: ["CAP_NET_ADMIN"],
},
privileged: false,
},
}],
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 8000,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Public,
},
location: "westeurope",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
sku: azure_native.containerinstance.ContainerGroupSku.Confidential,
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
container_group_profile = azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile",
confidential_compute_properties={
"cce_policy": "eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19",
},
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "confiimage",
"name": "accdemo",
"ports": [{
"port": 8000,
}],
"resources": {
"requests": {
"cpu": 1,
"memory_in_gb": 1.5,
},
},
"security_context": {
"capabilities": {
"add": ["CAP_NET_ADMIN"],
},
"privileged": False,
},
}],
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 8000,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PUBLIC,
},
location="westeurope",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
sku=azure_native.containerinstance.ContainerGroupSku.CONFIDENTIAL,
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewContainerGroupProfile(ctx, "containerGroupProfile", &containerinstance.ContainerGroupProfileArgs{
ConfidentialComputeProperties: &containerinstance.ConfidentialComputePropertiesArgs{
CcePolicy: pulumi.String("eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19"),
},
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("confiimage"),
Name: pulumi.String("accdemo"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(8000),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
MemoryInGB: pulumi.Float64(1.5),
},
},
SecurityContext: &containerinstance.SecurityContextDefinitionArgs{
Capabilities: &containerinstance.SecurityContextCapabilitiesDefinitionArgs{
Add: pulumi.StringArray{
pulumi.String("CAP_NET_ADMIN"),
},
},
Privileged: pulumi.Bool(false),
},
},
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(8000),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePublic),
},
Location: pulumi.String("westeurope"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Sku: pulumi.String(containerinstance.ContainerGroupSkuConfidential),
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var containerGroupProfile = new AzureNative.ContainerInstance.ContainerGroupProfile("containerGroupProfile", new()
{
ConfidentialComputeProperties = new AzureNative.ContainerInstance.Inputs.ConfidentialComputePropertiesArgs
{
CcePolicy = "eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19",
},
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "confiimage",
Name = "accdemo",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 8000,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
MemoryInGB = 1.5,
},
},
SecurityContext = new AzureNative.ContainerInstance.Inputs.SecurityContextDefinitionArgs
{
Capabilities = new AzureNative.ContainerInstance.Inputs.SecurityContextCapabilitiesDefinitionArgs
{
Add = new[]
{
"CAP_NET_ADMIN",
},
},
Privileged = false,
},
},
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 8000,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Public,
},
Location = "westeurope",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Sku = AzureNative.ContainerInstance.ContainerGroupSku.Confidential,
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfile;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ConfidentialComputePropertiesArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.SecurityContextDefinitionArgs;
import com.pulumi.azurenative.containerinstance.inputs.SecurityContextCapabilitiesDefinitionArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var containerGroupProfile = new ContainerGroupProfile("containerGroupProfile", ContainerGroupProfileArgs.builder()
.confidentialComputeProperties(ConfidentialComputePropertiesArgs.builder()
.ccePolicy("eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19")
.build())
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("confiimage")
.name("accdemo")
.ports(ContainerPortArgs.builder()
.port(8000)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.memoryInGB(1.5)
.build())
.build())
.securityContext(SecurityContextDefinitionArgs.builder()
.capabilities(SecurityContextCapabilitiesDefinitionArgs.builder()
.add("CAP_NET_ADMIN")
.build())
.privileged(false)
.build())
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(8000)
.protocol("TCP")
.build())
.type("Public")
.build())
.location("westeurope")
.osType("Linux")
.resourceGroupName("demo")
.sku("Confidential")
.zones("1")
.build());
}
}
resources:
containerGroupProfile:
type: azure-native:containerinstance:ContainerGroupProfile
properties:
confidentialComputeProperties:
ccePolicy: eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: confiimage
name: accdemo
ports:
- port: 8000
resources:
requests:
cpu: 1
memoryInGB: 1.5
securityContext:
capabilities:
add:
- CAP_NET_ADMIN
privileged: false
imageRegistryCredentials: []
ipAddress:
ports:
- port: 8000
protocol: TCP
type: Public
location: westeurope
osType: Linux
resourceGroupName: demo
sku: Confidential
zones:
- '1'
The sku property set to “Confidential” enables hardware-based isolation. The confidentialComputeProperties block includes a ccePolicy (Confidential Container Enforcement policy) as a base64-encoded string that defines what containers can run and what capabilities they have. The securityContext on each container specifies Linux capabilities and privilege settings. This configuration ensures containers run in trusted execution environments with attestation.
Use spot priority for cost-optimized workloads
Batch jobs and fault-tolerant workloads can reduce costs by running on spot-priority container groups that may be preempted when capacity is needed elsewhere.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const containerGroupProfile = new azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile", {
containerGroupProfileName: "demo1",
containers: [{
command: [
"/bin/sh",
"-c",
"sleep 10",
],
image: "alpine:latest",
name: "test-container-001",
resources: {
requests: {
cpu: 1,
memoryInGB: 1,
},
},
}],
location: "eastus",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
priority: azure_native.containerinstance.ContainerGroupPriority.Spot,
resourceGroupName: "demo",
restartPolicy: azure_native.containerinstance.ContainerGroupRestartPolicy.Never,
sku: azure_native.containerinstance.ContainerGroupSku.Standard,
});
import pulumi
import pulumi_azure_native as azure_native
container_group_profile = azure_native.containerinstance.ContainerGroupProfile("containerGroupProfile",
container_group_profile_name="demo1",
containers=[{
"command": [
"/bin/sh",
"-c",
"sleep 10",
],
"image": "alpine:latest",
"name": "test-container-001",
"resources": {
"requests": {
"cpu": 1,
"memory_in_gb": 1,
},
},
}],
location="eastus",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
priority=azure_native.containerinstance.ContainerGroupPriority.SPOT,
resource_group_name="demo",
restart_policy=azure_native.containerinstance.ContainerGroupRestartPolicy.NEVER,
sku=azure_native.containerinstance.ContainerGroupSku.STANDARD)
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewContainerGroupProfile(ctx, "containerGroupProfile", &containerinstance.ContainerGroupProfileArgs{
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{
pulumi.String("/bin/sh"),
pulumi.String("-c"),
pulumi.String("sleep 10"),
},
Image: pulumi.String("alpine:latest"),
Name: pulumi.String("test-container-001"),
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
MemoryInGB: pulumi.Float64(1),
},
},
},
},
Location: pulumi.String("eastus"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
Priority: pulumi.String(containerinstance.ContainerGroupPrioritySpot),
ResourceGroupName: pulumi.String("demo"),
RestartPolicy: pulumi.String(containerinstance.ContainerGroupRestartPolicyNever),
Sku: pulumi.String(containerinstance.ContainerGroupSkuStandard),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var containerGroupProfile = new AzureNative.ContainerInstance.ContainerGroupProfile("containerGroupProfile", new()
{
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new[]
{
"/bin/sh",
"-c",
"sleep 10",
},
Image = "alpine:latest",
Name = "test-container-001",
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
MemoryInGB = 1,
},
},
},
},
Location = "eastus",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
Priority = AzureNative.ContainerInstance.ContainerGroupPriority.Spot,
ResourceGroupName = "demo",
RestartPolicy = AzureNative.ContainerInstance.ContainerGroupRestartPolicy.Never,
Sku = AzureNative.ContainerInstance.ContainerGroupSku.Standard,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfile;
import com.pulumi.azurenative.containerinstance.ContainerGroupProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var containerGroupProfile = new ContainerGroupProfile("containerGroupProfile", ContainerGroupProfileArgs.builder()
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command(
"/bin/sh",
"-c",
"sleep 10")
.image("alpine:latest")
.name("test-container-001")
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.memoryInGB(1.0)
.build())
.build())
.build())
.location("eastus")
.osType("Linux")
.priority("Spot")
.resourceGroupName("demo")
.restartPolicy("Never")
.sku("Standard")
.build());
}
}
resources:
containerGroupProfile:
type: azure-native:containerinstance:ContainerGroupProfile
properties:
containerGroupProfileName: demo1
containers:
- command:
- /bin/sh
- -c
- sleep 10
image: alpine:latest
name: test-container-001
resources:
requests:
cpu: 1
memoryInGB: 1
location: eastus
osType: Linux
priority: Spot
resourceGroupName: demo
restartPolicy: Never
sku: Standard
The priority property set to “Spot” requests lower-cost capacity that Azure can reclaim when needed. The restartPolicy set to “Never” ensures containers don’t restart after completion or preemption. Spot priority works best for interruptible workloads like batch processing, testing, or development environments where occasional preemption is acceptable.
Beyond these examples
These snippets focus on specific container group profile features: volume mounting and diagnostics, Kubernetes extensions and encryption, and confidential computing and spot priority. They’re intentionally minimal rather than full container deployments.
The examples may reference pre-existing infrastructure such as Azure resource groups, Log Analytics workspaces, Azure Files storage accounts and shares, Key Vault instances with encryption keys, and managed identities with appropriate permissions. They focus on configuring the profile rather than provisioning everything around it.
To keep things focused, common container group patterns are omitted, including:
- Private networking and VNet integration (subnetIds)
- Container registry authentication (imageRegistryCredentials)
- Init containers for setup tasks
- GPU resource allocation
- DNS configuration and custom domain names
- Liveness and readiness probes
These omissions are intentional: the goal is to illustrate how each profile feature is wired, not provide drop-in container modules. See the ContainerGroupProfile resource reference for all available configuration options.
Let's configure Azure Container Group Profiles
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Lifecycle
What properties can't I change after creating a container group profile?
The
containerGroupProfileName and resourceGroupName are immutable after creation. Changing these requires recreating the resource.What restart policies are available for containers?
Three options:
Always (always restart), OnFailure (restart on failure), or Never (never restart).What's the revision property used for?
The
revision property is a read-only output showing the current revision number of the container group profile.Security & Confidential Computing
What's the difference between Standard and Confidential SKUs?
Standard is for regular workloads, while Confidential enables hardware-based confidential computing with isolation. Confidential SKU requires configuring confidentialComputeProperties.How do I enable confidential computing?
Set
sku to Confidential and configure confidentialComputeProperties with a ccePolicy (base64-encoded policy string).How do I encrypt container data with Key Vault?
Configure
encryptionProperties with identity (managed identity resource ID), keyName, keyVersion, and vaultBaseUrl pointing to your Key Vault.Can I add Linux capabilities to containers?
Yes, use
securityContext.capabilities.add to add capabilities like CAP_NET_ADMIN. Set privileged to false for non-privileged containers.Storage & Volumes
What volume types can I mount in containers?
Three types are supported:
- azureFile - Mount an Azure Files share (requires
shareName,storageAccountName,storageAccountKey) - emptyDir - Temporary directory that exists for the container group’s lifetime
- secret - Key-value pairs with base64-encoded values
How do I mount volumes as read-only?
Set
readOnly to true in the volumeMounts configuration for each container.Networking & IP Configuration
What IP address types are available?
Two types:
Public (publicly accessible IP) and Private (private IP within a virtual network).How do I configure container ports?
Define ports in two places: container-level
ports (which ports the container exposes) and ipAddress.ports (which ports are exposed externally with protocol like TCP).Extensions & Monitoring
What extensions can I add to container groups?
Extensions like
kube-proxy (for Kubernetes integration) and realtime-metrics (for monitoring) can be added via the extensions array with extensionType, name, and version.How do I integrate with Azure Log Analytics?
Configure
diagnostics.logAnalytics with workspaceId, workspaceKey, workspaceResourceId, and optionally logType (e.g., ContainerInsights) and custom metadata.Cost & Priority
Can I use Spot priority for cost savings?
Yes, set
priority to Spot for lower-cost, interruptible workloads. Combine with restartPolicy: Never for batch jobs.