Merge pull request #292666 from ggailey777/aca-updates

[Functions][ACA] managed identity and other fixes

Author: denrea

articles/azure-functions/functions-container-apps-hosting.md

@@ -1,7 +1,7 @@
 ---
 title: Azure Container Apps hosting of Azure Functions 
 description: Learn about how you can use Azure Functions on Azure Container Apps to host and manage containerized function apps in Azure.
-ms.date: 12/25/2024
+ms.date: 01/05/2025
 ms.topic: conceptual
 ms.custom: build-2024, linux-related-content
 # Customer intent: As a cloud developer, I want to learn more about hosting my function apps in Linux containers managed by Azure Container Apps.
@@ -58,11 +58,40 @@ Azure Functions currently supports the following methods of deploying a containe
 + [GitHub Actions](https://github.com/Azure/azure-functions-on-container-apps/tree/main/samples/GitHubActions)
 + [Visual Studio Code](https://github.com/Azure/azure-functions-on-container-apps/tree/main/samples/VSCode%20Sample)
 
+You can continuously deploy your containerized apps from source code using either [Azure Pipelines](functions-how-to-azure-devops.md?pivots=v1#deploy-a-container) or [GitHub Actions](https://github.com/Azure/azure-functions-on-container-apps/tree/main/samples/GitHubActions). The continuous deployment feature of Functions isn't currently supported when deploying to Container Apps. 
+
+## Managed identity authorization
+
+For the best security, you should connect to remote services using Microsoft Entra authentication and managed identity authorization. You can use managed identities for these connections:
+
++ [Default storage account (`AzureWebJobsStorage`)](./functions-reference.md#connections) 
++ [Azure Container Registry](functions-deploy-container-apps.md?tabs=acr#create-and-configure-a-function-app-on-azure-with-the-image)
+
+When running in Container Apps, you can use Microsoft Entra ID with managed identities for all binding extensions that support managed identities. Currently, only these binding extensions support event-driven scaling when using managed identity authentication:
+
++ Azure Event Hubs
++ Azure Queue Storage
++ Azure Service Bus
+
+For other bindings, use fixed replicas when using managed identity authentication. For more information, see the [Functions developer guide](./functions-reference.md#connections).
+
 ## Virtual network integration
 
 When you host your function apps in a Container Apps environment, your functions are able to take advantage of both internally and externally accessible virtual networks. To learn more about environment networks, see [Networking in Azure Container Apps environment](../container-apps/networking.md).  
 
-## Configure scale rules
+## Event-driven scaling
+
+All Functions triggers can be used in your containerized function app. However, only these triggers can dynamically scale (from zero instances) based on received events when running in a Container Apps environment:  
+
++ Azure Event Grid 
++ Azure Event Hubs 
++ Azure Blob Storage (event-based)
++ Azure Queue Storage 
++ Azure Service Bus 
++ Durable Functions (MSSQL storage provider)
++ HTTP 
++ Kafka  
++ Timer 
 
 Azure Functions on Container Apps is designed to configure the scale parameters and rules as per the event target. You don't need to worry about configuring the KEDA scaled objects. You can still set minimum and maximum replica count when creating or modifying your function app. The following Azure CLI command sets the minimum and maximum replica count when creating a new function app in a Container Apps environment from an Azure Container Registry: 
 
@@ -86,33 +115,31 @@ A managed resource group gets removed automatically after all function app conta
 
 If you run into any issues with these managed resource groups, you should contact support.       
 
+## Application logging
+
+You can monitor your containerized function app hosted in Container Apps using Azure Monitor Application Insights in the same way you do with apps hosted by Azure Functions. For more information, see [Monitor Azure Functions](./monitor-functions.md). 
+
+For bindings that support event-driven scaling, scale events are logged as `FunctionsScalerInfo` and `FunctionsScalerError` events in your Log Analytics workspace. For more information, see [Application Logging in Azure Container Apps](../container-apps/logging.md). 
+
 ## Considerations for Container Apps hosting
 
 Keep in mind the following considerations when deploying your function app containers to Container Apps:
 
-+ While all triggers can be used, only the following triggers can dynamically scale (from zero instances) when running in a Container Apps environment:
-    + Azure Event Grid 
-    + Azure Event Hubs 
-    + Azure Blob storage (event-based)
-    + Azure Queue Storage 
-    + Azure Service Bus 
-    + Durable Functions (MSSQL storage provider)
-    + HTTP 
-    + Kafka  
-    + Timer  
 + These limitations apply to Kafka triggers:
     + The protocol value of `ssl` isn't supported when hosted on Container Apps. Use a [different protocol value](functions-bindings-kafka-trigger.md?pivots=programming-language-csharp#attributes). 
-    + For a Kafka trigger to dynamically scale when connected to Event Hubs, the `username` property must resolve to an application setting that contains the actual username value. When the default `$ConnectionString` value is used, the Kafka trigger won't be able to cause the app to scale dynamically.  
+    + For a Kafka trigger to dynamically scale when connected to Event Hubs, the `username` property must resolve to an application setting that contains the actual username value. When the default `$ConnectionString` value is used, the Kafka trigger isn't able to cause the app to scale dynamically.  
 + For the built-in Container Apps [policy definitions](../container-apps/policy-reference.md#policy-definitions), currently only environment-level policies apply to Azure Functions containers.
 + You can use managed identities for these connections:
     + [Deployment from an Azure Container Registry](functions-deploy-container-apps.md?tabs=acr#create-and-configure-a-function-app-on-azure-with-the-image)
     + [Triggers and bindings](functions-reference.md#configure-an-identity-based-connection)
     + [Required host storage connection](functions-identity-based-connections-tutorial.md) 
++ By default, a containerized function app monitors port 80 for incoming requests. If your app must use a different port, use the [`WEBSITES_PORT` application setting](../app-service/reference-app-settings.md#custom-containers) to change this default port.  
++ You aren't currently able to use built-in continuous deployment features when hosting on Container Apps. You must instead deploy from source code using either [Azure Pipelines](functions-how-to-azure-devops.md?pivots=v1#deploy-a-container) or [GitHub Actions](https://github.com/Azure/azure-functions-on-container-apps/tree/main/samples/GitHubActions).
 + You currently can't move a Container Apps hosted function app deployment between resource groups or between subscriptions. Instead, you would have to recreate the existing containerized app deployment in a new resource group, subscription, or region. 
 + When using Container Apps, you don't have direct access to the lower-level Kubernetes APIs. 
 + The `containerapp` extension conflicts with the `appservice-kube` extension in Azure CLI. If you have previously published apps to Azure Arc, run `az extension list` and make sure that `appservice-kube` isn't installed. If it is, you can remove it by running `az extension remove -n appservice-kube`.  
 
-## Next steps
+## Related articles
 
 + [Hosting and scale](./functions-scale.md)
 + [Create your first containerized functions on Container Apps](./functions-deploy-container-apps.md)