Azure Container Apps (ACA) is a serverless platform for running scalable containerized applications that abstracts away the underlying infrastructure. Because users never get access to the underlying operating system, ACA has inherent security benefits, but it also challenges security and compliance tools that were not purpose-built for such an environment. Aqua is a certified security solution for ACA – read on to see how we do it.
What is Azure Container Apps (ACA) and what is it used for?
ACA is a service for launching and running container-based applications on Azure with no need for the user to manage the underlying virtual machines. It is an efficient way of running containers, combining the on-demand consumption model of serverless with standard container image-based workloads. Like Azure Container Instances (ACI), it runs on infrastructure that Azure operates and never exposes to the user (under the hood ACA is built on Kubernetes, KEDA, Dapr and Envoy), but unlike ACI it adds application-level constructs such as revisions, ingress with traffic splitting, and event-driven scale rules including scale to zero, so a containerized application can be managed as a single entity with a high degree of automation.
Customer adoption of ACA is growing rapidly thanks to those benefits. ACA also does not require Kubernetes expertise and is easy to use, allowing teams without deep cloud native skills to accelerate application delivery, which makes it well suited to modern containerized applications (microservices, APIs, event-driven workers and jobs) shared across multiple teams.
The Security Benefits and Risks of Azure ACA
Like other abstracted serverless container-as-a-service environments, ACA has an inherently smaller attack surface: the underlying OS and host are decoupled from the workload and inaccessible to the user and to attackers alike. An attacker who compromises an ACA workload has no privileged mode or host mount to abuse, so taking over the underlying host and persisting there is far harder than on a self-managed VM or cluster, and container filesystems are ephemeral, so anything written inside a container is gone once the replica is restarted or scaled. Note, however, that the container itself remains a normal execution environment: if outbound egress is permitted, a compromised workload can still open a reverse shell or download tooling, which is why runtime controls inside the container still matter.
However, other risks apply to ACA workloads much as they apply to other public cloud workloads:
- The containers running on ACA may carry known and unknown vulnerabilities, potentially exposing the application they are part of, and the data it accesses, to unauthorized parties.
- If exposed to the internet through ingress, ACA containers can serve as an initial foothold that is then leveraged for lateral movement toward other services reachable from the container app's network, credential theft (secrets injected as environment variables and the managed identity token endpoint are both reachable from inside the container), or other malicious outcomes.
- Unless protected against such occurrences, containers might be susceptible to code injection and to drift during runtime, that is, executables appearing or changing inside a running container that were not part of the image as built.
- ACA containers are built from standard OCI-compliant images and are exposed to supply chain attacks that either infect existing images with malware or substitute malicious images that are then unwittingly deployed into ACA.
While using ACA reduces the risk of your Azure cloud infrastructure being breached, at the application and workload layers its risk profile is not very different from that of other container-based architectures, something customers should keep in mind under the shared responsibility model for cloud: Microsoft secures the platform and hosts, while the customer remains responsible for the images, code, configuration and identities of the workloads.
How Aqua protects workloads on Azure Container Apps
As we do across all platforms, with ACA we take a full-lifecycle approach to security – starting with securing the supply chain and build pipeline, and continuing with real-time runtime protection that is purpose-built for this environment.
Supply Chain Security
Aqua strengthens supply chain security by scanning container images for tampering and identifying potential supply chain attacks. It ensures that only verified and secure container images are deployed, safeguarding ACA environments from threats introduced during the build or deployment phases.
Comprehensive Image Scanning
Aqua scans container images in Azure Container Registry (ACR) and across CI/CD pipelines to identify vulnerabilities, misconfigurations, malware, and embedded secrets. This enables developers to fix issues early, before they are pushed down the pipeline.
Image Assurance Policies
Aqua enforces Assurance Policies to ensure that only compliant container images are deployed onto ACA. These policies evaluate images against a set of customizable controls, such as blocking images with critical vulnerabilities, enforcing the use of approved base images, and detecting embedded sensitive data. By blocking non-compliant images at deployment time and flagging any that are already running, Aqua minimizes risk and ensures that ACA workloads adhere to your organization's security and compliance standards.
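To make the controls above concrete, here is an illustrative policy evaluator added for this article; it is not Aqua's code and does not mirror Aqua's policy format. It models three controls (maximum allowed severity, approved base image repositories, no embedded secrets) plus two knobs a practitioner usually wants, a list of risk-accepted CVEs and a fixable-only switch, and runs against a constructed scan report whose registry names and CVE-0000-* identifiers are placeholders, not real images or CVEs.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class AssurancePolicy:
    """Controls of the kind described above. Field names are this example's own."""
    max_severity: str = "HIGH"                    # findings above this severity block
    fixable_only: bool = True                     # ignore findings with no fix available
    approved_base_repos: frozenset = frozenset()  # empty means "any base allowed"
    block_on_secrets: bool = True
    accepted_cves: frozenset = frozenset()        # risk-accepted ids (track them in a ticket)


def repository(ref: str) -> str:
    """Strip tag or digest from an image reference, keeping any registry port:
    'reg.example.com:5000/base/python:3.12' -> 'reg.example.com:5000/base/python'."""
    head, sep, last = ref.rpartition("/")
    last = last.split("@", 1)[0].split(":", 1)[0]
    return head + sep + last


def evaluate_image(report: dict, policy: AssurancePolicy) -> tuple[bool, list[str]]:
    """Return (compliant, reasons). Every violated control contributes a reason
    so a failing build tells the developer everything to fix in one pass."""
    reasons: list[str] = []
    limit = SEVERITY_RANK[policy.max_severity.upper()]

    for vuln in report.get("vulnerabilities", []):
        if vuln["id"] in policy.accepted_cves:
            continue
        if policy.fixable_only and not vuln.get("fixed_version"):
            continue
        # Unknown severities rank as CRITICAL so the policy fails closed.
        if SEVERITY_RANK.get(vuln["severity"].upper(), 4) > limit:
            reasons.append(
                f"{vuln['id']} ({vuln['severity']}) in {vuln['package']}, "
                f"fixed in {vuln.get('fixed_version') or 'n/a'}"
            )

    base = report.get("base_image", "")
    if policy.approved_base_repos and repository(base) not in policy.approved_base_repos:
        reasons.append(f"base image {base!r} is not an approved base image")

    if policy.block_on_secrets:
        for secret in report.get("secrets", []):
            reasons.append(f"embedded secret ({secret['type']}) at {secret['path']}")

    return (not reasons, reasons)


# Constructed scan report for a hypothetical image. Registry names and
# CVE-0000-* identifiers are placeholders, not real images or CVEs.
SAMPLE_REPORT = {
    "image": "acrexample.azurecr.io/shop/api:1.4.2",
    "base_image": "acrexample.azurecr.io/base/python:3.12-slim",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "package": "libssl3",
         "fixed_version": "3.0.15-1"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "package": "curl",
         "fixed_version": "8.9.1-1"},
        {"id": "CVE-0000-0003", "severity": "CRITICAL", "package": "zlib1g",
         "fixed_version": None},   # no fix yet; ignored while fixable_only=True
    ],
    "secrets": [{"type": "cloud-access-key", "path": "/app/.env"}],
}

SAMPLE_POLICY = AssurancePolicy(
    max_severity="HIGH",
    approved_base_repos=frozenset({"acrexample.azurecr.io/base/python"}),
)

if __name__ == "__main__":
    compliant, reasons = evaluate_image(SAMPLE_REPORT, SAMPLE_POLICY)
    print("compliant:", compliant)
    for reason in reasons:
        print(" -", reason)
```

Run against the sample report, the policy fails the image for two reasons: the fixable CRITICAL finding and the secret in `/app/.env`. The HIGH finding in curl is allowed because `max_severity` is HIGH, and the unfixed CRITICAL is deferred by `fixable_only`; flipping either knob surfaces them. In a pipeline the natural wiring is to exit non-zero whenever `compliant` is false and print the reasons, so the same gate that blocks a deploy also tells the developer what to fix.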
Agentless Discovery and Scanning
Users can automatically onboard Azure accounts and have Aqua discover all running services and assets, scanning them agentlessly for vulnerabilities and other issues (by default this is repeated every 24 hours). This provides broad visibility into all workloads including ACA, and is further augmented by the Aqua Micro Enforcer (see the next section).
Runtime Protection with Aqua Micro Enforcer
Aqua deploys the Micro Enforcer, a lightweight agent purpose-built for serverless container services such as ACA, which provides non-invasive runtime security from inside the container itself, since there is no host for an agent to run on.
- Deployment options: the Micro Enforcer can be deployed as a sidecar container alongside the application container in the ACA container app, or embedded into the application image in the CI/CD pipeline. Both methods offer the same level of protection; the choice comes down to preference and to whether it is easier to automate in the pipeline (embedding) or in the ACA deployment definition (sidecar). Whichever option is chosen, any credentials the agent needs to report back should be injected as ACA secrets rather than baked into the image.
- Runtime controls: Aqua Micro Enforcer detects and prevents multiple threats and behaviors, such as cryptocurrency mining, reverse shell execution, fileless execution, and container drift.
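As an added illustration of what "container drift" means at runtime, below is a minimal drift check written for this article. It is not Aqua's Micro Enforcer and says nothing about how that agent is implemented; it only shows the underlying idea: record a hash of every file in the image at build time, then allow an exec only if the target is present in that baseline with an unchanged hash. The image filesystem, the dropped miner and the patched shell are all constructed in a temporary directory so the example runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(rootfs: Path) -> dict[str, str]:
    """Hash every regular file in the image filesystem, keyed by image-relative
    POSIX path. In practice this would be taken from the built image layers."""
    baseline: dict[str, str] = {}
    for path in rootfs.rglob("*"):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(rootfs).as_posix()] = sha256_file(path)
    return baseline


def check_exec(rootfs: Path, baseline: dict[str, str], rel_path: str) -> tuple[bool, str]:
    """Decide whether executing rel_path should be allowed.

    The two drift cases are reported separately because they call for different
    responses: a file that was never in the image is typically a dropped payload
    (miner, webshell); a changed file is typically a trojaned binary or a
    runtime patch."""
    if rel_path not in baseline:
        return False, "drift: executable was not part of the image"
    target = rootfs / rel_path
    if not target.is_file():
        return False, "drift: executable removed since build"
    if sha256_file(target) != baseline[rel_path]:
        return False, "drift: executable modified since build"
    return True, "ok: matches image"


def simulate_runtime() -> dict[str, tuple[bool, str]]:
    """Build a tiny constructed image rootfs, take the baseline, simulate what
    an intruder might do after exploiting the app, and check three execs."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = Path(tmp)
        (rootfs / "usr/bin").mkdir(parents=True)
        (rootfs / "usr/bin/app").write_bytes(b"#!/bin/sh\nexec python3 /app/main.py\n")
        (rootfs / "usr/bin/sh").write_bytes(b"\x7fELF constructed shell binary\n")
        baseline = build_baseline(rootfs)

        # Post-exploitation activity: drop a miner and patch the shell in place.
        (rootfs / "tmp").mkdir()
        (rootfs / "tmp/miner").write_bytes(b"\x7fELF constructed miner binary\n")
        (rootfs / "usr/bin/sh").write_bytes(b"\x7fELF patched shell binary\n")

        return {
            rel: check_exec(rootfs, baseline, rel)
            for rel in ("usr/bin/app", "tmp/miner", "usr/bin/sh")
        }


if __name__ == "__main__":
    for rel, (allowed, why) in simulate_runtime().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {rel}: {why}")
```

The untouched application binary is allowed, the dropped miner is blocked as new, and the patched shell is blocked as modified. A hash check on executables does not by itself catch an unmodified interpreter being handed a script or shellcode that was never written to disk, which is why drift prevention is paired with the fileless-execution and behavioural controls listed above.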
By leveraging Aqua’s security solutions for ACA, organizations can confidently run containerized workloads on Azure, maximizing productivity while maintaining a strong security posture across the entire lifecycle.
ACA Security as part of a broader CNAPP approach
Users of ACA should enjoy the same level of security and governance they get when running other cloud services, with no compromise on coverage, quality of defense, or speed.
With Aqua’s code commit-to-runtime approach, ACA users get full lifecycle protection certified for ACA, while ensuring consistent policies and controls across other types of Azure workloads – including VMs, AKS, ACI and Azure Functions – or even across multiple public and private clouds.
Azure Container Apps are expanding in use due to the benefits they provide, but are seldom used in isolation from other workloads and cloud services. Adopting a holistic approach to managing risk, vulnerabilities, and runtime protection such as Aqua’s CNAPP provides is key, but with Aqua’s purpose-built approach to protecting ACA, customers will not leave gaps when it comes to running serverless containers on Azure.