Add health checks

Author: pamelafox

azure.yaml

@@ -3,20 +3,22 @@
 name: python-mcp-demo
 metadata:
   template: [email protected]
+
 services:
-  # Not using remoteBuild due to private endpoint usage
   server:
     project: .
     language: docker
     host: containerapp
     docker:
+      remoteBuild: true
       path: ./servers/Dockerfile
       context: .
   agent:
     project: .
     language: docker
     host: containerapp
     docker:
+      remoteBuild: true
       path: ./agents/Dockerfile
       context: .
 hooks:

infra/agent.bicep

@@ -48,6 +48,10 @@ module app 'core/host/container-app-upsert.bicep' = {
         name: 'MCP_SERVER_URL'
         value: mcpServerUrl
       }
+      {
+        name: 'RUNNING_IN_PRODUCTION'
+        value: 'true'
+      }
     ]
   }
 }

infra/core/host/container-app-upsert.bicep

@@ -40,6 +40,9 @@ param containerCpuCoreCount string = '0.5'
 @description('Memory allocated to a single container instance, e.g. 1Gi')
 param containerMemory string = '1.0Gi'
 
+@description('Health probes for the container')
+param probes array = []
+
 resource existingApp 'Microsoft.App/containerApps@2025-01-01' existing = if (exists) {
   name: name
 }
@@ -67,6 +70,7 @@ module app 'container-app.bicep' = {
     env: env
     imageName: exists ? existingApp.properties.template.containers[0].image : ''
     targetPort: targetPort
+    probes: probes
   }
 }
 

infra/core/host/container-app.bicep

@@ -40,6 +40,9 @@ param containerCpuCoreCount string = '0.5'
 @description('Memory allocated to a single container instance, e.g. 1Gi')
 param containerMemory string = '1.0Gi'
 
+@description('Health probes for the container')
+param probes array = []
+
 resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
   name: identityName
 }
@@ -102,6 +105,7 @@ resource app 'Microsoft.App/containerApps@2025-01-01' = {
             cpu: json(containerCpuCoreCount)
             memory: containerMemory
           }
+          probes: probes
         }
       ]
       scale: {

infra/core/host/container-apps-environment.bicep

@@ -26,7 +26,21 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
     location: location
     tags: tags
     zoneRedundant: false
-    publicNetworkAccess: 'Enabled'
+    publicNetworkAccess: usePrivateIngress ? 'Disabled' : 'Enabled'
+    workloadProfiles: usePrivateIngress
+      ? [
+          {
+            name: 'Consumption'
+            workloadProfileType: 'Consumption'
+          }
+          {
+            name: 'Warm'
+            workloadProfileType: 'D4'
+            minimumCount: 1
+            maximumCount: 3
+          }
+        ]
+      : []
     appLogsConfiguration: useLogging
       ? {
           destination: 'log-analytics'

infra/core/host/container-registry.bicep

@@ -10,7 +10,7 @@ param encryption object = {
   status: 'disabled'
 }
 param networkRuleBypassOptions string = 'AzureServices'
-param publicNetworkAccess string = useVnet ? 'Disabled' : 'Enabled' // Public network access is disabled if VNet integration is enabled
+param publicNetworkAccess string = 'Enabled' // Keep public access enabled for pushing images from local machine
 param useVnet bool = false // Determines if VNet integration is enabled
 param sku object = {
   name: useVnet ? 'Premium' : 'Standard' // Use Premium if VNet is required, otherwise Standard

infra/main.bicep

@@ -152,7 +152,7 @@ module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0
     skuName: 'PerGB2018'
     dataRetention: 30
     publicNetworkAccessForIngestion: useVnet ? 'Disabled' : 'Enabled'
-    publicNetworkAccessForQuery: useVnet ? 'Disabled' : 'Enabled'
+    publicNetworkAccessForQuery: 'Enabled' // Keep public query access for debugging - change to 'Disabled' for more security
     useResourcePermissions: true
   }
 }
@@ -540,7 +540,7 @@ module monitorPrivateLinkScope 'br/public:avm/res/insights/private-link-scope:0.
     tags: tags
     accessModeSettings: {
       ingestionAccessMode: 'PrivateOnly'
-      queryAccessMode: 'PrivateOnly'
+      queryAccessMode: 'Open' // Allow public queries for debugging - change to 'PrivateOnly' for more security
     }
     scopedResources: [
       {

infra/main.parameters.json

@@ -20,8 +20,11 @@
       "usePrivateIngress": {
         "value": "${USE_PRIVATE_INGRESS=false}"
       },
-      "acaExists": {
-        "value": "${SERVICE_ACA_RESOURCE_EXISTS=false}"
+      "serverExists": {
+        "value": "${SERVICE_SERVER_RESOURCE_EXISTS=false}"
+      },
+      "agentExists": {
+        "value": "${SERVICE_AGENT_RESOURCE_EXISTS=false}"
       }
     }
-  }
+  }

infra/server.bicep

@@ -60,6 +60,37 @@ module app 'core/host/container-app-upsert.bicep' = {
       }
     ]
     targetPort: 8000
+    probes: [
+      {
+        type: 'Startup'
+        httpGet: {
+          path: '/health'
+          port: 8000
+        }
+        initialDelaySeconds: 3
+        periodSeconds: 3
+        failureThreshold: 30
+      }
+      {
+        type: 'Readiness'
+        httpGet: {
+          path: '/health'
+          port: 8000
+        }
+        initialDelaySeconds: 5
+        periodSeconds: 5
+        failureThreshold: 3
+      }
+      {
+        type: 'Liveness'
+        httpGet: {
+          path: '/health'
+          port: 8000
+        }
+        periodSeconds: 10
+        failureThreshold: 3
+      }
+    ]
   }
 }
 

servers/deployed_mcp.py

@@ -9,6 +9,7 @@
 from azure.identity.aio import DefaultAzureCredential, ManagedIdentityCredential
 from dotenv import load_dotenv
 from fastmcp import FastMCP
+from starlette.responses import JSONResponse
 
 load_dotenv(override=True)
 
@@ -39,6 +40,11 @@
 mcp = FastMCP("Expenses Tracker")
 
 
+@mcp.custom_route("/health", methods=["GET"])
+async def health_check(request):
+    return JSONResponse({"status": "healthy", "service": "mcp-server"})
+
+
 class PaymentMethod(Enum):
     AMEX = "amex"
     VISA = "visa"