Containers: ACI, AKS & ACR
Single containers, managed Kubernetes, registry.
For containerized workloads, Azure offers a spectrum from simple single containers to full Kubernetes. Knowing when to use Azure Container Instances versus Azure Kubernetes Service is part of the administrator’s toolkit.
ACI and AKS
Azure Container Instances (ACI) runs a single container (or a small group) quickly and serverlessly, with no orchestration to manage — ideal for simple, short-lived, or bursty tasks like a batch job or a build agent. Azure Kubernetes Service (AKS) is managed Kubernetes: Azure runs and maintains the control plane while you manage your workloads and node pools, giving you full container orchestration — scaling, self-healing, rolling deployments, service discovery — for complex, long-running, microservice applications. Both pull images from a registry, typically Azure Container Registry (ACR), which stores and secures your container images. Choose ACI for simplicity and AKS when you need orchestration at scale.
# NEED SERVICE# run one container fast, no orchestration → Azure Container Instances (ACI)# full Kubernetes orchestration at scale → Azure Kubernetes Service (AKS)# store/secure container images → Azure Container Registry (ACR)## AKS: Azure manages the control plane; you manage node pools + workloads.# Pull images from ACR with a managed identity — no registry passwords in code.
Operating containers securely
From an administration standpoint, containers introduce their own governance: use Azure Container Registry with managed identities so workloads pull images without stored credentials, scan images for vulnerabilities, and (with Microsoft Defender for Containers) monitor runtime threats. For AKS specifically, integrate with Entra ID for cluster access, use Azure RBAC and Kubernetes RBAC together, apply network policies, and keep node pools patched — much of which Azure automates. The administrator matches the container service to the workload (ACI for simple, AKS for orchestrated), secures the image supply chain via ACR, and applies the same identity, network, and monitoring governance as the rest of the estate, so containerized workloads are as well-governed as VMs and PaaS.