Container Security on Azure

Container security is not a single tool or practice — it is a set of layered defences applied throughout the container lifecycle, from building images to running containers in production. Azure provides a rich set of security features across ACR, ACI, AKS, and Container Apps. This lesson covers the key security principles, tools, and best practices for securing containers on Azure.

---

The Container Security Lifecycle

Security must be applied at every stage:

+--------+    +---------+    +--------+    +---------+    +---------+
|  Build |    |  Store  |    | Deploy |    |   Run   |    | Monitor |
|--------|    |---------|    |--------|    |---------|    |---------|
| Secure |    | Scan    |    | Admit  |    | Isolate |    | Detect  |
| images |    | images  |    | only   |    | &       |    | &       |
| & code |    | in ACR  |    | trusted|    | Restrict|    | Respond |
+--------+    +---------+    +--------+    +---------+    +---------+

---

Build Phase: Secure Images

Use Minimal Base Images

The fewer packages in your image, the smaller the attack surface:

Base image	Size	Shell	Package manager	Security posture
Ubuntu	~75 MB	Yes	apt	Large attack surface
Alpine	~5 MB	Yes (BusyBox)	apk	Small attack surface
Distroless	~2–20 MB	No	No	Minimal attack surface
Scratch	0 MB	No	No	Zero attack surface (static binaries only)

Run as Non-Root

Never run containers as root. Create a dedicated user in your Dockerfile:

FROM node:20-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
COPY --chown=appuser:appgroup . .
USER appuser
CMD ["node", "server.js"]

Multi-Stage Builds

Keep build tools out of the final image:

# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
RUN npm run build

# Production stage
FROM node:20-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
USER appuser
EXPOSE 8080
CMD ["node", "dist/server.js"]

Scan During Build

Integrate vulnerability scanning into your CI/CD pipeline:

# GitHub Actions example
- name: Scan image with Trivy
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: mycompanyacr.azurecr.io/myapp:${{ github.sha }}
    format: table
    exit-code: 1
    severity: CRITICAL,HIGH

---

Store Phase: Secure the Registry

ACR Security Features

Feature	Tier	Purpose
Entra ID authentication	All	Eliminate passwords; use identity-based access
Role-based access	All	AcrPull, AcrPush, AcrDelete — least privilege
Content trust	Premium	Sign images to verify integrity
Private endpoints	Premium	Restrict registry to your VNet
Customer-managed keys	Premium	Encrypt images with your own keys
Retention policies	Premium	Automatically purge old images

Microsoft Defender for Containers

Defender for Containers provides:

• Image scanning — scan images in ACR for known CVEs
• Continuous assessment — rescan when new vulnerabilities are published
• Recommendations — actionable guidance to fix vulnerabilities
• Runtime protection — detect threats in running containers (AKS)

# Enable Defender for Containers on your subscription
az security pricing create \
  --name Containers \
  --tier Standard

---

Deploy Phase: Admission Control

Azure Policy for AKS

Azure Policy enforces rules at deployment time — rejecting pods that violate your security standards:

Policy	Effect
Do not allow privileged containers	Deny
Containers must run as non-root	Deny
Only allow images from approved registries	Deny
Require resource limits on all containers	Deny
Do not allow hostPath volume mounts	Deny
Require read-only root filesystem	Audit

# Enable Azure Policy add-on for AKS
az aks enable-addons \
  --resource-group rg-aks \
  --name my-aks-cluster \
  --addons azure-policy