The azure-native:containerinstance:CGProfile resource, part of the Pulumi Azure Native provider, defines reusable container group profiles that specify container images, resource requirements, networking, and optional features like encryption or Kubernetes integration. This guide focuses on four capabilities: volume mounting and diagnostics, Kubernetes extensions, customer-managed encryption, and confidential computing.
Container group profiles reference external infrastructure like storage accounts, Key Vault instances, Log Analytics workspaces, and managed identities. The examples are intentionally small. Combine them with your own networking, registry credentials, and security policies.
Define a profile with volumes and diagnostics
Teams building reusable container configurations often start with a profile that includes volume mounts and Log Analytics integration for observability.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const cgProfile = new azure_native.containerinstance.CGProfile("cgProfile", {
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "nginx",
name: "demo1",
ports: [{
port: 80,
}],
resources: {
requests: {
cpu: 1,
gpu: {
count: 1,
sku: azure_native.containerinstance.GpuSku.K80,
},
memoryInGB: 1.5,
},
},
volumeMounts: [
{
mountPath: "/mnt/volume1",
name: "volume1",
readOnly: false,
},
{
mountPath: "/mnt/volume2",
name: "volume2",
readOnly: false,
},
{
mountPath: "/mnt/volume3",
name: "volume3",
readOnly: true,
},
],
}],
diagnostics: {
logAnalytics: {
logType: azure_native.containerinstance.LogAnalyticsLogType.ContainerInsights,
metadata: {
"pod-uuid": "test-metadata-value",
},
workspaceId: "workspaceid",
workspaceKey: "workspaceKey",
workspaceResourceId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace",
},
},
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 80,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Public,
},
location: "west us",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
volumes: [
{
azureFile: {
shareName: "shareName",
storageAccountKey: "accountKey",
storageAccountName: "accountName",
},
name: "volume1",
},
{
emptyDir: {},
name: "volume2",
},
{
name: "volume3",
secret: {
secretKey1: "SecretValue1InBase64",
secretKey2: "SecretValue2InBase64",
},
},
],
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
cg_profile = azure_native.containerinstance.CGProfile("cgProfile",
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "nginx",
"name": "demo1",
"ports": [{
"port": 80,
}],
"resources": {
"requests": {
"cpu": 1,
"gpu": {
"count": 1,
"sku": azure_native.containerinstance.GpuSku.K80,
},
"memory_in_gb": 1.5,
},
},
"volume_mounts": [
{
"mount_path": "/mnt/volume1",
"name": "volume1",
"read_only": False,
},
{
"mount_path": "/mnt/volume2",
"name": "volume2",
"read_only": False,
},
{
"mount_path": "/mnt/volume3",
"name": "volume3",
"read_only": True,
},
],
}],
diagnostics={
"log_analytics": {
"log_type": azure_native.containerinstance.LogAnalyticsLogType.CONTAINER_INSIGHTS,
"metadata": {
"pod-uuid": "test-metadata-value",
},
"workspace_id": "workspaceid",
"workspace_key": "workspaceKey",
"workspace_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace",
},
},
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 80,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PUBLIC,
},
location="west us",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
volumes=[
{
"azure_file": {
"share_name": "shareName",
"storage_account_key": "accountKey",
"storage_account_name": "accountName",
},
"name": "volume1",
},
{
"empty_dir": {},
"name": "volume2",
},
{
"name": "volume3",
"secret": {
"secretKey1": "SecretValue1InBase64",
"secretKey2": "SecretValue2InBase64",
},
},
],
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewCGProfile(ctx, "cgProfile", &containerinstance.CGProfileArgs{
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("nginx"),
Name: pulumi.String("demo1"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(80),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
Gpu: &containerinstance.GpuResourceArgs{
Count: pulumi.Int(1),
Sku: pulumi.String(containerinstance.GpuSkuK80),
},
MemoryInGB: pulumi.Float64(1.5),
},
},
VolumeMounts: containerinstance.VolumeMountArray{
&containerinstance.VolumeMountArgs{
MountPath: pulumi.String("/mnt/volume1"),
Name: pulumi.String("volume1"),
ReadOnly: pulumi.Bool(false),
},
&containerinstance.VolumeMountArgs{
MountPath: pulumi.String("/mnt/volume2"),
Name: pulumi.String("volume2"),
ReadOnly: pulumi.Bool(false),
},
&containerinstance.VolumeMountArgs{
MountPath: pulumi.String("/mnt/volume3"),
Name: pulumi.String("volume3"),
ReadOnly: pulumi.Bool(true),
},
},
},
},
Diagnostics: &containerinstance.ContainerGroupDiagnosticsArgs{
LogAnalytics: &containerinstance.LogAnalyticsArgs{
LogType: pulumi.String(containerinstance.LogAnalyticsLogTypeContainerInsights),
Metadata: pulumi.StringMap{
"pod-uuid": pulumi.String("test-metadata-value"),
},
WorkspaceId: pulumi.String("workspaceid"),
WorkspaceKey: pulumi.String("workspaceKey"),
WorkspaceResourceId: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace"),
},
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(80),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePublic),
},
Location: pulumi.String("west us"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Volumes: containerinstance.VolumeArray{
&containerinstance.VolumeArgs{
AzureFile: &containerinstance.AzureFileVolumeArgs{
ShareName: pulumi.String("shareName"),
StorageAccountKey: pulumi.String("accountKey"),
StorageAccountName: pulumi.String("accountName"),
},
Name: pulumi.String("volume1"),
},
&containerinstance.VolumeArgs{
EmptyDir: pulumi.Any(map[string]interface{}{}),
Name: pulumi.String("volume2"),
},
&containerinstance.VolumeArgs{
Name: pulumi.String("volume3"),
Secret: pulumi.StringMap{
"secretKey1": pulumi.String("SecretValue1InBase64"),
"secretKey2": pulumi.String("SecretValue2InBase64"),
},
},
},
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var cgProfile = new AzureNative.ContainerInstance.CGProfile("cgProfile", new()
{
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "nginx",
Name = "demo1",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 80,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
Gpu = new AzureNative.ContainerInstance.Inputs.GpuResourceArgs
{
Count = 1,
Sku = AzureNative.ContainerInstance.GpuSku.K80,
},
MemoryInGB = 1.5,
},
},
VolumeMounts = new[]
{
new AzureNative.ContainerInstance.Inputs.VolumeMountArgs
{
MountPath = "/mnt/volume1",
Name = "volume1",
ReadOnly = false,
},
new AzureNative.ContainerInstance.Inputs.VolumeMountArgs
{
MountPath = "/mnt/volume2",
Name = "volume2",
ReadOnly = false,
},
new AzureNative.ContainerInstance.Inputs.VolumeMountArgs
{
MountPath = "/mnt/volume3",
Name = "volume3",
ReadOnly = true,
},
},
},
},
Diagnostics = new AzureNative.ContainerInstance.Inputs.ContainerGroupDiagnosticsArgs
{
LogAnalytics = new AzureNative.ContainerInstance.Inputs.LogAnalyticsArgs
{
LogType = AzureNative.ContainerInstance.LogAnalyticsLogType.ContainerInsights,
Metadata =
{
{ "pod-uuid", "test-metadata-value" },
},
WorkspaceId = "workspaceid",
WorkspaceKey = "workspaceKey",
WorkspaceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace",
},
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 80,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Public,
},
Location = "west us",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Volumes = new[]
{
new AzureNative.ContainerInstance.Inputs.VolumeArgs
{
AzureFile = new AzureNative.ContainerInstance.Inputs.AzureFileVolumeArgs
{
ShareName = "shareName",
StorageAccountKey = "accountKey",
StorageAccountName = "accountName",
},
Name = "volume1",
},
new AzureNative.ContainerInstance.Inputs.VolumeArgs
{
EmptyDir = null,
Name = "volume2",
},
new AzureNative.ContainerInstance.Inputs.VolumeArgs
{
Name = "volume3",
Secret =
{
{ "secretKey1", "SecretValue1InBase64" },
{ "secretKey2", "SecretValue2InBase64" },
},
},
},
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.CGProfile;
import com.pulumi.azurenative.containerinstance.CGProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.GpuResourceArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerGroupDiagnosticsArgs;
import com.pulumi.azurenative.containerinstance.inputs.LogAnalyticsArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import com.pulumi.azurenative.containerinstance.inputs.VolumeArgs;
import com.pulumi.azurenative.containerinstance.inputs.AzureFileVolumeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cgProfile = new CGProfile("cgProfile", CGProfileArgs.builder()
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("nginx")
.name("demo1")
.ports(ContainerPortArgs.builder()
.port(80)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.gpu(GpuResourceArgs.builder()
.count(1)
.sku("K80")
.build())
.memoryInGB(1.5)
.build())
.build())
.volumeMounts(
VolumeMountArgs.builder()
.mountPath("/mnt/volume1")
.name("volume1")
.readOnly(false)
.build(),
VolumeMountArgs.builder()
.mountPath("/mnt/volume2")
.name("volume2")
.readOnly(false)
.build(),
VolumeMountArgs.builder()
.mountPath("/mnt/volume3")
.name("volume3")
.readOnly(true)
.build())
.build())
.diagnostics(ContainerGroupDiagnosticsArgs.builder()
.logAnalytics(LogAnalyticsArgs.builder()
.logType("ContainerInsights")
.metadata(Map.of("pod-uuid", "test-metadata-value"))
.workspaceId("workspaceid")
.workspaceKey("workspaceKey")
.workspaceResourceId("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace")
.build())
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(80)
.protocol("TCP")
.build())
.type("Public")
.build())
.location("west us")
.osType("Linux")
.resourceGroupName("demo")
.volumes(
VolumeArgs.builder()
.azureFile(AzureFileVolumeArgs.builder()
.shareName("shareName")
.storageAccountKey("accountKey")
.storageAccountName("accountName")
.build())
.name("volume1")
.build(),
VolumeArgs.builder()
.emptyDir(Map.ofEntries(
))
.name("volume2")
.build(),
VolumeArgs.builder()
.name("volume3")
.secret(Map.ofEntries(
Map.entry("secretKey1", "SecretValue1InBase64"),
Map.entry("secretKey2", "SecretValue2InBase64")
))
.build())
.zones("1")
.build());
}
}
resources:
cgProfile:
type: azure-native:containerinstance:CGProfile
properties:
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: nginx
name: demo1
ports:
- port: 80
resources:
requests:
cpu: 1
gpu:
count: 1
sku: K80
memoryInGB: 1.5
volumeMounts:
- mountPath: /mnt/volume1
name: volume1
readOnly: false
- mountPath: /mnt/volume2
name: volume2
readOnly: false
- mountPath: /mnt/volume3
name: volume3
readOnly: true
diagnostics:
logAnalytics:
logType: ContainerInsights
metadata:
pod-uuid: test-metadata-value
workspaceId: workspaceid
workspaceKey: workspaceKey
workspaceResourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/workspace
imageRegistryCredentials: []
ipAddress:
ports:
- port: 80
protocol: TCP
type: Public
location: west us
osType: Linux
resourceGroupName: demo
volumes:
- azureFile:
shareName: shareName
storageAccountKey: accountKey
storageAccountName: accountName
name: volume1
- emptyDir: {}
name: volume2
- name: volume3
secret:
secretKey1: SecretValue1InBase64
secretKey2: SecretValue2InBase64
zones:
- '1'
The volumes array defines storage that containers can mount: Azure Files for persistent shared storage, emptyDir for ephemeral scratch space, and secret volumes for sensitive data. The volumeMounts property in each container maps these volumes to filesystem paths. The diagnostics property sends container logs and metrics to Log Analytics, where workspaceId and workspaceKey authenticate the connection.
Add Kubernetes extensions for cluster integration
Virtual Kubelet scenarios require extensions like kube-proxy to integrate container groups with Kubernetes clusters.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const cgProfile = new azure_native.containerinstance.CGProfile("cgProfile", {
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "nginx",
name: "demo1",
ports: [{
port: 80,
}],
resources: {
requests: {
cpu: 1,
memoryInGB: 1.5,
},
},
}],
extensions: [
{
extensionType: "kube-proxy",
name: "kube-proxy",
protectedSettings: {
kubeConfig: "<kubeconfig encoded string>",
},
settings: {
clusterCidr: "10.240.0.0/16",
kubeVersion: "v1.9.10",
},
version: "1.0",
},
{
extensionType: "realtime-metrics",
name: "vk-realtime-metrics",
version: "1.0",
},
],
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 80,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Private,
},
location: "eastus2",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
cg_profile = azure_native.containerinstance.CGProfile("cgProfile",
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "nginx",
"name": "demo1",
"ports": [{
"port": 80,
}],
"resources": {
"requests": {
"cpu": 1,
"memory_in_gb": 1.5,
},
},
}],
extensions=[
{
"extension_type": "kube-proxy",
"name": "kube-proxy",
"protected_settings": {
"kubeConfig": "<kubeconfig encoded string>",
},
"settings": {
"clusterCidr": "10.240.0.0/16",
"kubeVersion": "v1.9.10",
},
"version": "1.0",
},
{
"extension_type": "realtime-metrics",
"name": "vk-realtime-metrics",
"version": "1.0",
},
],
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 80,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PRIVATE,
},
location="eastus2",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewCGProfile(ctx, "cgProfile", &containerinstance.CGProfileArgs{
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("nginx"),
Name: pulumi.String("demo1"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(80),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
MemoryInGB: pulumi.Float64(1.5),
},
},
},
},
Extensions: containerinstance.DeploymentExtensionSpecArray{
&containerinstance.DeploymentExtensionSpecArgs{
ExtensionType: pulumi.String("kube-proxy"),
Name: pulumi.String("kube-proxy"),
ProtectedSettings: pulumi.Any(map[string]interface{}{
"kubeConfig": "<kubeconfig encoded string>",
}),
Settings: pulumi.Any(map[string]interface{}{
"clusterCidr": "10.240.0.0/16",
"kubeVersion": "v1.9.10",
}),
Version: pulumi.String("1.0"),
},
&containerinstance.DeploymentExtensionSpecArgs{
ExtensionType: pulumi.String("realtime-metrics"),
Name: pulumi.String("vk-realtime-metrics"),
Version: pulumi.String("1.0"),
},
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(80),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePrivate),
},
Location: pulumi.String("eastus2"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var cgProfile = new AzureNative.ContainerInstance.CGProfile("cgProfile", new()
{
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "nginx",
Name = "demo1",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 80,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
MemoryInGB = 1.5,
},
},
},
},
Extensions = new[]
{
new AzureNative.ContainerInstance.Inputs.DeploymentExtensionSpecArgs
{
ExtensionType = "kube-proxy",
Name = "kube-proxy",
ProtectedSettings = new Dictionary<string, object?>
{
["kubeConfig"] = "<kubeconfig encoded string>",
},
Settings = new Dictionary<string, object?>
{
["clusterCidr"] = "10.240.0.0/16",
["kubeVersion"] = "v1.9.10",
},
Version = "1.0",
},
new AzureNative.ContainerInstance.Inputs.DeploymentExtensionSpecArgs
{
ExtensionType = "realtime-metrics",
Name = "vk-realtime-metrics",
Version = "1.0",
},
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 80,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Private,
},
Location = "eastus2",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.CGProfile;
import com.pulumi.azurenative.containerinstance.CGProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.DeploymentExtensionSpecArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cgProfile = new CGProfile("cgProfile", CGProfileArgs.builder()
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("nginx")
.name("demo1")
.ports(ContainerPortArgs.builder()
.port(80)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.memoryInGB(1.5)
.build())
.build())
.build())
.extensions(
DeploymentExtensionSpecArgs.builder()
.extensionType("kube-proxy")
.name("kube-proxy")
.protectedSettings(Map.of("kubeConfig", "<kubeconfig encoded string>"))
.settings(Map.ofEntries(
Map.entry("clusterCidr", "10.240.0.0/16"),
Map.entry("kubeVersion", "v1.9.10")
))
.version("1.0")
.build(),
DeploymentExtensionSpecArgs.builder()
.extensionType("realtime-metrics")
.name("vk-realtime-metrics")
.version("1.0")
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(80)
.protocol("TCP")
.build())
.type("Private")
.build())
.location("eastus2")
.osType("Linux")
.resourceGroupName("demo")
.zones("1")
.build());
}
}
resources:
cgProfile:
type: azure-native:containerinstance:CGProfile
properties:
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: nginx
name: demo1
ports:
- port: 80
resources:
requests:
cpu: 1
memoryInGB: 1.5
extensions:
- extensionType: kube-proxy
name: kube-proxy
protectedSettings:
kubeConfig: <kubeconfig encoded string>
settings:
clusterCidr: 10.240.0.0/16
kubeVersion: v1.9.10
version: '1.0'
- extensionType: realtime-metrics
name: vk-realtime-metrics
version: '1.0'
imageRegistryCredentials: []
ipAddress:
ports:
- port: 80
protocol: TCP
type: Private
location: eastus2
osType: Linux
resourceGroupName: demo
zones:
- '1'
The extensions array adds capabilities beyond standard container execution. Each extension has an extensionType (like “kube-proxy” or “realtime-metrics”), settings for public configuration, and protectedSettings for sensitive data like kubeconfig. Extensions enable container groups to participate in Kubernetes networking and monitoring without running on traditional cluster nodes.
Encrypt container data with Key Vault
Compliance requirements often mandate encryption of container data at rest using customer-managed keys stored in Azure Key Vault.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const cgProfile = new azure_native.containerinstance.CGProfile("cgProfile", {
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "nginx",
name: "demo1",
ports: [{
port: 80,
}],
resources: {
requests: {
cpu: 1,
memoryInGB: 1.5,
},
},
}],
encryptionProperties: {
identity: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity",
keyName: "test-key",
keyVersion: "<key version>",
vaultBaseUrl: "https://testkeyvault.vault.azure.net",
},
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 80,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Public,
},
location: "eastus2",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
cg_profile = azure_native.containerinstance.CGProfile("cgProfile",
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "nginx",
"name": "demo1",
"ports": [{
"port": 80,
}],
"resources": {
"requests": {
"cpu": 1,
"memory_in_gb": 1.5,
},
},
}],
encryption_properties={
"identity": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity",
"key_name": "test-key",
"key_version": "<key version>",
"vault_base_url": "https://testkeyvault.vault.azure.net",
},
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 80,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PUBLIC,
},
location="eastus2",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewCGProfile(ctx, "cgProfile", &containerinstance.CGProfileArgs{
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("nginx"),
Name: pulumi.String("demo1"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(80),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
MemoryInGB: pulumi.Float64(1.5),
},
},
},
},
EncryptionProperties: &containerinstance.EncryptionPropertiesArgs{
Identity: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity"),
KeyName: pulumi.String("test-key"),
KeyVersion: pulumi.String("<key version>"),
VaultBaseUrl: pulumi.String("https://testkeyvault.vault.azure.net"),
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(80),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePublic),
},
Location: pulumi.String("eastus2"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var cgProfile = new AzureNative.ContainerInstance.CGProfile("cgProfile", new()
{
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "nginx",
Name = "demo1",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 80,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
MemoryInGB = 1.5,
},
},
},
},
EncryptionProperties = new AzureNative.ContainerInstance.Inputs.EncryptionPropertiesArgs
{
Identity = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity",
KeyName = "test-key",
KeyVersion = "<key version>",
VaultBaseUrl = "https://testkeyvault.vault.azure.net",
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 80,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Public,
},
Location = "eastus2",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.CGProfile;
import com.pulumi.azurenative.containerinstance.CGProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.EncryptionPropertiesArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cgProfile = new CGProfile("cgProfile", CGProfileArgs.builder()
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("nginx")
.name("demo1")
.ports(ContainerPortArgs.builder()
.port(80)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.memoryInGB(1.5)
.build())
.build())
.build())
.encryptionProperties(EncryptionPropertiesArgs.builder()
.identity("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity")
.keyName("test-key")
.keyVersion("<key version>")
.vaultBaseUrl("https://testkeyvault.vault.azure.net")
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(80)
.protocol("TCP")
.build())
.type("Public")
.build())
.location("eastus2")
.osType("Linux")
.resourceGroupName("demo")
.zones("1")
.build());
}
}
resources:
cgProfile:
type: azure-native:containerinstance:CGProfile
properties:
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: nginx
name: demo1
ports:
- port: 80
resources:
requests:
cpu: 1
memoryInGB: 1.5
encryptionProperties:
identity: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/container-group-identity
keyName: test-key
keyVersion: <key version>
vaultBaseUrl: https://testkeyvault.vault.azure.net
imageRegistryCredentials: []
ipAddress:
ports:
- port: 80
protocol: TCP
type: Public
location: eastus2
osType: Linux
resourceGroupName: demo
zones:
- '1'
The encryptionProperties block configures customer-managed encryption. The vaultBaseUrl and keyName point to your Key Vault key, while identity specifies the managed identity that authenticates to Key Vault. Azure encrypts container data using this key before writing to disk.
Run confidential containers with attestation policies
Confidential computing workloads require hardware-based isolation and attestation policies to verify container integrity before execution.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const cgProfile = new azure_native.containerinstance.CGProfile("cgProfile", {
confidentialComputeProperties: {
ccePolicy: "eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19",
},
containerGroupProfileName: "demo1",
containers: [{
command: [],
environmentVariables: [],
image: "confiimage",
name: "accdemo",
ports: [{
port: 8000,
}],
resources: {
requests: {
cpu: 1,
memoryInGB: 1.5,
},
},
securityContext: {
capabilities: {
add: ["CAP_NET_ADMIN"],
},
privileged: false,
},
}],
imageRegistryCredentials: [],
ipAddress: {
ports: [{
port: 8000,
protocol: azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
type: azure_native.containerinstance.ContainerGroupIpAddressType.Public,
},
location: "westeurope",
osType: azure_native.containerinstance.OperatingSystemTypes.Linux,
resourceGroupName: "demo",
sku: azure_native.containerinstance.ContainerGroupSku.Confidential,
zones: ["1"],
});
import pulumi
import pulumi_azure_native as azure_native
cg_profile = azure_native.containerinstance.CGProfile("cgProfile",
confidential_compute_properties={
"cce_policy": "eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19",
},
container_group_profile_name="demo1",
containers=[{
"command": [],
"environment_variables": [],
"image": "confiimage",
"name": "accdemo",
"ports": [{
"port": 8000,
}],
"resources": {
"requests": {
"cpu": 1,
"memory_in_gb": 1.5,
},
},
"security_context": {
"capabilities": {
"add": ["CAP_NET_ADMIN"],
},
"privileged": False,
},
}],
image_registry_credentials=[],
ip_address={
"ports": [{
"port": 8000,
"protocol": azure_native.containerinstance.ContainerGroupNetworkProtocol.TCP,
}],
"type": azure_native.containerinstance.ContainerGroupIpAddressType.PUBLIC,
},
location="westeurope",
os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX,
resource_group_name="demo",
sku=azure_native.containerinstance.ContainerGroupSku.CONFIDENTIAL,
zones=["1"])
package main
import (
containerinstance "github.com/pulumi/pulumi-azure-native-sdk/containerinstance/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerinstance.NewCGProfile(ctx, "cgProfile", &containerinstance.CGProfileArgs{
ConfidentialComputeProperties: &containerinstance.ConfidentialComputePropertiesArgs{
CcePolicy: pulumi.String("eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19"),
},
ContainerGroupProfileName: pulumi.String("demo1"),
Containers: containerinstance.ContainerArray{
&containerinstance.ContainerArgs{
Command: pulumi.StringArray{},
EnvironmentVariables: containerinstance.EnvironmentVariableArray{},
Image: pulumi.String("confiimage"),
Name: pulumi.String("accdemo"),
Ports: containerinstance.ContainerPortArray{
&containerinstance.ContainerPortArgs{
Port: pulumi.Int(8000),
},
},
Resources: &containerinstance.ResourceRequirementsArgs{
Requests: &containerinstance.ResourceRequestsArgs{
Cpu: pulumi.Float64(1),
MemoryInGB: pulumi.Float64(1.5),
},
},
SecurityContext: &containerinstance.SecurityContextDefinitionArgs{
Capabilities: &containerinstance.SecurityContextCapabilitiesDefinitionArgs{
Add: pulumi.StringArray{
pulumi.String("CAP_NET_ADMIN"),
},
},
Privileged: pulumi.Bool(false),
},
},
},
ImageRegistryCredentials: containerinstance.ImageRegistryCredentialArray{},
IpAddress: &containerinstance.IpAddressArgs{
Ports: containerinstance.PortArray{
&containerinstance.PortArgs{
Port: pulumi.Int(8000),
Protocol: pulumi.String(containerinstance.ContainerGroupNetworkProtocolTCP),
},
},
Type: pulumi.String(containerinstance.ContainerGroupIpAddressTypePublic),
},
Location: pulumi.String("westeurope"),
OsType: pulumi.String(containerinstance.OperatingSystemTypesLinux),
ResourceGroupName: pulumi.String("demo"),
Sku: pulumi.String(containerinstance.ContainerGroupSkuConfidential),
Zones: pulumi.StringArray{
pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var cgProfile = new AzureNative.ContainerInstance.CGProfile("cgProfile", new()
{
ConfidentialComputeProperties = new AzureNative.ContainerInstance.Inputs.ConfidentialComputePropertiesArgs
{
CcePolicy = "eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19",
},
ContainerGroupProfileName = "demo1",
Containers = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerArgs
{
Command = new() { },
EnvironmentVariables = new() { },
Image = "confiimage",
Name = "accdemo",
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.ContainerPortArgs
{
Port = 8000,
},
},
Resources = new AzureNative.ContainerInstance.Inputs.ResourceRequirementsArgs
{
Requests = new AzureNative.ContainerInstance.Inputs.ResourceRequestsArgs
{
Cpu = 1,
MemoryInGB = 1.5,
},
},
SecurityContext = new AzureNative.ContainerInstance.Inputs.SecurityContextDefinitionArgs
{
Capabilities = new AzureNative.ContainerInstance.Inputs.SecurityContextCapabilitiesDefinitionArgs
{
Add = new[]
{
"CAP_NET_ADMIN",
},
},
Privileged = false,
},
},
},
ImageRegistryCredentials = new[] {},
IpAddress = new AzureNative.ContainerInstance.Inputs.IpAddressArgs
{
Ports = new[]
{
new AzureNative.ContainerInstance.Inputs.PortArgs
{
Port = 8000,
Protocol = AzureNative.ContainerInstance.ContainerGroupNetworkProtocol.TCP,
},
},
Type = AzureNative.ContainerInstance.ContainerGroupIpAddressType.Public,
},
Location = "westeurope",
OsType = AzureNative.ContainerInstance.OperatingSystemTypes.Linux,
ResourceGroupName = "demo",
Sku = AzureNative.ContainerInstance.ContainerGroupSku.Confidential,
Zones = new[]
{
"1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerinstance.CGProfile;
import com.pulumi.azurenative.containerinstance.CGProfileArgs;
import com.pulumi.azurenative.containerinstance.inputs.ConfidentialComputePropertiesArgs;
import com.pulumi.azurenative.containerinstance.inputs.ContainerArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequirementsArgs;
import com.pulumi.azurenative.containerinstance.inputs.ResourceRequestsArgs;
import com.pulumi.azurenative.containerinstance.inputs.SecurityContextDefinitionArgs;
import com.pulumi.azurenative.containerinstance.inputs.SecurityContextCapabilitiesDefinitionArgs;
import com.pulumi.azurenative.containerinstance.inputs.IpAddressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cgProfile = new CGProfile("cgProfile", CGProfileArgs.builder()
.confidentialComputeProperties(ConfidentialComputePropertiesArgs.builder()
.ccePolicy("eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19")
.build())
.containerGroupProfileName("demo1")
.containers(ContainerArgs.builder()
.command()
.environmentVariables()
.image("confiimage")
.name("accdemo")
.ports(ContainerPortArgs.builder()
.port(8000)
.build())
.resources(ResourceRequirementsArgs.builder()
.requests(ResourceRequestsArgs.builder()
.cpu(1.0)
.memoryInGB(1.5)
.build())
.build())
.securityContext(SecurityContextDefinitionArgs.builder()
.capabilities(SecurityContextCapabilitiesDefinitionArgs.builder()
.add("CAP_NET_ADMIN")
.build())
.privileged(false)
.build())
.build())
.imageRegistryCredentials()
.ipAddress(IpAddressArgs.builder()
.ports(PortArgs.builder()
.port(8000)
.protocol("TCP")
.build())
.type("Public")
.build())
.location("westeurope")
.osType("Linux")
.resourceGroupName("demo")
.sku("Confidential")
.zones("1")
.build());
}
}
resources:
cgProfile:
type: azure-native:containerinstance:CGProfile
properties:
confidentialComputeProperties:
ccePolicy: eyJhbGxvd19hbGwiOiB0cnVlLCAiY29udGFpbmVycyI6IHsibGVuZ3RoIjogMCwgImVsZW1lbnRzIjogbnVsbH19
containerGroupProfileName: demo1
containers:
- command: []
environmentVariables: []
image: confiimage
name: accdemo
ports:
- port: 8000
resources:
requests:
cpu: 1
memoryInGB: 1.5
securityContext:
capabilities:
add:
- CAP_NET_ADMIN
privileged: false
imageRegistryCredentials: []
ipAddress:
ports:
- port: 8000
protocol: TCP
type: Public
location: westeurope
osType: Linux
resourceGroupName: demo
sku: Confidential
zones:
- '1'
The sku property set to “Confidential” enables hardware-based trusted execution environments. The confidentialComputeProperties block includes a ccePolicy (base64-encoded attestation policy) that defines which containers can run and what capabilities they have. The securityContext property controls Linux capabilities like CAP_NET_ADMIN, allowing fine-grained permission management within the secure enclave.
Beyond these examples
These snippets focus on specific container group profile features: volume mounting and diagnostics, Kubernetes extensions, and encryption and confidential computing. They’re intentionally minimal rather than full container deployments.
The examples may reference pre-existing infrastructure such as Azure Files storage accounts, Log Analytics workspaces, Key Vault instances with encryption keys, and managed identities with Key Vault permissions. They focus on configuring the profile rather than provisioning everything around it.
To keep things focused, common profile patterns are omitted, including:
- Private networking and VNet integration (subnetIds)
- Container registry authentication (imageRegistryCredentials)
- Init containers for setup tasks
- Restart policies and priority settings
- GPU resource allocation
These omissions are intentional: the goal is to illustrate how each profile feature is wired, not provide drop-in container modules. See the CGProfile resource reference for all available configuration options.
Let's configure Azure Container Instance Profiles
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration Basics
What are the minimum required properties for a container group profile?
You must specify
containers (array of container definitions) and osType (Linux or Windows). Each container needs image, name, and resources with cpu and memoryInGB.What properties can't I change after creating the profile?
The
containerGroupProfileName and resourceGroupName are immutable. Changes to these require recreating the resource.Security & Confidential Computing
How do I set up a confidential container group?
Set
sku to Confidential and provide a base64-encoded policy in confidentialComputeProperties.ccePolicy.How do I enable encryption for my container group?
Configure encryptionProperties with four required fields:
identity- Managed identity resource IDkeyName- Key Vault key namekeyVersion- Specific key versionvaultBaseUrl- Key Vault URL (e.g., https://testkeyvault.vault.azure.net)
Storage & Volumes
What volume types are available?
Three volume types are supported:
- azureFile - Mount Azure File shares (requires shareName, storageAccountName, storageAccountKey)
- emptyDir - Temporary empty directory
- secret - Store base64-encoded secrets as key-value pairs
Networking
What's the difference between Public and Private IP addresses?
Set
ipAddress.type to Public for internet-accessible containers or Private for internal-only access. Both require defining ports with port numbers and protocols.Monitoring & Advanced Features
How do I set up Log Analytics monitoring?
Configure
diagnostics.logAnalytics with workspaceId, workspaceKey, and workspaceResourceId. Optionally set logType to ContainerInsights for enhanced monitoring.What extensions can I add to my container group?
Extensions like
kube-proxy (Kubernetes integration) and realtime-metrics are available. Configure each with extensionType, name, version, and optional settings or protectedSettings.How do I configure GPU resources?
Add a
gpu object to resources.requests with count (number of GPUs) and sku (e.g., K80).What's the revision property?
The
revision is a computed output field showing the current revision number of your container group profile, automatically calculated by Azure.What are registered revisions?
registeredRevisions is a computed output array calculated at request time based on table log records, tracking the profile’s revision history.