Build and deploy a Python web app with Azure Container Apps and PostgreSQL

This article is part of a tutorial about how to containerize and deploy a Python web app to Azure Container Apps. Container Apps enables you to deploy containerized apps without managing complex infrastructure.

In this part of the tutorial, you learn how to containerize and deploy a Python sample web app (Django or Flask). Specifically, you build the container image in the cloud and deploy it to Azure Container Apps. You define environment variables that enable the container app to connect to an Azure Database for PostgreSQL - Flexible Server instance, where the sample app stores data.

This service diagram highlights the components covered in this article: building and deploying a container image.

A screenshot of the services in the Tutorial - Deploy a Python App on Azure Container Apps. Section highlighted is what is covered in this article.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Azure CLI commands can be run in the Azure Cloud Shell or on a workstation with the Azure CLI installed.

If you're running locally, follow these steps to sign in and install the necessary modules for this tutorial.

  1. Sign in to Azure and authenticate, if needed:

    az login
    
  2. Make sure you're running the latest version of the Azure CLI:

    az upgrade
    
  3. Install or upgrade the containerapp and rdbms-connect Azure CLI extensions with the az extension add command.

    az extension add --name containerapp --upgrade
    az extension add --name rdbms-connect --upgrade
    

    Note

    To list the extensions installed on your system, you can use the az extension list command. For example,

    az extension list --query [].name --output tsv
    

Get the sample app

Fork and clone the sample code to your developer environment.

  1. Go to the GitHub repository of the sample app (Django or Flask) and select Fork.

    Follow the steps to fork the directory to your GitHub account. You can also download the code repo directly to your local machine without forking or a GitHub account, however, you won't be able to set up CI/CD discussed later in the tutorial.

  2. Use the git clone command to clone the forked repo into the python-container folder:

    # Django
    git clone https://github.com/$USERNAME/msdocs-python-django-azure-container-apps.git python-container
    
    # Flask
    # git clone https://github.com/$USERNAME/msdocs-python-flask-azure-container-apps.git python-container
    
  3. Change directory.

    cd python-container
    

Build a container image from web app code

After following these steps, you'll have an Azure Container Registry that contains a Docker container image built from the sample code.

  1. Create a resource group with the az group create command.

    az group create \
        --name pythoncontainer-rg \
        --location <location>
    

    <location> is one of the Azure location Name values from the output of the command az account list-locations -o table.

  2. Create a container registry with the az acr create command.

    az acr create \
        --resource-group pythoncontainer-rg \
        --name <registry-name> \
        --sku Basic \
        --admin-enabled
    

    <registry-name> must be unique within Azure, and contain 5-50 alphanumeric characters.

  3. Sign in to the registry using the az acr login command.

    az acr login --name <registry-name>
    

    The command adds "azurecr.io" to the name to create the fully qualified registry name. If successful, you'll see the message "Login Succeeded". If you're accessing the registry from a subscription different from the one in which the registry was created, use the --suffix switch.

    If sign-in fails, make sure the Docker daemon is running on your system.

  4. Build the image with the az acr build command.

    az acr build \
        --registry <registry-name> \
        --resource-group pythoncontainer-rg \
        --image pythoncontainer:latest .
    

    Note that:

    • The dot (".") at the end of the command indicates the location of the source code to build. If you aren't running this command in the sample app root directory, specify the path to the code.

    • If you're running the command in Azure Cloud Shell, use git clone to first pull the repo into the Cloud Shell environment first and change directory into the root of the project so that dot (".") is interpreted correctly.

    • If you leave out the -t (same as --image) option, the command queues a local context build without pushing it to the registry. Building without pushing can be useful to check that the image builds.

  5. Confirm the container image was created with the az acr repository list command.

    az acr repository list --name <registry-name>
    

Note

The steps in this section create a container registry in the Basic service tier. This tier is cost-optimized, with a feature set and throughput targeted for developer scenarios, and is suitable for the requirements of this tutorial. In production scenarios, you would most likely use either the Standard or Premium service tier. These tiers provide enhanced levels of storage and throughput. To learn more, see Azure Container Registry service tiers. For information about pricing, see Azure Container Registry pricing.

Create a PostgreSQL Flexible Server instance

The sample app (Django or Flask) stores restaurant review data in a PostgreSQL database. In these steps, you create the server that will contain the database.

  1. Use the az postgres flexible-server create command to create the PostgreSQL server in Azure. It isn't uncommon for this command to run for a few minutes to complete.

    az postgres flexible-server create \
       --resource-group pythoncontainer-rg \
       --name <postgres-server-name>  \
       --location <location> \
       --admin-user demoadmin \
       --admin-password <admin-password> \
       --active-directory-auth Enabled \
       --tier burstable \
       --sku-name standard_b1ms \
       --public-access 0.0.0.0 
    
    • "pythoncontainer-rg": The resource group name used in this tutorial. If you used a different name, change this value.

    • <postgres-server-name>: The PostgreSQL database server name. This name must be unique across all Azure. The server endpoint is "https://<postgres-server-name>.postgres.database.azure.com". Allowed characters are "A"-"Z", "0"-"9", and "-".

    • <location>: Use the same location used for the web app. <location> is one of the Azure location Name values from the output of the command az account list-locations -o table.

    • <admin-username>: Username for the administrator account. It can't be "azure_superuser", "admin", "administrator", "root", "guest", or "public". Use "demoadmin" for this tutorial.

    • <admin-password>: Password of the administrator user. It must contain 8 to 128 characters from three of the following categories: English uppercase letters, English lowercase letters, numbers, and non-alphanumeric characters.

      Important

      When creating usernames or passwords do not use the "$" character. Later you create environment variables with these values where the "$" character has special meaning within the Linux container used to run Python apps.

    • --active-directory-auth: Specifies whether Microsoft Entra ID authentication is enabled on the PostreSQL server. Set to Enabled.

    • --sku-name: The name of the pricing tier and compute configuration, for example "Standard_B1ms". For more information, see Azure Database for PostgreSQL pricing. To list available SKUs, use az postgres flexible-server list-skus --location <location>.

    • --public-access: Use "0.0.0.0", which allows public access to the server from any Azure service, such as Container Apps.

    Note

    If you plan on working the PostgreSQL server from your local workstation with tools, you'll need to add a firewall rule for your workstation's IP address with the az postgres flexible-server firewall-rule create command.

  2. Use the az ad signed-in-user show command to get the object ID of your user account to use in the next command.

    az ad signed-in-user show --query id --output tsv
    
  3. Use the az postgres flexible-server ad-admin create command to add your user account as a Microsoft Entra administrator on the PostgreSQL server.

    az postgres flexible-server ad-admin create \
       --resource-group pythoncontainer-rg \
       --server-name <postgres-server-name>  \
       --display-name <your-email-address> \
       --object-id <your-account-object-id>
    

    For your account object ID, use the value you got in the previous step.

Note

The steps in this section create a PostgreSQL server with a single vCore and limited memory in the Burstable pricing tier. The Burstable tier is a lower cost option for workloads that don't need the full CPU continuously, and is suitable for the requirements of this tutorial. For production workloads, you might upgrade to either the General Purpose or Memory Optimized pricing tier. These tiers provide higher performance, but increase costs. To learn more, see Compute options in Azure Database for PostgreSQL - Flexible Server. For information about pricing, see Azure Database for PostgreSQL pricing.

Create a database on the server

At this point, you have a PostgreSQL server. In this section, you create a database on the server.

Use the az postgres flexible-server db create command to create a database named restaurants_reviews.

az postgres flexible-server db create \
   --resource-group pythoncontainer-rg \
   --server-name <postgres-server-name> \
   --database-name restaurants_reviews

Where:

  • "pythoncontainer-rg": The resource group name used in this tutorial. If you used a different name, change this value.
  • <postgres-server-name>: The name of the PostgreSQL server.

You could also use the az postgres flexible-server connect command to connect to the database and then work with psql commands. When working with psql, it's often easier to use the Azure Cloud Shell because all the dependencies are included for you in the shell.

You can also connect to Azure PostgreSQL Flexible server and create a database using psql or an IDE that supports PostgreSQL like Azure Data Studio. For steps using psql, see Configure the managed identity on the postgresql database.

Create a user-assigned managed identity

Create a user-assigned managed identity. This managed identity will be used as the identity for the container app when running in Azure.

Note

To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

Use the az identity create command to create a user-assigned managed identity.

az identity create --name my-ua-managed-id --resource-group pythoncontainer-rg

Configure the managed identity on the PostgreSQL database

Configure the managed identity as a role on the PostgreSQL server and then grant it necessary permissions for the restaurants_reviews database. Whether using the Azure CLI or psql, you must connect to the Azure PostgreSQL server with a user that is configured as a Microsoft Entra admin on your server instance. Only Microsoft Entra accounts configured as a PostreSQL admin can configure managed identities and other Microsoft Admin roles on your server.

  1. Get an access token for your Azure account with the az account get-access-token command. You use the access token in the following steps.

    az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken
    

    The returned token is long. Set its value in an environment variable to use in the commands in the following step:

    MY_ACCESS_TOKEN=<your-access-token>
    
  2. Add the user-assigned managed identity as database role on your PostgreSQL server with the az postgres flexible-server execute command.

    az postgres flexible-server execute \
        --name <postgres-server-name> \
        --database-name postgres \
        --querytext "select * from pgaadauth_create_principal('"my-ua-managed-id"', false, false);select * from pgaadauth_list_principals(false);" \
        --admin-user <your-Azure-account-email> \
        --admin-password $MY_ACCESS_TOKEN
    
    • If you used a different name for your managed identity, replace my-ua-managed-id in the pgaadauth_create_principal command with the name of your managed identity.

    • For the --admin-user value, use your Azure account email address.

    • For the --admin-password value, use the access token output by the previous command, unquoted.

    • Make sure the database name is postgres.

    Note

    If you're running the az postgres flexible-server execute command on your local workstation, make sure you've added a firewall rule for your workstation's IP address. You can add a rule with the az postgres flexible-server firewall-rule create command. The same requirement also exists for the command in the next step.

  3. Grant the user-assigned managed identity necessary permissions on the restaurants_reviews database with the following az postgres flexible-server execute command.

    az postgres flexible-server execute \
        --name <postgres-server-name> \
        --database-name restaurants_reviews \
        --querytext "GRANT CONNECT ON DATABASE restaurants_reviews TO \"my-ua-managed-id\";GRANT USAGE ON SCHEMA public TO \"my-ua-managed-id\";GRANT CREATE ON SCHEMA public TO \"my-ua-managed-id\";GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"my-ua-managed-id\";ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO \"my-ua-managed-id\";" \
        --admin-user <your-Azure-account-email> \
        --admin-password $MY_ACCESS_TOKEN
    
    • If you used a different name for your managed identity, replace all instances of my-ua-managed-id in the command with the name of your managed identity. There are five instances in the query string.

    • For the --admin-user value, use your Azure account email address.

    • For the --admin-password value, use the access token output previously, unquoted.

    • Make sure the database name is restaurants_reviews.

    The Azure CLI command above connects to the restaurants_reviews database on the server and issues the following SQL commands:

    GRANT CONNECT ON DATABASE restaurants_reviews TO "my-ua-managed-id";
    GRANT USAGE ON SCHEMA public TO "my-ua-managed-id";
    GRANT CREATE ON SCHEMA public TO "my-ua-managed-id";
    GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "my-ua-managed-id";
    ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "my-ua-managed-id";
    

Deploy the web app to Container Apps

Container apps are deployed to Container Apps environments, which act as a secure boundary. In the following steps, you create the environment, a container inside the environment, and configure the container so that the website is visible externally.

These steps require the Azure Container Apps extension, containerapp.

  1. Create a Container Apps environment with the az containerapp env create command.

    az containerapp env create \
    --name python-container-env \
    --resource-group pythoncontainer-rg \
    --location <location>
    

    <location> is one of the Azure location Name values from the output of the command az account list-locations -o table.

  2. Get the sign-in credentials for the Azure Container Registry with the az acr credential show command.

    az acr credential show -n <registry-name>
    

    You use the username and one of the passwords returned from the output of the command when you create the container app in step 5.

  3. Use the az identity show command to get the client ID and resource ID of the user-assigned managed identity.

    az identity show --name my-ua-managed-id --resource-group pythoncontainer-rg --query "[clientId, id]" --output tsv
    

    You use the value of the client ID (GUID) and the resource ID output by the command when you create the container app in step 5. The resource ID has the following form: /subscriptions/<subscription-id>/resourcegroups/pythoncontainer-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-ua-managed-id

  4. Run the following command to generate a secret key value.

    python -c 'import secrets; print(secrets.token_hex())'
    

    You use the secret key value to set an environment variable when you create the container app in step 5.

    Note

    The command shown is for a bash shell. Depending on your environment, you might need to invoke python using python3. On Windows, you need to enclose the command in the -c parameter in double quotes, rather than single quotes. You also might need to invoke python using py or py -3 depending on your environment.

  5. Create a container app in the environment with the az containerapp create command.

    az containerapp create \
    --name python-container-app \
    --resource-group pythoncontainer-rg \
    --image <registry-name>.azurecr.io/pythoncontainer:latest \
    --environment python-container-env \
    --ingress external \
    --target-port <5000 for Flask or 8000 for Django> \
    --registry-server <registry-name>.azurecr.io \
    --registry-username <registry-username> \
    --registry-password <registry-password> \
    --user-assigned <managed-identity-resource-id> \
    --query properties.configuration.ingress.fqdn \
    --env-vars DBHOST="<postgres-server-name>" \
    DBNAME="restaurants_reviews" \
    DBUSER="my-ua-managed-id" \
    RUNNING_IN_PRODUCTION="1" \
    AZURE_CLIENT_ID="<managed-identity-client-id>" \
    AZURE_SECRET_KEY="<your-secret-key>"
    

    Make sure you replace all of the values in angle brackets with values you're using in this tutorial. Be aware that the name of your container app must be unique across Azure.

    The value of the --env-vars parameter is a string composed of space-separated values in the key="value" format with the following values:

    • DBHOST="<postgres-server-name>"
    • DBNAME="restaurants_reviews"
    • DBUSER="my-ua-managed-id"
    • RUNNING_IN_PRODUCTION="1"
    • AZURE_CLIENT_ID="<managed-identity-client-id>"
    • AZURE_SECRET_KEY="<your-secret-key>"

    The value for DBUSER is the name of your user-assigned managed identity.

    The value for AZURE_CLIENT_ID is the client ID of your user-assigned managed identity. You got this value in a previous step.

    The value for AZURE_SECRET_KEY is the secret key value you generated in a previous step.

  6. For Django only, migrate and create database schema. (In the Flask sample app, it's done automatically, and you can skip this step.)

    Connect with the az containerapp exec command:

        az containerapp exec \
            --name python-container-app \
            --resource-group pythoncontainer-rg
    

    Then, at the shell command prompt type python manage.py migrate.

    You don't need to migrate for revisions of the container.

  7. Test the website.

    The az containerapp create command you entered previously outputs an application URL you can use to browse to the app. The URL ends in "azurecontainerapps.io". Navigate to the URL in a browser. Alternatively, you can use the az containerapp browse command.

Here's an example of the sample website after adding a restaurant and two reviews.

Screenshot showing an example of the sample website built in this tutorial.

Troubleshoot deployment

  • You forgot the Application Url to access the website.

    • In the Azure portal, go to the Overview page of the Container App and look for the Application Url.
    • In VS Code, go to the Azure view (Ctrl+Shift+A) and expand the subscription that you're working in. Expand the Container Apps node, then expand the managed environment and right-click python-container-app and select Browse. It opens the browser with the Application Url.
    • With Azure CLI, use the command az containerapp show -g pythoncontainer-rg -n python-container-app --query properties.configuration.ingress.fqdn.
  • In VS Code, the Build Image in Azure task returns an error.

    • If you see the message "Error: failed to download context. Please check if the URL is incorrect." in the VS Code Output window, then refresh the registry in the Docker extension. To refresh, select the Docker extension, go to the Registries section, find the registry, and select it.
    • If you run the Build Image in Azure task again, check to see if your registry from a previous run exists and if so, use it.
  • In the Azure portal during the creation of a Container App, you see an access error that contains "Cannot access ACR '<name>.azurecr.io'".

    • This error occurs when admin credentials on the ACR are disabled. To check admin status in the portal, go to your Azure Container Registry, select the Access keys resource, and ensure that Admin user is enabled.
  • Your container image doesn't appear in the Azure Container Registry.

    • Check the output of the Azure CLI command or VS Code Output and look for messages to confirm success.
    • Check that the name of the registry was specified correctly in your build command with the Azure CLI or in the VS Code task prompts.
    • Make sure your credentials aren't expired. For example, in VS Code, find the target registry in the Docker extension and refresh. In Azure CLI, run az login.
  • Website returns "Bad Request (400)".

    • Check the PostgreSQL environment variables passed in to the container. The 400 error often indicates that the Python code can't connect to the PostgreSQL instance.
    • The sample code used in this tutorial checks for the existence of the container environment variable RUNNING_IN_PRODUCTION, which can be set to any value like "1".
  • Website returns "Not Found (404)".

    • Check the Application Url on the Overview page for the container. If the Application Url contains the word "internal", then ingress isn't set correctly.
    • Check the ingress of the container. For example, in Azure portal, go to the Ingress resource of the container and make sure HTTP Ingress is enabled and Accepting traffic from anywhere is selected.
  • Website doesn't start, you see "stream timeout", or nothing is returned.

    • Check the logs.
      • In the Azure portal, go to the Container App's Revision management resource and check the Provision Status of the container.
        • If "Provisioning", then wait until provisioning has completed.
        • If "Failed", then select the revision and view the console logs. Choose the order of the columns to show "Time Generated", "Stream_s", and "Log_s". Sort the logs by most-recent first and look for Python stderr and stdout messages in the "Stream_s" column. Python 'print' output will be stdout messages.
      • With the Azure CLI, use the az containerapp logs show command.
    • If using the Django framework, check to see if the restaurants_reviews tables exist in the database. If not, use a console to access the container and run python manage.py migrate.

Next step