📦 Module 1 of 9 · 20–25% · 2 sub-modules · 15 units · Domain 1: Develop Containerized Solutions on Azure

Implement Container Application Hosting on Azure

Build, store, version, and manage container images using Azure Container Registry. Build and run images with ACR Tasks. Deploy containers to Azure App Service with environment variables and secrets.

Azure Container Registry · ACR Tasks · Azure App Service

Last updated: · Aligned with Course AI-200T00-A

Module

Store and Manage Containers in Azure Container Registry

🎬 Unit 1

Introduction

2 min

Azure Container Registry (ACR) is Azure's private Docker-compatible registry. It stores container images and OCI artifacts, integrates natively with AKS, Container Apps, and App Service, and runs ACR Tasks to build images without a local Docker engine. Think: Private Docker Hub + Azure RBAC + built-in vulnerability scanning.

💡 Exam Tip
Three exam pillars for ACR: 1) SKU differences 2) Authentication options 3) ACR Tasks types. Know all three cold.
📘 Unit 2

Registries, Repositories, and Artifacts

8 min

ACR → Azure Compute: Build once, deploy everywhere

[Diagram: Developer (docker build, docker push) → ACR Container Registry (myapp:v1.0 ✓, myapp:latest ✓) → docker pull → Azure Compute (App Service, Container Apps, AKS, Functions). Managed Identity → AcrPull]

1. Registry Hierarchy

  1. Registry — top-level ACR account with unique DNS: myapp.azurecr.io. Up to 500 repositories per registry.
  2. Repository — named collection of related images (for example: api, worker, batch).
  3. Tag — mutable pointer to an image digest (for example: latest, v2.1). Can be overwritten.
  4. Digest — immutable SHA-256 hash (sha256:abc123...). Survives tag rewrites. Always use in production.

Memory aid: Library → Bookshelf → Label → ISBN

2. ACR SKUs Compared

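| # | SKU | Storage | Geo-Replication | Private Link | Use For |
|---|-----|---------|-----------------|--------------|---------|
| 1 | Basic | 10 GB | ❌ | ❌ | Dev/test, learning |
| 2 | Standard | 100 GB | ❌ | ❌ | Most production workloads |
| 3 | Premium | 500 GB | ✅ | ✅ | Multi-region, private networks, HSM keys |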
⚠️ Common Gotcha
Geo-replication = Premium only. Private endpoints = Premium only. Customer-managed keys = Premium only. If the question mentions ANY of these three → answer is Premium.

3. ACR Authentication Options

  1. Microsoft Entra ID + RBAC (recommended) — roles: AcrPull (read-only), AcrPush (push), AcrDelete (delete). Works with managed identities, so there are no stored credentials.
  2. Admin account — single username + 2 rotatable passwords. Disabled by default. Only for legacy tools that can't use Entra. Never production.
  3. Repository-scoped tokens — Premium only. Grants access to specific repos only. Great for vendors/external CI.
⚠️ Common Gotcha
AKS pulls from ACR using Managed Identity + AcrPull — NOT admin credentials. Admin account is always the wrong answer for AKS/ACA/App Service scenarios.

⚡ ACR Auth Quick Reference

| Scenario | Authentication |
|----------|----------------|
| AKS → ACR | Managed Identity + AcrPull role |
| Container Apps → ACR | Managed Identity + AcrPull role |
| App Service → ACR | Managed Identity + AcrPull role |
| Legacy tool (no Entra) | Admin account (last resort) |
| External vendor access | Repo-scoped token (Premium) |

📘 Unit 3

Build Container Images with ACR Tasks

8 min

ACR Tasks — Three Types

  1. Quick Task — one-shot cloud build. No local Docker daemon needed. Ideal for CI pipelines.
    az acr build --registry myregistry --image api:v1 .
  2. Triggered Task — runs automatically on an event:
    1. Source trigger — on git commit or PR via GitHub/ADO webhook
    2. Base image trigger — rebuilds your image when its FROM base image is updated (Premium only)
    3. Schedule trigger — cron-style, runs on a timer for nightly scans
    az acr task create \
      --registry myregistry --name build-on-commit \
      --image "api:{{.Run.ID}}" \
      --context https://github.com/org/repo.git --branch main \
      --file Dockerfile --git-access-token $TOKEN
  3. Multi-Step Task (YAML) — build → test → push pipeline in YAML:
    version: v1.1.0
    steps:
      - build: -t myregistry.azurecr.io/api:test -f Dockerfile .
      - push: ["myregistry.azurecr.io/api:test"]
      - cmd: myregistry.azurecr.io/api:test --run-tests
      - build: -t myregistry.azurecr.io/api:latest -f Dockerfile .
      - push: ["myregistry.azurecr.io/api:latest"]
💡 Exam Tip
Memory aid — QTS: Quick (one-shot), Triggered (event-driven), Step (YAML pipeline). Base image trigger = Premium only and is the key "automatically rebuild when OS is patched" scenario.
📘 Unit 4

Tag, Version, and Lifecycle Management

8 min

1. Stable vs Unique Tags

  1. Stable tags (for example: latest, v1) — mutable. Convenient but silently change. Dev/test only.
  2. Unique tags (for example: v1.2.3-20250601) — immutable per build. Fully traceable. Use in production.
  3. Digests (image@sha256:abc...) — never changes even if tag is overwritten. Gold standard for prod.
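
The tag and digest rules above can be checked before anything is deployed. This added example (not part of the original module) classifies image references and fails unless every one is digest-pinned; the function names are hypothetical, and treating `latest`, `stable`, and major or major.minor tags as floating is an assumption rather than ACR behaviour.

```shell
#!/bin/sh
# Added example: classify image references by how strongly they pin content.
# The tag heuristics are assumptions; adjust them to your own tagging scheme.

classify_image_ref() {
  ref=$1
  case $ref in
    *@sha256:*)
      hex=${ref##*@sha256:}
      # A valid digest is exactly 64 lowercase hex characters.
      if [ "${#hex}" -eq 64 ] && ! printf '%s' "$hex" | grep -q '[^0-9a-f]'; then
        echo digest-pinned
      else
        echo invalid-digest
      fi
      return ;;
  esac
  # Only the part after the last "/" can carry a tag; a ":" before it
  # belongs to a registry host:port such as localhost:5000/api.
  last=${ref##*/}
  case $last in
    *:*) tag=${last##*:} ;;
    *)   echo implicit-latest; return ;;
  esac
  # Assumption: latest, stable, and major or major.minor tags are floating.
  if printf '%s' "$tag" | grep -Eq '^(latest|stable|v?[0-9]+(\.[0-9]+)?)$'; then
    echo stable-tag
  else
    echo unique-tag
  fi
}

# Reads one reference per line; returns non-zero unless all are digest-pinned.
audit_prod_refs() {
  rc=0
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    verdict=$(classify_image_ref "$ref")
    printf '%-16s %s\n' "$verdict" "$ref"
    [ "$verdict" = digest-pinned ] || rc=1
  done
  return "$rc"
}

# Constructed sample references (not taken from a real registry).
printf '%s\n' 'myregistry.azurecr.io/api:latest' \
  'myregistry.azurecr.io/api:v1.2.3-20250601' \
  "myregistry.azurecr.io/api@sha256:$(printf '%064d' 0)" | audit_prod_refs || true
```

A unique tag is still only a naming convention: the registry will accept an overwrite unless the image is locked, which is why the audit accepts digests alone.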

2. Locking Images (Write-Protection)

az acr repository update \
  --name myregistry --image api:v1.2.3 --write-enabled false

Locked images cannot be overwritten or deleted. Protects production images from accidental pushes.

3. Lifecycle Policies (Auto-Cleanup)

az acr config retention update \
  --registry myregistry --status enabled --days 30 --type UntaggedManifests

Auto-deletes untagged manifests older than N days. Prevents storage bloat from accumulated dangling layers.

🧠 Memory Tricks

Auth ladder: Managed Identity (always first) > Repo token (vendors) > Admin (legacy only, never prod)

SKU → features: B/S = basic storage, P = Premium = Private link + geo-replication

Task types: QTS — Quick, Triggered, Step

🧪 Unit 5

Exercise — Build and Push with ACR Tasks

30 min
  1. Create an ACR registry (Standard SKU)
  2. Run az acr build to build without local Docker
  3. Create a triggered task tied to a GitHub repo
  4. Verify images: az acr repository list and az acr repository show-tags
  5. Lock the production tag with --write-enabled false
✅ Unit 6

Knowledge Check

5 min
  1. Q: Which SKU supports geo-replication? A: Premium
  2. Q: AKS needs to pull from ACR securely. Best approach? A: Assign AcrPull role to AKS cluster's managed identity
  3. Q: What ACR Task type rebuilds your image when the base OS image is patched? A: Base image trigger (Triggered task — Premium only)
  4. Q: How do you prevent a production image tag from being overwritten? A: az acr repository update --write-enabled false
  5. Q: What does the ACR admin account provide? A: Username + 2 rotatable passwords — legacy auth only, never production
🏁 Unit 7

Summary

2 min

ACR provides a private, Azure-native container registry. Use Premium for geo-replication and private endpoints. Authenticate with managed identity + AcrPull — never admin in production. Use ACR Tasks (QTS) to build in the cloud. Use unique tags + digests for production traceability. Set lifecycle policies to auto-clean dangling manifests.

Module

Deploy Containers to Azure App Service

🎬 Unit 1

Introduction

3 min

Azure App Service can run your custom Docker containers alongside its built-in language runtimes. You push an image to ACR, point App Service at it, and Azure handles TLS, scaling, and restarts. This module covers deploying, configuring runtime settings, handling secrets, and troubleshooting container failures.

📘 Unit 2

Deploy Containers to App Service

8 min

1. Image Sources

  1. Azure Container Registry — recommended. Native integration with managed identity. Best for production.
  2. Docker Hub — public images or authenticated private repos. Avoid for production (rate limits, no RBAC).
  3. Private registry — any registry exposing the Docker HTTP API. Supply server URL + credentials.

2. ACR Authentication for App Service

  1. Managed Identity (recommended)
    az webapp identity assign -g rg -n myapp
    az role assignment create \
      --assignee $(az webapp identity show -g rg -n myapp --query principalId -o tsv) \
      --role AcrPull \
      --scope $(az acr show -n myregistry --query id -o tsv)
    az webapp config container set -n myapp -g rg \
      --docker-custom-image-name myregistry.azurecr.io/api:v1 \
      --docker-registry-server-url https://myregistry.azurecr.io
  2. Admin credentials (legacy) — enable admin on ACR, set server/user/password in App Service config. Stores long-lived credentials.
⚠️ Common Gotcha
With managed identity you do NOT pass --docker-registry-server-user or --docker-registry-server-password. The identity handles it. This distinction is tested.

3. Continuous Deployment (CD)

az webapp deployment container config -n myapp -g rg --enable-cd true

Creates a webhook URL. Configure ACR to POST to it on image push. App Service auto-pulls the new image — zero CI/CD pipeline needed for simple scenarios.

📘 Unit 3

Configure Container Runtime Behavior

7 min

1. Port Mapping — WEBSITES_PORT

App Service routes all traffic to the port specified by WEBSITES_PORT. Default assumption is port 80.

az webapp config appsettings set -g rg -n myapp --settings WEBSITES_PORT=8000
⚠️ Common Gotcha
Port mismatch = #1 cause of container startup failures. App shows HTTP 503 or container exits immediately. First check: is WEBSITES_PORT set correctly?

2. Custom Startup Command

az webapp config set -g rg -n myapp --startup-file "gunicorn app:app --bind 0.0.0.0:8000"

Overrides the image CMD/ENTRYPOINT at runtime without rebuilding. Useful for multi-environment configs.

3. Persistent Storage

By default the container filesystem is ephemeral and is lost on restart. Set WEBSITES_ENABLE_APP_SERVICE_STORAGE=true to mount /home persistently for models, logs, or writable files.

4. Health Checks

  1. Always On — keeps app warm (no cold start). Enable for production, disable to save cost on dev.
  2. Health check path — App Service polls your endpoint (for example: /health). Unhealthy instances are recycled.
📘 Unit 4

Configure Application Settings

6 min

1. App Settings → Environment Variables

az webapp config appsettings set -g rg -n myapp --settings MODEL_NAME=gpt-4o LOG_LEVEL=info

Every App Setting becomes an environment variable in your container — the primary config injection mechanism.

2. Key Vault References (Secure Secrets)

az webapp config appsettings set -g rg -n myapp \
  --settings "<SETTING_NAME>=@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/api-key/)"

App Service fetches the secret at runtime. Secret rotations propagate automatically — no redeployment needed.

💡 Exam Tip
Key Vault references require: 1) Managed identity on App Service 2) Key Vault Secrets User role assigned. The exam tests this two-step dependency.
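
Because every App Setting reaches the container as an environment variable, a secret typed inline is readable by anyone who can list the settings. This added example (not part of the original module) audits name/value pairs and flags secret-like names that are not Key Vault references, along with stored registry passwords; the function names, the name fragments treated as secret-like, and the public-cloud `vault.azure.net` suffix are assumptions.

```shell
#!/bin/sh
# Added example: audit App Settings for secrets stored inline.
# Assumed input on stdin: one NAME<TAB>VALUE pair per line.

is_keyvault_ref() {
  case $1 in
    # Reject a "/" inside the host part so the suffix check cannot be spoofed.
    '@Microsoft.KeyVault(SecretUri=https://'*/*'.vault.azure.net/'*) return 1 ;;
    '@Microsoft.KeyVault(SecretUri=https://'?*'.vault.azure.net/secrets/'?*')') return 0 ;;
    '@Microsoft.KeyVault(VaultName='?*';SecretName='?*')') return 0 ;;
  esac
  return 1
}

looks_secret() {
  # Assumption: these name fragments indicate a secret; tune for your naming.
  case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
    *KEY*|*SECRET*|*PASSWORD*|*TOKEN*|*CONNECTION_STRING*|*CONNSTR*) return 0 ;;
  esac
  return 1
}

audit_app_settings() {
  findings=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name value; do
    [ -n "$name" ] || continue
    if is_keyvault_ref "$value"; then v=OK; why='Key Vault reference'
    elif [ "${value#@Microsoft.KeyVault}" != "$value" ]; then v=FAIL; why='malformed Key Vault reference'
    elif [ "$name" = DOCKER_REGISTRY_SERVER_PASSWORD ]; then v=FAIL; why='stored registry credential'
    elif looks_secret "$name"; then v=FAIL; why='secret-like name with inline value'
    else v=INFO; why='plain configuration'
    fi
    [ "$v" != FAIL ] || findings=$((findings + 1))
    printf '%-5s %s (%s)\n' "$v" "$name" "$why"   # the value is never printed
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample settings; every value is fake.
sample_settings() {
  printf 'MODEL_NAME\tgpt-4o\n'
  printf 'API_KEY\tconstructed-inline-secret\n'
  printf 'DB_PASSWORD\t@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/db-password/)\n'
  printf 'DOCKER_REGISTRY_SERVER_PASSWORD\tconstructed-admin-password\n'
}
sample_settings | audit_app_settings || true
```

Real input can come from `az webapp config appsettings list -g rg -n myapp --query "[].[name,value]" -o tsv`, piped straight into `audit_app_settings`.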

3. Connection String Prefixes

  1. SQLAZURECONNSTR_ — SQL Azure
  2. MYSQLCONNSTR_ — MySQL
  3. POSTGRESQLCONNSTR_ — PostgreSQL
  4. CUSTOMCONNSTR_ — any custom connection string
📘 Unit 5

Observe and Troubleshoot Containers

7 min

1. Log Stream (Live Logs)

az webapp log tail -g rg -n myapp

Streams container stdout/stderr in real time. First stop when a deployment fails.

2. SSH Console (Kudu)

App Service exposes SSH to running containers via https://myapp.scm.azurewebsites.net. Exec into the container and diagnose issues interactively. Your container must expose port 2222 for SSH to work.

3. Application Insights

Set APPLICATIONINSIGHTS_CONNECTION_STRING as an App Setting + add the SDK. Provides request tracing, exceptions, and performance metrics.

⚡ ACR + App Service Master Cheatsheet

| Task | Command / setting |
|------|-------------------|
| Build without Docker locally | az acr build --registry ... --image ... . |
| Auth: compute → ACR | Managed Identity + AcrPull role |
| Set container port | WEBSITES_PORT=8000 |
| Inject secret securely | Key Vault reference in App Settings |
| Enable CD from ACR | --enable-cd true |
| Lock image tag | --write-enabled false |
| Geo-replication SKU | Premium only |
| Auto-cleanup old images | az acr config retention update --days 30 |
| Live container logs | az webapp log tail -g rg -n myapp |
| SSH into container | Kudu: myapp.scm.azurewebsites.net |

🧪 Unit 6

Exercise — Deploy a Container to App Service

30 min
  1. Build an image with az acr build
  2. Create a Linux App Service (Docker container plan)
  3. Configure managed identity + AcrPull for registry auth
  4. Set WEBSITES_PORT and env vars
  5. Add a Key Vault reference for the API key
  6. Verify with az webapp log tail
✅ Unit 7

Knowledge Check

5 min
  1. Q: App Service fails to start your container — first thing to check? A: WEBSITES_PORT matches your app's listen port
  2. Q: How does App Service pull from ACR without stored credentials? A: System-assigned managed identity + AcrPull RBAC role on the registry
  3. Q: Where do you view live stdout from a running container? A: az webapp log tail or Log Stream in Azure portal
  4. Q: A Key Vault reference shows as literal text in the app, not the secret value. Why? A: The managed identity is missing the Key Vault Secrets User role
🏁 Unit 8

Summary

2 min

Deploy containers to App Service using ACR with managed identity authentication. Set WEBSITES_PORT to match your app's listen port. Inject configuration via App Settings and reference secrets from Key Vault instead of embedding them. Use log streaming and SSH console to troubleshoot. Enable continuous deployment for auto-pull on new image pushes.

🧠 Container Startup Failure Checklist

  1. Check WEBSITES_PORT matches app listen port
  2. Check image tag is correct and registry credentials work
  3. Run az webapp log tail for app-level errors
  4. Check managed identity has AcrPull on the registry
  5. Check Key Vault references if secrets are missing
📦
Module Cheatsheet

Azure Container Registry + App Service

20–25%

🔑 Key Facts

  • az acr build — Cloud build — no local Docker. Runs in Azure.
  • AcrPull role — Managed Identity pulls images. NEVER admin user in prod.
  • SKU ladder — Basic (10 GB dev) → Standard (100 GB prod) → Premium (geo-rep)
  • Geo-replication — Premium ONLY. Push once, pull from nearest replica.
  • Unique tag — Immutable per build — use in production (not 'latest')
  • WEBSITES_PORT — Must match app listen port — #1 startup failure cause
  • KV Reference — @Microsoft.KeyVault(SecretUri=...) in App Settings
  • Base image trigger — Auto-rebuild on OS update — Premium ACR task only

💻 Commands & Patterns

az acr build --registry myacr --image api:v1 .
az acr task create --name build --registry myacr \
  --image "api:{{.Run.ID}}" --context https://github.com/org/repo \
  --branch main --git-access-token $TOKEN
az acr config retention update \
  --registry myacr --status enabled --days 30 --type UntaggedManifests
az acr repository update --name myacr \
  --image api:v1.2.3 --write-enabled false
az webapp config appsettings set -g rg -n app \
  --settings WEBSITES_PORT=8000
az webapp log tail -g rg -n myapp

Frequently Asked Questions

What percentage of the AI-200 exam covers Develop Containerized Solutions on Azure?

Domain 1 (Develop Containerized Solutions on Azure) accounts for 20–25% of the AI-200 exam. Implement Container Application Hosting on Azure topics like Azure Container Registry and ACR Tasks are actively tested. Study all official skill objectives listed in the module header above.

Is ACR & App Service on the AI-200 exam?

Yes. Implement Container Application Hosting on Azure is part of Domain 1 in the official AI-200 skill outline, weighted at 20–25%. The key services tested are Azure Container Registry, ACR Tasks, Azure App Service. Review the code examples and exam tips in this module for targeted prep.

How do I practice ACR & App Service hands-on?

The best approach is to create a free Azure account and follow the code examples in this module step-by-step. The official Microsoft Learn sandbox for Course AI-200T00-A also provides free lab environments for Azure Container Registry and related services.