How does Azure Container Apps (ACA) compare to Azure Kubernetes Service (AKS)?
#ServerlessTips - Azure Container Apps
Author: Stephane Eyskens Azure MVP
With the rise of container technologies and services, it is sometimes hard to find our way. How does the newest service, ACA, compare with AKS? The table below summarizes some key aspects:
Aspect | AKS | ACA |
---|---|---|
Operations | High. Frequent cluster upgrades & node pool upgrades, plus customer-hosted ecosystem solutions | Low |
Network - external | Full support of UDR and NSG | At this stage, not a full integration yet (partial support of UDR) |
Network - Internal | Built-in K8s network policies and various ecosystem solutions (Calico) | No network segregation is possible between apps hosted in the same environment |
Compute granularity | Very high. Each node pool can be linked to a specific VM family size and labeled with tags, which we can use to schedule pods accordingly | Combined CPU and RAM bundles ranging from 0.25 CPU/0.5 GB to 2 CPU/4 GB |
High availability | Yes, with zone-redundant node pools | Yes, with zone-redundant environments |
Disaster Recovery | No built-in feature. Can be achieved with multiple clusters spread over various regions | No built-in feature. Can be achieved with multiple environments spread over various regions |
Autoscaling | Yes, with node pool level autoscaling | Yes, Automatic |
Basic workload autoscaling | Yes, with HPAs | Yes, with scaling rules |
Advanced workload autoscaling | Yes, when installing ecosystem solutions such as KEDA | Yes, built-in thanks to advanced rules (KEDA) |
Service discovery | Yes, when installing ecosystem solutions such as Dapr | Yes, built-in, thanks to Dapr |
Use Cases | Virtually anything | Microservices, Event-driven applications, Jobs (if not too resource-intensive) |
Complexity | High | Low |
Hosting Platform | Yes | No, or only for closely related assets |
Security Posture - Policy | High. Two built-in restrictive initiatives and Gatekeeper as an admission controller | Low. A few policies control the configuration of the apps themselves, but not the containers running inside |
Security Posture – Running containers | High, thanks to Defender for Containers | Nothing at this stage |
Security – Managed Identities | Full support of managed identities, including using the cluster's identity to pull container images from ACR | Full support of managed identities, including using the ACA's identity to pull container images from ACR |
Security – Workload Identities | Yes. | No |
Security – Workload Authn & Authz | Nothing out of the box. You can offload authn & authz to specific solutions such as Service Meshes. | Yes, built-in integration with Azure Active Directory, Google, Facebook, and Twitter. |
Security – Secret Management | Strong. CSI driver support for Azure Key Vault | Weak, built-in secret management but no integration with Key Vault or other secret stores |
Monitoring | High. Container Insights and many Azure Monitor metrics are available | Medium. No metric for Azure Container Environment in Azure Monitor. A few metrics are available for container apps. Logs are available in Log Analytics. |
Of course, this list is highly subject to change, so I encourage you to double-check the latest updates for each service. However, you can use it as a list of points to watch when choosing one solution over the other.