How does Azure Container Apps (ACA) compare to Azure Kubernetes Service (AKS)?
    • Dark
      Light
    • PDF

    How does Azure Container Apps (ACA) compare to Azure Kubernetes Service (AKS)?

    • Dark
      Light
    • PDF

    Article summary

    #ServerlessTips - Azure Container Apps
    Author: Stephane Eyskens Azure MVP

    With the rise of container technologies and services, it is sometimes hard to find our way. How does the last-born service ACA compare with AKS? Below is a table that summarizes some key aspects:

    AKSACA
    OperationsHigh. Frequent cluster upgrades & node pool upgrades)+customer-hosted ecosystem solutionsLow
    Network - externalFull support of UDR and NSGAt this stage, not a full integration yet (partial support of UDR)
    Network - InternalBuilt-in K8s network policies and various ecosystem solutions (Calico)No network segregation is possible between apps hosted in the same environment
    Compute granularityVery high. Each node pool can be linked to a specific VM family size and labeled with tags, which we can use to schedule pods accordinglyBundles of RAM & CPU combined ranging from 0.25 CPU/0.5GB to 2CPU/4GB
    High availabilityYes, with zone-redundant node poolsYes, with zone-redundant environments
    Disaster RecoveryNo built-in feature. Can be achieved with multiple clusters spread over various regionsNo built-in feature. Can be achieved with multiple environments spread over various regions
    AutoscalingYes, with node pool level autoscalingYes, Automatic
    Basic workload autoscalingYes, with HPAsYes, with scaling rules
    Advanced workload autoscalingYes, when installing ecosystem solutions such as KEDAYes, built-in thanks to advanced rules (KEDA)
    Service discoveryYes, when installing ecosystem solutions such as DaprYes, built-in, thanks to Dapr
    Use CasesVirtually anythingMicroservices, Event-driven applications, Jobs (if not too resource-intensive)
    ComplexityHighLow
    Hosting PlatformYesNo, or closely related assets
    Security Posture - PolicyHigh. Two built-in restrictive initiatives and gatekeeper as an admission controllerLow, a few policies to control the config of the apps themselves but not the containers running inside
    Security Posture – Running containersHigh, thanks to Defender for ContainersNothing at this stage
    Security – Managed IdentitiesFull support of managed identities, including using the cluster's identity to pull container images from ACRFull support of managed identities, including using the ACA's identity to pull container images from ACR
    Security – Workload IdentitiesYes.No
    Security – Workload Authn & AuthzNothing out of the box. You can offload authn & authz to specific solutions such as Service Meshes.Yes, built-in integration with Azure Active Directory, Google, Facebook, and Twitter.
    Security – Secret ManagementStrong. CSI driver support for Azure Key VaultWeak, built-in secret management but no integration with Key Vault or other secret stores
    MonitoringHigh. Container Insights and many Azure Monitor metrics are availableMedium. No metric for Azure Container Environment in Azure Monitor. A few metrics are available for container apps. Logs are available in Log Analytics.

    Of course, this list is highly subject to change, so I encourage you to double-check the latest updates for each service. However, you can take this as an attention point when choosing one solution over the other.


    Was this article helpful?

    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence