Merge pull request #231804 from craigshoemaker/aca/dedicated

[Container Apps] Dedicated Plan docs

Author: American-Dipper

articles/container-apps/TOC.yml

@@ -27,6 +27,8 @@
       href: deploy-visual-studio-code.md
 - name: Concepts
   items:
+    - name: Plans
+      href: plans.md
     - name: Environment
       href: environment.md
     - name: Containers
@@ -71,6 +73,8 @@
         href: alerts.md
     - name: Authentication
       href: authentication.md
+    - name: Workload profiles
+      href: workload-profiles-overview.md
     - name: Dapr integration
       href: dapr-overview.md
     - name: Azure Arc-enabled Kubernetes clusters
@@ -91,6 +95,8 @@
         href: managed-identity-image-pull.md
     - name: Manage revisions
       href: revisions-manage.md
+    - name: Manage workload profiles
+      href: workload-profiles-manage-cli.md
     - name: Ingress
       items:
       - name: Configure ingress
@@ -110,6 +116,12 @@
         href: custom-domains-certificates.md
       - name: Set up environment custom DNS suffix
         href: environment-custom-dns-suffix.md
+    - name: Network security
+      items:
+        - name: Configure WAF Application Gateway
+          href: waf-app-gateway.md
+        - name: Enable User Defined Routes (UDR)
+          href: user-defined-routes.md
     - name: Connect to a cloud service using Service Connector
       items:
         - name: .NET app with Blob Storage

articles/container-apps/billing.md

@@ -6,13 +6,24 @@ author: craigshoemaker
 ms.service: container-apps
 ms.custom: event-tier1-build-2022
 ms.topic: conceptual
-ms.date: 03/09/2022
+ms.date: 03/30/2023
 ms.author: cshoe
 ---
 
 # Billing in Azure Container Apps
 
-Azure Container Apps billing consists of two types of charges:
+Billing in Azure Container apps is based on your [plan type](plans.md).
+
+| Plan type | Description |
+|--|--|
+| [Consumption](#consumption-plan) | Serverless environment where you're only billed for the resources your apps use when they're running. |
+| [Consumption + Dedicated workload profiles plan structure](#consumption-dedicated) | A fully managed environment that supports both Consumption-based apps and Dedicated workload profiles that offer customized compute options for your apps. You're billed for each node in each [workload profile](workload-profiles-overview.md).
+
+Charges apply to resources allocated to each running replica. |
+
+## Consumption plan
+
+Azure Container Apps consumption plan billing consists of two types of charges:
 
 - **[Resource consumption](#resource-consumption-charges)**: The amount of resources allocated to your container app on a per-second basis, billed in vCPU-seconds and GiB-seconds.
 - **[HTTP requests](#request-charges)**: The number of HTTP requests your container app receives.
@@ -28,7 +39,7 @@ This article describes how to calculate the cost of running your container app.
 > [!NOTE]
 > If you use Container Apps with [your own virtual network](networking.md#managed-resources) or your apps utilize other Azure resources, additional charges may apply.
 
-## Resource consumption charges
+### Resource consumption charges
 
 Azure Container Apps runs replicas of your application based on the [scaling rules and replica count limits](scale-app.md) you configure for each revision. You're charged for the amount of resources allocated to each replica while it's running.
 
@@ -41,16 +52,16 @@ The first 180,000 vCPU-seconds and 360,000 GiB-seconds in each subscription per
 
 The rate you pay for resource consumption depends on the state of your container app's revisions and replicas. By default, replicas are charged at an *active* rate. However, in certain conditions, a replica can enter an *idle* state. While in an *idle* state, resources are billed at a reduced rate.
 
-### No replicas are running
+#### No replicas are running
 
 When a revision is scaled to zero replicas, no resource consumption charges are incurred.
 
-### Minimum number of replicas are running
+#### Minimum number of replicas are running
 
-Idle usage charges may apply when a revision is running under a specific set of circumstances. To be eligible for idle charges, a revision must meet the following criteria.
+Idle usage charges may apply when a revision is running under a specific set of circumstances. To be eligible for idle charges, a revision must be:
 
-- It is configured with a [minimum replica count](scale-app.md) greater than zero.
-- It is scaled to the minimum replica count.
+- Configured with a [minimum replica count](scale-app.md) greater than zero
+- Scaled to the minimum replica count
 
 Usage charges are calculated individually for each replica. A replica is considered idle when *all* of the following conditions are true:
 
@@ -60,14 +71,35 @@ Usage charges are calculated individually for each replica. A replica is conside
 - The replica is using less than 0.01 vCPU cores.
 - The replica is receiving less than 1,000 bytes per second of network traffic.
 
-When a replica is idle, resource consumption charges are calculated at the reduced idle rates. When a replica is not idle, the active rates apply.
+When a replica is idle, resource consumption charges are calculated at the reduced idle rates. When a replica isn't idle, the active rates apply.
 
-### More than the minimum number of replicas are running
+#### More than the minimum number of replicas are running
 
 When a revision is scaled above the [minimum replica count](scale-app.md), all of its running replicas are charged for resource consumption at the active rate.
 
-## Request charges
+### Request charges
 
 In addition to resource consumption, Azure Container Apps also charges based on the number of HTTP requests received by your container app.
 
 The first 2 million requests in each subscription per calendar month are free.
+
+<a id="consumption-dedicated"></a>
+
+## Consumption + Dedicated workload profiles plan structure (preview)
+
+Azure Container Apps Consumption + Dedicated plan structure consists of two plans withing a single environment, each with their own billing model.
+
+The billing for apps running in the Consumption plan within the Consumption + Dedicated plan structure is the same as the Consumption plan.
+
+The billing for apps running in the Dedicated plan within the Consumption + Dedicated plan structure is as follows:
+
+- **Dedicated workload profiles**: You're billed on a per-second basis for vCPU-seconds and GiB-seconds resources in all the workload profile instances in use. As profiles scale out, extra costs apply for the extra instances; as profiles scale in, billing is reduced.
+
+- **Dedicated plan management**: You're billed a fixed cost for the Dedicated management plan when using Dedicated workload profiles. This cost is the same regardless of how many Dedicated workload profiles in use.
+
+For instance, you are not billed any charges for Dedicated unless you use a Dedicated workload profile in your environment.
+ 
+
+For pricing details in your account's currency, see [Azure Container Apps Pricing](https://azure.microsoft.com/pricing/details/container-apps/).
+
+For best results, maximize the use of your allocated resources by calculating the needs of your container apps. Often you can run multiple apps on a single instance of a workload profile.

articles/container-apps/containers.md

@@ -24,12 +24,9 @@ Azure Container Apps supports:
 Features include:
 
 - There's no required base container image.
-- Changes to the `template` ARM configuration section trigger a new [container app revision](application-lifecycle-management.md).
+- Changes to the `template` configuration section trigger a new [container app revision](application-lifecycle-management.md).
 - If a container crashes, it automatically restarts.
 
-> [!NOTE]
-> The only supported protocols for a container app's fully qualified domain name (FQDN) are HTTP and HTTPS through ports 80 and 443 respectively.
-
 ## Configuration
 
 
@@ -110,12 +107,12 @@ The following code is an example of the `containers` array in the [`properties.t
 | `command` | The container's startup command. | Equivalent to Docker's [entrypoint](https://docs.docker.com/engine/reference/builder/) field.  |
 | `args` | Start up command arguments. | Entries in the array are joined together to create a parameter list to pass to the startup command. |
 | `env` | An array of key/value pairs that define environment variables. | Use `secretRef` instead of the `value` field to refer to a secret. |
-| `resources.cpu` | The number of CPUs allocated to the container. | Values must adhere to the following rules: the value must be greater than zero and less than or equal to 2, and can be any decimal number, with a maximum of two decimal places. For example, `1.25` is valid, but `1.555` is invalid. The default is 0.5 CPU per container. |
-| `resources.memory` | The amount of RAM allocated to the container. | This value is up to `4Gi`. The only allowed units are [gibibytes](https://simple.wikipedia.org/wiki/Gibibyte) (`Gi`). Values must adhere to the following rules: the value must be greater than zero and less than or equal to `4Gi`, and can be any decimal number, with a maximum of two decimal places. For example, `1.25Gi` is valid, but `1.555Gi` is invalid. The default is `1Gi` per container.  |
+| `resources.cpu` | The number of CPUs allocated to the container. | With the Consumption plan, values must adhere to the following rules:<br><br>• greater than zero<br>• less than or equal to 2<br>• can be any decimal number (with a max of two decimal places)<br><br> For example, `1.25` is valid, but `1.555` is invalid.<br> The default is 0.25 CPU per container.<br><br>When using the Consumption workload profile in the Consumption + Dedicated plan structure, the same rules apply except CPU must be less than or equal to 4.<br><br>When using a Dedicated workload profile in the Consumption + Dedicated plan structure, the maximum CPU must be less than or equal to the number of cores available in the profile. |
+| `resources.memory` | The amount of RAM allocated to the container. | With the Consumption plan, values must adhere to the following rules:<br><br>• greater than zero<br>• less than or equal to `4Gi`<br>• can be any decimal number (with a max of two decimal places)<br><br>For example, `1.25Gi` is valid, but `1.555Gi` is invalid.<br>The default is `0.5Gi` per container.<br><br>When using the Consumption workload profile in the Consumption + Dedicated plan structure, the same rules apply except memory must be less than or equal to `8Gi`.<br><br>When using a dedicated workload profile in the Consumption + Dedicated plan structure, the maximum memory must be less than or equal to the amount of memory available in the profile. |
 | `volumeMounts` | An array of volume mount definitions. | You can define a temporary volume or multiple permanent storage volumes for your container.  For more information about storage volumes, see [Use storage mounts in Azure Container Apps](storage-mounts.md).|
 | `probes`| An array of health probes enabled in the container. | This feature is based on Kubernetes health probes. For more information about probes settings, see [Health probes in Azure Container Apps](health-probes.md).|
 
-The total CPU and memory allocations requested for all the containers in a container app must add up to one of the following combinations.
+In the Consumption plan, the total CPU and memory allocations requested for all the containers in a container app must add up to one of the following combinations.
 
 | vCPUs (cores) | Memory |
 |---|---|
@@ -128,9 +125,32 @@ The total CPU and memory allocations requested for all the containers in a conta
 | `1.75` | `3.5Gi` |
 | `2.0` | `4.0Gi` |
 
+Alternatively, the Consumption workload profile in the Consumption + Dedicated plan structure, the total CPU and memory allocations requested for all the containers in a container app must add up to one of the following combinations.
+
+| vCPUs (cores) | Memory |
+|---|---|
+| `0.25` | `0.5Gi` |
+| `0.5` | `1.0Gi` |
+| `0.75` | `1.5Gi` |
+| `1.0` | `2.0Gi` |
+| `1.25` | `2.5Gi` |
+| `1.5` | `3.0Gi` |
+| `1.75` | `3.5Gi` |
+| `2.0` | `4.0Gi` |
+| `2.25` | `4.5Gi` |
+| `2.5` | `5.0Gi` |
+| `2.75` | `5.5Gi` |
+| `3.0` | `6.0Gi` |
+| `3.25` | `6.5Gi` |
+| `3.5` | `7.0Gi` |
+| `3.75` | `7.5Gi` |
+| `4.0` | `8.0Gi` |
+
 - The total of the CPU requests in all of your containers must match one of the values in the vCPUs column.
 - The total of the memory requests in all your containers must match the memory value in the memory column in the same row of the CPU column.
 
+When you use a Dedicated workload profile in the Consumption + Dedicated plan structure, the total CPU and memory allocations requested for all the containers in a container app must be less than or equal to the cores and memory available in the profile.
+
 ## Multiple containers
 
 You can define multiple containers in a single container app to implement the [sidecar pattern](/azure/architecture/patterns/sidecar). The containers in a container app share hard disk and network resources and experience the same [application lifecycle](./application-lifecycle-management.md).

articles/container-apps/environment.md

@@ -44,7 +44,10 @@ Settings relevant to the Azure Container Apps environment API resource.
 
 ## Billing
 
-Billing is relevant only to individual container apps and their resource usage. There are no base charges associated with the Container Apps environment.
+Azure Container Apps has two different pricing structures.
+
+- If you're using the Consumption only plan, or only the Consumption workload profile in the Consumption + Dedicated plan structure then billing is relevant only to individual container apps and their resource usage. There's no cost associated with the Container Apps environment.
+- If you're using any Dedicated workload profiles in the Consumption + Dedicated plan structure, there's a fixed cost for the Dedicated plan management. This cost is for the entire environment regardless of how many Dedicated workload profiles you're using.
 
 ## Next steps
 

articles/container-apps/firewall-integration.md

@@ -2,28 +2,29 @@
 title: Securing a custom VNET in Azure Container Apps
 description: Firewall settings to secure a custom VNET in Azure Container Apps
 services: container-apps
-author: JennyLawrance
+author: CaryChai
 ms.service: container-apps
 ms.custom: event-tier1-build-2022
 ms.topic:  reference
-ms.date: 07/15/2022
-ms.author: jennylaw
+ms.date: 03/29/2023
+ms.author: cachai
 ---
 
-# Securing a custom VNET in Azure Container Apps
+# Securing a custom VNET in Azure Container Apps  with Network Security Groups
 
 Network Security Groups (NSGs) needed to configure virtual networks closely resemble the settings required by Kubernetes.
 
-You can lock down a network via NSGs with more restrictive rules than the default NSG rules to control all inbound and outbound traffic for the Container App Environment.
+You can lock down a network via NSGs with more restrictive rules than the default NSG rules to control all inbound and outbound traffic for the Container Apps environment at the subscription level.
 
-Using custom user-defined routes (UDRs) or ExpressRoutes, other than with UDRs of selected destinations that you own, are not yet supported for Container App Environments with VNETs. Therefore, securing outbound traffic with a firewall is not yet supported.
+In the workload profiles architecture, user-defined routes (UDRs) and securing outbound traffic with a firewall are supported. Learn more in the [networking concepts document](./networking.md#user-defined-routes-udr---preview).
+
+In the Consumption only architecture, custom user-defined routes (UDRs) and ExpressRoutes aren't supported.
 
 ## NSG allow rules
 
 The following tables describe how to configure a collection of NSG allow rules.
-
 >[!NOTE]
-> The subnet associated with a Container App Environment requires a CIDR prefix of `/23` or larger.
+> The subnet associated with a Container App Environment on the Consumption only architecture requires a CIDR prefix of `/23` or larger. On the workload profiles architecture (preview), a `/27` or larger is required.
 
 ### Inbound
 
@@ -32,16 +33,30 @@ The following tables describe how to configure a collection of NSG allow rules.
 | Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`. |
 | Any | \* | AzureLoadBalancer | Allow the Azure infrastructure load balancer to communicate with your environment. |
 
-### Outbound with ServiceTags
+### Outbound with service tags
+
+The following service tags are required when using NSGs on the Consumption only architecture:
 
 | Protocol | Port | ServiceTag | Description
 |--|--|--|--|
 | UDP | `1194` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
 | TCP | `9000` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
 | TCP | `443` | `AzureMonitor` | Allows outbound calls to Azure Monitor. |
 
+The following service tags are required when using NSGs on the workload profiles architecture:
+
+>[!Note]
+> If you are using Azure Container Registry (ACR) with NSGs configured on your virtual network, create a private endpoint on your ACR to allow Container Apps to pull images through the virtual network.
+
+| Protocol | Port | Service Tag | Description
+|--|--|--|--|
+| TCP | `443` | `MicrosoftContainerRegistry` | This is the service tag for container registry for microsoft containers. |
+| TCP | `443` | `AzureFrontDoor.FirstParty` | This is a dependency of the `MicrosoftContainerRegistry` service tag. |
+
 ### Outbound with wild card IP rules
 
+The following IP rules are required when using NSGs on both the Consumption only architecture and the workload profiles architecture:
+
 | Protocol | Port | IP | Description |
 |--|--|--|--|
 | TCP | `443` | \* | Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |
@@ -52,5 +67,5 @@ The following tables describe how to configure a collection of NSG allow rules.
 
 #### Considerations
 
-- If you are running HTTP servers, you might need to add ports `80` and `443`.
+- If you're running HTTP servers, you might need to add ports `80` and `443`.
 - Adding deny rules for some ports and protocols with lower priority than `65000` may cause service interruption and unexpected behavior.

articles/container-apps/log-options.md

@@ -27,7 +27,10 @@ You can choose between these logs destinations:
     - Azure storage account to archive.
     - Azure event hub for data ingestion and analytic services. For more information, see [Azure Event Hubs](../event-hubs/event-hubs-about.md).
     - An Azure partner monitoring solution such as, Datadog, Elastic, Logz.io and others.  For more information, see [Partner solutions](../partner-solutions/overview.md).  
-- **None**: You can disable the storage of log data. You'll still be able to view real-time container logs via the **Logs stream** feature in your container app.  For more information, see [Log streaming](log-streaming.md).
+- **None**: You can disable the storage of log data. When disabled, you can still view real-time container logs via the **Logs stream** feature in your container app. For more information, see [Log streaming](log-streaming.md).
+
+> [!NOTE]
+> Azure Monitor is not currently supported in the Consumption + Dedicated plan structure.
 
 When *None* or the *Azure Monitor* destination is selected, the **Logs** menu item providing the Log Analytics query editor in the Azure portal is disabled.
 
@@ -43,7 +46,7 @@ Use these steps to configure the logging options for your Container Apps environ
     - **None**:  This option disables the storage of log data.
 1. Select **Save**.
     :::image type="content" source="media/observability/log-opts-screenshot-page-save-button.png" alt-text="Screenshot Logging options page.":::
-1. If you have selected **Azure Monitor** as your logs destination, you must configure **Diagnostic settings**.  The **Diagnostic settings** item will appear below the **Logging options** menu item.
+1. If you have selected **Azure Monitor** as your logs destination, you must configure **Diagnostic settings**.  The **Diagnostic settings** item appears below the **Logging options** menu item.
 
 ### Diagnostic settings