DEV_NET_CORE
GET_STARTED
AzureAzure compute choices and hosting models

Trade-offs among simplicity, portability, autoscaling, and operational control

Overview

Azure compute selection is a trade-off among simplicity, portability, autoscaling, and operational control. No hosting model maximizes all four. A highly managed platform reduces infrastructure work by imposing conventions and hiding lower-level controls. A lower-level platform exposes more control and potentially more portability, but the team must operate more of the runtime, networking, security, scaling, and upgrade system.

The major general-purpose choices include:

  • Azure App Service.
  • Azure Functions.
  • Azure Container Apps.
  • Azure Kubernetes Service.
  • Azure Container Instances.
  • Azure Virtual Machines and Virtual Machine Scale Sets.

These services overlap, but they optimize for different application shapes and team capabilities:

  • App Service is optimized for managed web applications and APIs.
  • Functions is optimized for event-driven functions and the Functions programming model.
  • Container Apps is optimized for managed serverless containers, microservices, APIs, workers, and jobs.
  • AKS is optimized for Kubernetes workloads requiring direct Kubernetes control.
  • Container Instances is a lower-level way to run an isolated container group without a full application platform.
  • Virtual machines provide operating-system and machine-level control.

The right choice starts with workload requirements, not a preferred technology. Important questions include:

  • Is the application primarily an HTTP web application?
  • Does the workload fit an event-triggered function model?
  • Is a container required?
  • Does the team need direct Kubernetes APIs?
  • Can the workload be stateless?
  • What latency is acceptable after idle periods?
  • Which event or traffic signal should drive scale?
  • What networking and security controls are mandatory?
  • Does the team need Windows, special drivers, or privileged host access?
  • How steady or bursty is demand?
  • What operational skills and support model exist?
  • Which dependencies create more lock-in than the compute service?

For interviews, a strong answer should not simply rank services from "easy" to "advanced." It should identify the required capabilities, explain the cost of each abstraction, distinguish image portability from whole-system portability, and show how scaling and operational responsibility change across services.

Core Concepts

Start with Workload Characteristics

Describe the workload before selecting a service:

  • Request-driven, event-driven, scheduled, or continuously running.
  • Stateless or stateful.
  • Short-lived or long-running.
  • Single web application or many independently deployed services.
  • Steady, predictable, bursty, or mostly idle demand.
  • Latency, throughput, availability, and recovery objectives.
  • CPU, memory, GPU, storage, and operating-system requirements.
  • Public, private, hybrid, and outbound networking requirements.
  • Security, compliance, and isolation constraints.
  • Deployment frequency and team ownership.

A complete solution can use several compute services. For example, App Service can host a customer web application, Functions can process occasional events, and Container Apps can host a containerized worker that needs custom native dependencies.

Simplicity Is Total Operational Simplicity

Simplicity is not just the number of commands required for the first deployment. Evaluate the entire lifecycle:

  • Local development.
  • Build and artifact production.
  • Deployment and rollback.
  • Identity and secret rotation.
  • Networking and DNS.
  • Scaling and capacity.
  • Patching and upgrades.
  • Observability and incident response.
  • Backup and disaster recovery.
  • Cost allocation.
  • Decommissioning.

A platform can be easy to deploy but difficult to operate if the team lacks observability, ownership, or compatible application design.

The Abstraction Ladder

A useful simplified spectrum is:

Code
More platform management and conventions

Azure Functions
App Service
Azure Container Apps
AKS Automatic
AKS Standard
Virtual Machines

More infrastructure control and operational responsibility

This is not an absolute ranking for every feature. For example, App Service and Container Apps offer different abstractions rather than one being universally higher-level. AKS Automatic manages more common cluster operations than AKS Standard while still exposing Kubernetes APIs.

Platform Responsibility Versus Team Responsibility

ServicePlatform managesTeam primarily manages
FunctionsHost infrastructure, trigger integration, plan scalingFunctions, bindings, configuration, concurrency, dependencies
App ServiceWeb host, OS patching, load balancing, plan infrastructureApp, plan sizing, deployment, configuration, app scaling
Container AppsOrchestration, ingress, revisions, replica placement, KEDA integrationImages, rules, resource limits, app behavior, dependencies
AKSManaged control plane and selected managed featuresKubernetes resources, workload platform, nodes and policies depending on mode
Container InstancesContainer-group infrastructureOrchestration, scaling, routing, lifecycle coordination
Virtual MachinesPhysical infrastructure and Azure fabricOS, runtime, patching, processes, scaling design, most host configuration

Choose the lowest level only when the extra control has concrete value.

Portability Is a Spectrum

Portability can refer to several different things:

  • Source portability: Can the code run elsewhere?
  • Artifact portability: Can the same container image run elsewhere?
  • Configuration portability: Can deployment configuration move?
  • Data portability: Can data be exported and migrated safely?
  • Operational portability: Can alerts, dashboards, runbooks, and support practices move?
  • Skills portability: Are the required skills available across environments?

A portable image does not make the system portable if it depends on Azure identities, Key Vault references, Service Bus, private DNS, Azure Monitor queries, Front Door, and provider-specific deployment APIs.

Containers Improve Artifact Portability

Container images package the operating user space, application runtime, and dependencies. This reduces differences between development, testing, and production and can ease movement among Container Apps, AKS, other Kubernetes platforms, or container runtimes.

Containers do not package:

  • Managed identities and role assignments.
  • Network topology and private endpoints.
  • Certificates and DNS.
  • External databases and brokers.
  • Autoscaling rules.
  • Managed ingress behavior.
  • Regional availability and quotas.
  • Monitoring and alerting.

Treat container portability as useful risk reduction, not proof of zero migration cost.

Programming-Model Lock-In

Azure Functions uses triggers, bindings, host conventions, and plan-specific behavior. These can significantly reduce code and operations for event-driven workloads, but they create a stronger platform programming-model dependency than a plain HTTP or worker container.

Dapr can provide a portable API layer for pub/sub, state, secrets, or service invocation, but it introduces a Dapr dependency. Kubernetes manifests are portable across Kubernetes distributions in principle, but cloud load balancers, storage classes, identities, policy engines, and managed add-ons often remain provider-specific.

The correct question is not "Is there lock-in?" The useful questions are:

  • What is locked in?
  • How likely is migration?
  • What business event would trigger migration?
  • What value does the managed capability provide now?
  • What would replacement cost?

Autoscaling Is a Control System

Autoscaling requires:

  • A demand signal.
  • A threshold or target.
  • A unit of scale.
  • Minimum and maximum capacity.
  • Detection and startup time.
  • Scale-in behavior.
  • Protection for downstream systems.

Different platforms scale different units:

  • Functions scales host instances according to plan and trigger behavior.
  • App Service scales worker instances in the App Service plan.
  • Container Apps scales replicas and, for Dedicated profiles, the underlying profile capacity.
  • AKS can scale pods and cluster nodes separately.
  • VM Scale Sets scale virtual machines.

Understanding the unit of scale prevents incorrect capacity and cost assumptions.

Scaling Signal Must Match Work

Choose a signal that represents demand:

  • HTTP concurrency for request-driven APIs.
  • Queue depth and oldest-message age for consumers.
  • Event Hub lag for stream processors.
  • CPU for CPU-bound work with always-running replicas.
  • Memory for memory pressure, with caution.
  • Schedule or manual execution for finite jobs.

CPU is often a poor signal for I/O-bound services. A queue worker can have low CPU while backlog grows. CPU and memory also cannot activate a zero-replica workload without an external signal.

Scale to Zero

Scale to zero reduces idle compute cost but introduces startup latency and a dependency on correct trigger detection. It fits:

  • Sporadic development or internal workloads.
  • Event processors tolerant of startup delay.
  • Batch jobs.
  • APIs without strict first-request latency.

Keep warm capacity for:

  • Latency-sensitive APIs.
  • Workloads with large images or expensive initialization.
  • Consumers with strict backlog objectives.
  • Services whose first activation depends on slow private resources.

Cost optimization must respect the service-level objective.

Autoscaling Does Not Create Dependency Capacity

The application may scale faster than:

  • A relational database.
  • A partner API.
  • A legacy system.
  • A broker partition count.
  • A subnet or SNAT design.
  • A licensed downstream product.

Set maximum scale and concurrency from end-to-end capacity testing. Add queues, admission control, circuit breakers, rate limits, and backpressure where appropriate.

Operational Control

Operational control includes:

  • Operating-system and kernel settings.
  • Runtime and process model.
  • Container privileges.
  • Node pools and machine types.
  • Scheduler and placement policy.
  • Network plugins and ingress controllers.
  • Storage drivers.
  • Admission policy.
  • Service mesh.
  • Upgrade timing.
  • Daemon-level agents.
  • Custom controllers and operators.

Container Apps deliberately hides most cluster controls. AKS exposes Kubernetes controls. Virtual machines expose the operating system. Extra control is justified only when a requirement depends on it and the team can operate it safely.

Control Has a Carrying Cost

Every controlled layer requires:

  • Configuration standards.
  • Security hardening.
  • Patching and upgrades.
  • Monitoring.
  • Capacity planning.
  • Incident knowledge.
  • On-call ownership.
  • Testing of platform changes.

Control that is never exercised still creates maintenance responsibility. Prefer managed defaults when they satisfy the workload.

Azure App Service

App Service is often the simplest choice for conventional web applications and APIs. It provides:

  • Managed web hosting.
  • Code or container deployment.
  • Deployment slots.
  • Built-in TLS, domains, authentication, and diagnostics.
  • App Service plan scale-up and scale-out.
  • VNet integration.

Choose it when the application is primarily a web app and does not require event-driven replica scaling, arbitrary sidecars, job executions, or Kubernetes-style microservice capabilities.

Trade-offs:

  • Strong web-hosting simplicity.
  • Less artifact portability for code deployments; more for container deployments.
  • Scaling is based on App Service plan workers rather than independently scaled Container Apps replicas.
  • Less orchestration control than AKS.

Azure Functions

Functions is often the simplest option for event-driven units of code. Triggers and bindings reduce integration plumbing, and serverless plans can scale automatically.

Choose it when:

  • The trigger and binding model matches the workload.
  • Functions lifecycle and timeout behavior are acceptable.
  • The team values minimal host management.
  • Individual functions or durable orchestrations are the right programming model.

Trade-offs:

  • Very low infrastructure overhead.
  • Stronger programming-model dependency.
  • Scale, concurrency, cold starts, networking, and plan features vary by hosting option.
  • Arbitrary server behavior and process control are not the primary model.

Azure Container Apps

Container Apps is a middle ground for general-purpose containers. It offers:

  • Managed ingress and service discovery.
  • Revisions and traffic splitting.
  • KEDA-based scaling.
  • Apps and jobs.
  • Workload profiles.
  • Optional Dapr.
  • No direct Kubernetes API.

Choose it when the team wants container flexibility and independent service scaling without cluster operations.

Trade-offs:

  • More portable application artifacts than code-only PaaS.
  • More application configuration than App Service or Functions.
  • Less infrastructure control than AKS.
  • Platform-specific environment, revision, ingress, identity, and scaling configuration remains.

Azure Kubernetes Service

AKS is appropriate when Kubernetes itself is a requirement or platform:

  • Direct Kubernetes API access.
  • Custom resource definitions and operators.
  • Custom admission policy.
  • Specialized scheduling.
  • Advanced service mesh or networking.
  • Daemon sets and node-level agents.
  • Shared Kubernetes platform across many teams.

AKS Automatic reduces common operational work, while AKS Standard provides greater configuration responsibility and control.

Trade-offs:

  • Broad workload and ecosystem flexibility.
  • Kubernetes configuration can be portable across clusters.
  • Cloud integrations and operations remain provider-specific.
  • Requires platform engineering, upgrades, security, policy, capacity, and incident ownership.

Azure Container Instances

Container Instances runs an isolated container group without a full orchestration platform. It can fit:

  • One-off container execution.
  • A simple burst task.
  • A building block used by another orchestrator.
  • Workloads that do not need managed revisions, autoscaling, load balancing, or certificates.

It is not a direct substitute for Container Apps when application lifecycle and automatic scale are required.

Virtual Machines

Virtual machines are appropriate when the workload requires:

  • Full operating-system access.
  • Unsupported or legacy software.
  • Custom kernel or driver behavior.
  • Windows capabilities unavailable in the selected PaaS.
  • Specialized agents.
  • A lift-and-shift migration with limited application change.

Trade-offs:

  • Maximum machine-level control.
  • Familiar portability for traditional workloads.
  • Highest responsibility for patching, hardening, runtime installation, process supervision, scaling, and recovery.

Comparison Matrix

CriterionApp ServiceFunctionsContainer AppsAKSVirtual Machines
Primary abstractionWeb app/APIFunctionContainer app/jobKubernetes workloadMachine
Initial simplicityHighVery high for fitting eventsHigh for containersMedium to lowLow
Direct Kubernetes APINoNoNoYesOnly if self-installed
Scale to zeroNot the normal dedicated-plan modelPlan-dependentSupported for compatible profiles and rulesPossible with design constraintsRequires custom orchestration
Artifact portabilityMedium with containersLow to mediumHigh for image, lower for platform configHigh for image and many manifestsMachine/image dependent
Operational controlLowLowMedium-lowHighVery high
Operational overheadLowVery low to lowLowMedium to highHigh
Best fitManaged web hostingEvent-driven codeManaged cloud-native containersKubernetes platform needsOS-level requirements

This table is a starting point. Networking, regions, quotas, pricing, compliance, and exact plan features must be verified for the actual design.

Cost Model Matters

Different services charge for different units:

  • App Service plans charge for allocated worker capacity.
  • Functions cost depends on hosting plan, executions, resource use, and warm capacity.
  • Container Apps Consumption charges for active and idle resource use according to current pricing; Dedicated charges for profile instances plus applicable management costs.
  • AKS cost includes cluster tier, nodes, disks, load balancers, observability, and platform operations.
  • Virtual machines charge for allocated machines and associated resources.

Compare total cost at realistic load:

  • Baseline and peak compute.
  • Idle time.
  • Startup requirements.
  • Log ingestion.
  • Network egress and gateways.
  • Registry and image scanning.
  • Platform engineering and on-call labor.
  • Required redundancy and disaster recovery.

The cheapest compute line item can produce the most expensive operating model.

Networking and Security Can Decide the Platform

Confirm:

  • Public, internal, and private ingress.
  • VNet integration.
  • Private endpoints.
  • Fixed outbound IP requirements.
  • Hybrid connectivity.
  • Firewall and user-defined routing.
  • Mutual TLS.
  • Web application firewall.
  • Network policy and pod-level controls.
  • Compliance isolation.

If a required network feature is unavailable or requires an unsuitable architecture, compute simplicity elsewhere does not compensate.

Availability and Multiregion Design

The listed application platforms are regional. Multiregion availability generally requires:

  • A deployment in each region.
  • Replicated or partitioned data.
  • A global routing service.
  • Health-based failover.
  • Tested recovery and consistency behavior.

Autoscaling within one region is not disaster recovery. Service selection should account for how environments, clusters, plans, or virtual machines will be reproduced and operated across regions.

Team Capability Is a Requirement

Consider:

  • Who patches and upgrades the platform?
  • Who owns networking and policy?
  • Who diagnoses scaling and scheduling incidents?
  • Who supports the system outside business hours?
  • Can product teams safely deploy without a specialist?
  • Is a platform team funded for AKS or VM operations?

A theoretically flexible platform can reduce delivery speed and reliability when the organization cannot operate it.

Avoid Architecture by Resume

Do not choose AKS because it is considered more advanced, Functions because it is called serverless, or containers because they appear modern. Choose the simplest service that:

  • Meets current mandatory requirements.
  • Has a credible path for likely growth.
  • Fits team skills and support.
  • Provides acceptable cost and reliability.
  • Avoids unnecessary irreversible commitments.

Hybrid Compute Is Often Correct

Different components can use different services:

Code
Azure Front Door
  |
App Service web application
  |
Service Bus
  |--------------------------|
Azure Functions              Container Apps worker
simple notification          native-library processing

Standardize identity, telemetry, deployment, naming, and ownership across services so a mixed architecture does not become operationally fragmented.

Reversibility and Exit Strategy

For significant decisions:

  • Keep business logic separate from host-specific adapters.
  • Define infrastructure as code.
  • Use open protocols and explicit contracts.
  • Keep data export and migration tested.
  • Avoid provider-specific abstractions where they add little value.
  • Use managed capabilities freely where their value exceeds migration risk.
  • Record the decision and migration triggers in an ADR.

Do not pay a permanent complexity tax for a hypothetical migration with no business driver.

A Practical Decision Process

  1. Define required capabilities and service-level objectives.
  2. Eliminate services that cannot meet mandatory runtime, network, security, or compliance needs.
  3. Identify the simplest remaining candidate.
  4. Model scaling and downstream capacity.
  5. Estimate total cost at baseline and peak load.
  6. Evaluate team operations and on-call responsibilities.
  7. Prototype the highest-risk assumption.
  8. Record the decision, trade-offs, and review triggers.
  9. Load test and rehearse failure before production.

Common Mistakes

  • Choosing a platform before describing the workload.
  • Treating container images as whole-system portability.
  • Assuming serverless means no operations.
  • Selecting AKS without a Kubernetes-specific requirement.
  • Using Functions for a process that fights the function lifecycle.
  • Using VMs for a web app that fits managed hosting.
  • Setting autoscaling without downstream limits.
  • Optimizing scale to zero while violating latency objectives.
  • Comparing only compute price.
  • Ignoring networking until deployment.
  • Assuming one compute service must host every component.
  • Building abstractions for a migration that has no plausible trigger.
  • Underestimating the staffing needed for platform control.

Practical Best Practices

  • Start from workload and team requirements.
  • Prefer the highest useful managed abstraction.
  • Treat portability as several separate concerns.
  • Match scaling signals to demand.
  • Bound scale by dependency capacity.
  • Include cold starts and scale lag in latency design.
  • Count platform engineering and incident response in cost.
  • Verify regional features, quotas, limits, and SLA requirements.
  • Use mixed compute models when component needs differ.
  • Keep hosting-specific code at clear boundaries.
  • Test the hardest assumption before committing.
  • Revisit the decision when requirements or evidence change.

Interview Practice

Beginner4 questions

Beginner Interview Practice

Practice the beginner questions for this topic.

Intermediate4 questions

Intermediate Interview Practice

Practice the intermediate questions for this topic.

Advanced4 questions

Advanced Interview Practice

Practice the advanced questions for this topic.

PreviousAzure Functions Hosting Options and Current Scale GuidanceNext UpBindings, connection configuration, dependency injection, logging, and local development