AI-200 Develop containerized solutions on Azure
Develop containerized solutions on Azure
Detailed list of AI-200 knowledge points
Develop containerized solutions on Azure Detailed Explanation
Build a Container Image for an Azure AI API
Microscopic technical focus: Dockerfile runtime selection, dependency installation, exposed port, and container startup validation
Exam Radar
Core Priority: This topic belongs to "Develop containerized solutions on Azure" and focuses on the working object behind the service name: container image.
High Frequency: Expect scenarios where the image builds locally but the cloud runtime exits before the AI endpoint becomes reachable. The best answer follows the failing runtime object, not the most visible Azure resource.
Confusion Alert: Resource existence does not prove runtime success. The exam often describes a deployed service while base image, Python dependencies, startup command, exposed port, and registry tag is still wrong for the path the application actually uses.
Scenario Logic: Read the stem as a chain: caller, configuration, credential, endpoint, service object, response, and telemetry. The useful clue is the first link where the chain can be observed.
Version Delta: AI-200 is beta. Stable Azure CLI patterns are included where useful; REST examples are rehearsal patterns and should be checked against current Microsoft Learn API documentation before live use.
Failure Trigger: The failure appears when base image, Python dependencies, startup command, exposed port, and registry tag does not match the workload execution path.
Operational Dependency: The workload depends on base image, Python dependencies, startup command, exposed port, and registry tag. If that dependency is wrong, a correct-looking architecture still fails.
How the Exam Asks It: Expect wording such as first step, best way to verify, least privilege, minimal change, troubleshoot, or which configuration resolves the symptom.
How Distractors Are Designed: Wrong answers are often useful actions in the wrong order: rebuilds before state checks, scaling before backlog evidence, broader permissions before identity proof, or prompt tuning before retrieval evidence.
Why the Correct Answer Works: The right answer proves the next required condition in the workflow: base image, Python dependencies, startup command, exposed port, and registry tag. It narrows the problem instead of making a broad platform change.
Practice Question: A team is preparing an Azure AI workload and finds that the image builds locally but the cloud runtime exits before the AI endpoint becomes reachable. Which action should the developer take first?
A. verify the pushed image tag, runtime command, dependency layer, and application listening port before changing Azure hosting settings.
B. Run the image locally with the same environment variables and compare the startup logs.
C. Rebuild the image with a new tag and redeploy the container app.
D. Increase the Container Apps startup probe timeout before checking the process command.
Correct Answer: A
Explanation: A is correct because it checks the dependency that controls this workflow: base image, Python dependencies, startup command, exposed port, and registry tag. B, C, and D are not random mistakes; each could help in a different incident. In this scenario they are weaker because they act before the evidence from container image has confirmed the actual failing link.
Atomic Deconstruction - Operational Level
A container image is the packaged runtime for the AI API: operating system layer, Python runtime, installed packages, application files, and startup command. Azure runs that image, not the project folder on the developer's machine.
Build success is only the first checkpoint. The image can build cleanly but still fail in Azure if the app listens on the wrong port, misses a native dependency, or starts with a command that exits after import.
For hands-on study, begin with container image: how it is named, how the app reaches it, and which field or status proves it is usable.
That order prevents cargo-cult troubleshooting. The command matters because it explains the symptom, not because it is a line to memorize.
Component Specifications
| Object | Attribute | Value Range | Default State | Dependency | Failure State |
|---|---|---|---|---|---|
| Dockerfile base image | Runtime layer | Python image, distro image, approved enterprise base | Undefined until FROM is declared |
Native libraries and Python package compatibility | Image builds but app crashes on import or startup |
| Application listener | Bind address and port | 0.0.0.0 plus configured port | Framework default may differ | Container Apps target port and health probe | Ingress cannot route to the process |
| Hosting configuration | Ingress, traffic weight, replica bounds, or VNet setting | Enabled, disabled, internal, external, 0-100 traffic | Platform default unless explicit | Container app environment and revision template | Healthy resource still fails user traffic or dependency calls |
| Pull and network access | AcrPull, DNS, firewall, private endpoint, subnet route | Role assignment and route dependent | No proof until runtime access is tested | Managed identity and environment networking | Image pull failure, timeout, or endpoint resolution failure |
| Operational evidence | Revision state, log stream, queue metric, DNS test, or traffic split | Service-specific status output | Sparse until checked | Azure CLI, portal status, and diagnostics | Troubleshooting changes code without proving platform state |
Step-by-Step Execution Path
Start from the symptom and write the object name the application is actually using. For this topic, that object is container image; find it in configuration, deployment output, SDK client construction, message metadata, or the Azure portal resource blade.
Validate the Azure-side state. Command type: official Azure CLI verification pattern.
az acr repository show-tags --name ai200registry --repository ai-api --query "[0:5]"
Command note: This command is written as an official Azure CLI verification pattern. Confirm installed extension versions and optional JMESPath fields in the active lab environment.
Expected checkpoint: the output shows the intended container image and the service-specific attributes connected to base image, Python dependencies, startup command, exposed port, and registry tag.
- Validate the service behavior from the request side. Command type: REST/API rehearsal; confirm the active API version and authorization method before production use.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/rg-ai200/providers/Microsoft.ContainerRegistry/registries/ai200registry/repositories/ai-api/tags?api-version=2023-01-01-preview
Authorization: Bearer <access-token>
Content-Type: application/json
Expected checkpoint: the status code and body distinguish name mismatch, authorization failure, request schema failure, throttling, and service-side processing errors.
Check the evidence source that belongs to this service: revision status for Container Apps, indexer status for AI Search, request charge for Cosmos DB, queue counts for Service Bus, delivery metrics for Event Grid, or operation-id telemetry for Application Insights.
Change only the broken dependency and repeat the same observation. The original failure should disappear because the inspected state changed, not because unrelated configuration drift masked the symptom.
Technical Chain
The workload reaches Azure Container Registry and container runtime by reading configuration, choosing credentials, resolving the endpoint, and sending a request to container image. The service then checks authorization, object state, and request shape before it returns data or rejects the operation.
When base image, Python dependencies, startup command, exposed port, and registry tag is wrong, the failure often appears one layer later as a timeout, 401/403, 404, 400, stale result, retry storm, or generic application exception. The exam answer is strongest when it names the earliest observable link and uses that evidence to decide the next action.
Operational Skills Matrix
| Task | Precise Command or Path | Verification Standard |
|---|---|---|
| Inspect container image | Run the Step 2 Azure CLI verification command | Output exposes the service state related to base image, Python dependencies, startup command, exposed port, and registry tag |
| Confirm service/API behavior | Run the Step 3 REST/API rehearsal request | Response code and body distinguish endpoint, authorization, object, and request-shape failures |
| Check authorization scope | az role assignment list --assignee <principalId> --all --query "[].{role:roleDefinitionName,scope:scope}" |
Role scope is narrow enough and sufficient for the runtime path |
| Find application evidence | Application Insights > Transaction search > filter by operation id | Telemetry shows whether the dependency call happened and how it ended |
| Re-test original symptom | Repeat the original user action, queue message, event delivery, or API call | The same observable failure is gone after the targeted correction |
Push and Reference Images from Azure Container Registry
Microscopic technical focus: Registry login, repository tag selection, image pull identity, and image digest validation
Exam Radar
Core Priority: This topic belongs to "Develop containerized solutions on Azure" and focuses on the working object behind the service name: image repository tag.
High Frequency: A likely stem describes the deployment references an old or inaccessible image tag. The exam rewards evidence from image repository tag, not broad configuration changes.
Confusion Alert: Resource existence does not prove runtime success. The exam often describes a deployed service while registry identity, repository permissions, tag naming, and pull authorization is still wrong for the path the application actually uses.
Scenario Logic: Read the stem as a chain: caller, configuration, credential, endpoint, service object, response, and telemetry. The useful clue is the first link where the chain can be observed.
Version Delta: AI-200 is beta. Stable Azure CLI patterns are included where useful; REST examples are rehearsal patterns and should be checked against current Microsoft Learn API documentation before live use.
Failure Trigger: The failure appears when registry identity, repository permissions, tag naming, and pull authorization does not match the workload execution path.
Operational Dependency: The workload depends on registry identity, repository permissions, tag naming, and pull authorization. If that dependency is wrong, a correct-looking architecture still fails.
How the Exam Asks It: Expect wording such as first step, best way to verify, least privilege, minimal change, troubleshoot, or which configuration resolves the symptom.
How Distractors Are Designed: Wrong answers are often useful actions in the wrong order: rebuilds before state checks, scaling before backlog evidence, broader permissions before identity proof, or prompt tuning before retrieval evidence.
Why the Correct Answer Works: The right answer proves the next required condition in the workflow: registry identity, repository permissions, tag naming, and pull authorization. It narrows the problem instead of making a broad platform change.
Practice Question: During production troubleshooting, the application shows this symptom: the deployment references an old or inaccessible image tag. Which action should the developer take first?
A. inspect the repository tag and digest, then validate that the hosting service identity can pull that exact image.
B. Push a new image with the same tag and restart the active revision.
C. Assign AcrPull to the hosting identity without checking which digest the revision uses.
D. Switch the deployment to a semantic version tag instead of a build-id tag.
Correct Answer: A
Explanation: A is correct because it checks the dependency that controls this workflow: registry identity, repository permissions, tag naming, and pull authorization. B, C, and D are not random mistakes; each could help in a different incident. In this scenario they are weaker because they act before the evidence from image repository tag has confirmed the actual failing link.
Atomic Deconstruction - Operational Level
An ACR tag is a readable label such as v1 or prod; a digest is the immutable content hash for the image manifest. Tags are convenient for humans, while digests prove the exact image content that was pulled.
This distinction is exam-relevant because a deployment can reference a familiar tag while the active revision still runs an older digest. When behavior does not match the expected code, verify tag and digest before changing application logic.
A practical learner should turn this topic into three questions: what selects image repository tag, what permission or route lets the app use it, and what evidence shows the call succeeded.
This sequence also keeps the learner from jumping to expensive fixes such as scaling, redeploying, or broadening permissions before the failed condition is known.
Component Specifications
| Object | Attribute | Value Range | Default State | Dependency | Failure State |
|---|---|---|---|---|---|
| Image tag | Mutable label | v1, prod, build id, git SHA | Can move to a different digest | Push pipeline and deployment reference | Revision runs unexpected image content |
| Image digest | Immutable manifest hash | sha256 value | Generated on push | Registry manifest and layer set | Troubleshooting cannot prove which image actually ran |
| Hosting configuration | Ingress, traffic weight, replica bounds, or VNet setting | Enabled, disabled, internal, external, 0-100 traffic | Platform default unless explicit | Container app environment and revision template | Healthy resource still fails user traffic or dependency calls |
| Pull and network access | AcrPull, DNS, firewall, private endpoint, subnet route | Role assignment and route dependent | No proof until runtime access is tested | Managed identity and environment networking | Image pull failure, timeout, or endpoint resolution failure |
| Operational evidence | Revision state, log stream, queue metric, DNS test, or traffic split | Service-specific status output | Sparse until checked | Azure CLI, portal status, and diagnostics | Troubleshooting changes code without proving platform state |
Step-by-Step Execution Path
Start from the symptom and write the object name the application is actually using. For this topic, that object is image repository tag; find it in configuration, deployment output, SDK client construction, message metadata, or the Azure portal resource blade.
Validate the Azure-side state. Command type: official Azure CLI verification pattern.
az acr repository show --name ai200registry --image ai-api:v1 --query "{digest:digest,createdTime:createdTime}"
Command note: This command is written as an official Azure CLI verification pattern. Confirm installed extension versions and optional JMESPath fields in the active lab environment.
Expected checkpoint: the output shows the intended image repository tag and the service-specific attributes connected to registry identity, repository permissions, tag naming, and pull authorization.
- Validate the service behavior from the request side. Command type: REST/API rehearsal; confirm the active API version and authorization method before production use.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/rg-ai200/providers/Microsoft.ContainerRegistry/registries/ai200registry?api-version=2023-01-01-preview
Authorization: Bearer <access-token>
Content-Type: application/json
Expected checkpoint: the status code and body distinguish name mismatch, authorization failure, request schema failure, throttling, and service-side processing errors.
Check the evidence source that belongs to this service: revision status for Container Apps, indexer status for AI Search, request charge for Cosmos DB, queue counts for Service Bus, delivery metrics for Event Grid, or operation-id telemetry for Application Insights.
Change only the broken dependency and repeat the same observation. The original failure should disappear because the inspected state changed, not because unrelated configuration drift masked the symptom.
Technical Chain
At runtime, code does not consume a service name; it consumes a configured object. For Azure Container Registry, the request has to reach image repository tag, pass access checks, match the expected contract, and leave evidence in logs or status output.
When registry identity, repository permissions, tag naming, and pull authorization is wrong, the failure often appears one layer later as a timeout, 401/403, 404, 400, stale result, retry storm, or generic application exception. The exam answer is strongest when it names the earliest observable link and uses that evidence to decide the next action.
Operational Skills Matrix
| Task | Precise Command or Path | Verification Standard |
|---|---|---|
| Inspect image repository tag | Run the Step 2 Azure CLI verification command | Output exposes the service state related to registry identity, repository permissions, tag naming, and pull authorization |
| Confirm service/API behavior | Run the Step 3 REST/API rehearsal request | Response code and body distinguish endpoint, authorization, object, and request-shape failures |
| Check authorization scope | az role assignment list --assignee <principalId> --all --query "[].{role:roleDefinitionName,scope:scope}" |
Role scope is narrow enough and sufficient for the runtime path |
| Find application evidence | Application Insights > Transaction search > filter by operation id | Telemetry shows whether the dependency call happened and how it ended |
| Re-test original symptom | Repeat the original user action, queue message, event delivery, or API call | The same observable failure is gone after the targeted correction |
Deploy an AI API to Azure Container Apps
Microscopic technical focus: Container app template, ingress target port, environment variables, and active revision routing
Exam Radar
Core Priority: This topic belongs to "Develop containerized solutions on Azure" and focuses on the working object behind the service name: container app revision.
High Frequency: When the stem says the container app exists but user traffic reaches an inactive or unhealthy revision, read it as an object-state problem first and a platform-change problem second.
Confusion Alert: Resource existence does not prove runtime success. The exam often describes a deployed service while revision activation, ingress configuration, target port, environment variables, and health probe is still wrong for the path the application actually uses.
Scenario Logic: Read the stem as a chain: caller, configuration, credential, endpoint, service object, response, and telemetry. The useful clue is the first link where the chain can be observed.
Version Delta: AI-200 is beta. Stable Azure CLI patterns are included where useful; REST examples are rehearsal patterns and should be checked against current Microsoft Learn API documentation before live use.
Failure Trigger: The failure appears when revision activation, ingress configuration, target port, environment variables, and health probe does not match the workload execution path.
Operational Dependency: The workload depends on revision activation, ingress configuration, target port, environment variables, and health probe. If that dependency is wrong, a correct-looking architecture still fails.
How the Exam Asks It: Expect wording such as first step, best way to verify, least privilege, minimal change, troubleshoot, or which configuration resolves the symptom.
How Distractors Are Designed: Wrong answers are often useful actions in the wrong order: rebuilds before state checks, scaling before backlog evidence, broader permissions before identity proof, or prompt tuning before retrieval evidence.
Why the Correct Answer Works: The right answer proves the next required condition in the workflow: revision activation, ingress configuration, target port, environment variables, and health probe. It narrows the problem instead of making a broad platform change.
Practice Question: After a configuration change, the AI workflow starts failing because the container app exists but user traffic reaches an inactive or unhealthy revision. Which action should the developer take first?
A. validate revision health, traffic weight, ingress settings, and target port before rebuilding the image.
B. Rebuild and push the container image with a new tag.
C. Increase max replicas for the container app.
D. Assign AcrPull to the container app identity.
Correct Answer: A
Explanation: A is correct because it checks the dependency that controls this workflow: revision activation, ingress configuration, target port, environment variables, and health probe. B, C, and D are not random mistakes; each could help in a different incident. In this scenario they are weaker because they act before the evidence from container app revision has confirmed the actual failing link.
Atomic Deconstruction - Operational Level
A Container Apps revision is an immutable snapshot of image, environment variables, ingress, probes, scale rules, and traffic assignment. Updating the template creates a new revision rather than quietly mutating the old runtime.
A container app can exist while the new revision is unhealthy or receives zero traffic. For troubleshooting, revision health and traffic weight are more useful than simply proving the app resource exists.
Study this as a runtime story rather than a service definition. The app points at container app revision, Azure evaluates revision activation, ingress configuration, target port, environment variables, and health probe, and the result shows up as a status, log, metric, or response.
Once the object and access path are clear, the rest of the evidence has a place to attach: logs explain the call, metrics show pressure, and responses classify the failure.
Component Specifications
| Object | Attribute | Value Range | Default State | Dependency | Failure State |
|---|---|---|---|---|---|
| Revision | Template snapshot | Active, inactive, failed, traffic-weighted | Created from deployment template | Image, env vars, probes, ingress, scale | New deployment exists but receives no traffic |
| Traffic split | User routing | 0-100 percent per revision | Often remains on prior revision | Active revision and ingress | Users continue hitting older behavior |
| Hosting configuration | Ingress, traffic weight, replica bounds, or VNet setting | Enabled, disabled, internal, external, 0-100 traffic | Platform default unless explicit | Container app environment and revision template | Healthy resource still fails user traffic or dependency calls |
| Pull and network access | AcrPull, DNS, firewall, private endpoint, subnet route | Role assignment and route dependent | No proof until runtime access is tested | Managed identity and environment networking | Image pull failure, timeout, or endpoint resolution failure |
| Operational evidence | Revision state, log stream, queue metric, DNS test, or traffic split | Service-specific status output | Sparse until checked | Azure CLI, portal status, and diagnostics | Troubleshooting changes code without proving platform state |
Step-by-Step Execution Path
Start from the symptom and write the object name the application is actually using. For this topic, that object is container app revision; find it in configuration, deployment output, SDK client construction, message metadata, or the Azure portal resource blade.
Validate the Azure-side state. Command type: official Azure CLI verification pattern.
az containerapp revision list --name ai-api --resource-group rg-ai200 --query "[].{name:name,active:properties.active,traffic:properties.trafficWeight,health:properties.healthState}"
Command note: This command is written as an official Azure CLI verification pattern. Confirm installed extension versions and optional JMESPath fields in the active lab environment.
Expected checkpoint: the output shows the intended container app revision and the service-specific attributes connected to revision activation, ingress configuration, target port, environment variables, and health probe.
- Validate the service behavior from the request side. Command type: REST/API rehearsal; confirm the active API version and authorization method before production use.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/rg-ai200/providers/Microsoft.App/containerApps/ai-api/revisions?api-version=2024-03-01
Authorization: Bearer <access-token>
Content-Type: application/json
Expected checkpoint: the status code and body distinguish name mismatch, authorization failure, request schema failure, throttling, and service-side processing errors.
Check the evidence source that belongs to this service: revision status for Container Apps, indexer status for AI Search, request charge for Cosmos DB, queue counts for Service Bus, delivery metrics for Event Grid, or operation-id telemetry for Application Insights.
Change only the broken dependency and repeat the same observation. The original failure should disappear because the inspected state changed, not because unrelated configuration drift masked the symptom.
Technical Chain
The execution chain is concrete: configuration selects container app revision, identity or key proves access, networking reaches the endpoint, and the service validates the request against its current state.
When revision activation, ingress configuration, target port, environment variables, and health probe is wrong, the failure often appears one layer later as a timeout, 401/403, 404, 400, stale result, retry storm, or generic application exception. The exam answer is strongest when it names the earliest observable link and uses that evidence to decide the next action.
Operational Skills Matrix
| Task | Precise Command or Path | Verification Standard |
|---|---|---|
| Inspect container app revision | Run the Step 2 Azure CLI verification command | Output exposes the service state related to revision activation, ingress configuration, target port, environment variables, and health probe |
| Confirm service/API behavior | Run the Step 3 REST/API rehearsal request | Response code and body distinguish endpoint, authorization, object, and request-shape failures |
| Check authorization scope | az role assignment list --assignee <principalId> --all --query "[].{role:roleDefinitionName,scope:scope}" |
Role scope is narrow enough and sufficient for the runtime path |
| Find application evidence | Application Insights > Transaction search > filter by operation id | Telemetry shows whether the dependency call happened and how it ended |
| Re-test original symptom | Repeat the original user action, queue message, event delivery, or API call | The same observable failure is gone after the targeted correction |
Scale Containerized AI Workers on Azure
Microscopic technical focus: Replica limits, queue-driven scaling signals, concurrency, and cold-start impact on AI jobs
Exam Radar
Core Priority: This topic belongs to "Develop containerized solutions on Azure" and focuses on the working object behind the service name: scale rule.
High Frequency: This topic often appears as a small production incident: queued AI jobs age even though the worker application is deployed. The useful option is the one that proves the next dependency in the chain.
Confusion Alert: Resource existence does not prove runtime success. The exam often describes a deployed service while min replicas, max replicas, scaler metadata, queue length, and worker concurrency is still wrong for the path the application actually uses.
Scenario Logic: Read the stem as a chain: caller, configuration, credential, endpoint, service object, response, and telemetry. The useful clue is the first link where the chain can be observed.
Version Delta: AI-200 is beta. Stable Azure CLI patterns are included where useful; REST examples are rehearsal patterns and should be checked against current Microsoft Learn API documentation before live use.
Failure Trigger: The failure appears when min replicas, max replicas, scaler metadata, queue length, and worker concurrency does not match the workload execution path.
Operational Dependency: The workload depends on min replicas, max replicas, scaler metadata, queue length, and worker concurrency. If that dependency is wrong, a correct-looking architecture still fails.
How the Exam Asks It: Expect wording such as first step, best way to verify, least privilege, minimal change, troubleshoot, or which configuration resolves the symptom.
How Distractors Are Designed: Wrong answers are often useful actions in the wrong order: rebuilds before state checks, scaling before backlog evidence, broader permissions before identity proof, or prompt tuning before retrieval evidence.
Why the Correct Answer Works: The right answer proves the next required condition in the workflow: min replicas, max replicas, scaler metadata, queue length, and worker concurrency. It narrows the problem instead of making a broad platform change.
Practice Question: A team is preparing an Azure AI workload and finds that queued AI jobs age even though the worker application is deployed. Which action should the developer take first?
A. inspect the scale rule and queue metric before raising model quota or changing message format.
B. Increase max replicas before confirming the scaler can read the queue metric.
C. Raise the queue lock duration before checking whether the scale rule is firing.
D. Add another worker container revision without inspecting active message count.
Correct Answer: A
Explanation: A is correct because it checks the dependency that controls this workflow: min replicas, max replicas, scaler metadata, queue length, and worker concurrency. B, C, and D are not random mistakes; each could help in a different incident. In this scenario they are weaker because they act before the evidence from scale rule has confirmed the actual failing link.
Atomic Deconstruction - Operational Level
A scale rule connects a workload signal to replica count. For AI workers, that signal may be queue depth, HTTP concurrency, CPU, or a custom scaler, but it must represent real pending work.
More replicas do not automatically fix AI throughput. Model throttling, queue lock duration, worker concurrency, and cold start decide whether scale-out helps or just creates more failed attempts.
The compact mental model is: selected object, access path, accepted request, observable result. For this topic, all four revolve around scale rule.
The exam skill is choosing the first useful observation. A fix that happens before that observation is usually only a guess.
Component Specifications
| Object | Attribute | Value Range | Default State | Dependency | Failure State |
|---|---|---|---|---|---|
| Scaler metadata | Trigger configuration | Queue name, namespace, threshold, auth | No workload-aware scaling without rule | Metric source and permission | Backlog grows while replica count stays flat |
| Worker concurrency | Parallel jobs per replica | Single, batched, or configured concurrency | Defined by worker code | Lock duration and model latency | Duplicate work or lock expiration |
| Hosting configuration | Ingress, traffic weight, replica bounds, or VNet setting | Enabled, disabled, internal, external, 0-100 traffic | Platform default unless explicit | Container app environment and revision template | Healthy resource still fails user traffic or dependency calls |
| Pull and network access | AcrPull, DNS, firewall, private endpoint, subnet route | Role assignment and route dependent | No proof until runtime access is tested | Managed identity and environment networking | Image pull failure, timeout, or endpoint resolution failure |
| Operational evidence | Revision state, log stream, queue metric, DNS test, or traffic split | Service-specific status output | Sparse until checked | Azure CLI, portal status, and diagnostics | Troubleshooting changes code without proving platform state |
Step-by-Step Execution Path
Start from the symptom and write the object name the application is actually using. For this topic, that object is scale rule; find it in configuration, deployment output, SDK client construction, message metadata, or the Azure portal resource blade.
Validate the Azure-side state. Command type: official Azure CLI verification pattern.
az containerapp show --name ai-worker --resource-group rg-ai200 --query "properties.template.scale"
Command note: This command is written as an official Azure CLI verification pattern. Confirm installed extension versions and optional JMESPath fields in the active lab environment.
Expected checkpoint: the output shows the intended scale rule and the service-specific attributes connected to min replicas, max replicas, scaler metadata, queue length, and worker concurrency.
- Validate the service behavior from the request side. Command type: REST/API rehearsal; confirm the active API version and authorization method before production use.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/rg-ai200/providers/Microsoft.App/containerApps/ai-worker?api-version=2024-03-01
Authorization: Bearer <access-token>
Content-Type: application/json
Expected checkpoint: the status code and body distinguish name mismatch, authorization failure, request schema failure, throttling, and service-side processing errors.
Check the evidence source that belongs to this service: revision status for Container Apps, indexer status for AI Search, request charge for Cosmos DB, queue counts for Service Bus, delivery metrics for Event Grid, or operation-id telemetry for Application Insights.
Change only the broken dependency and repeat the same observation. The original failure should disappear because the inspected state changed, not because unrelated configuration drift masked the symptom.
Technical Chain
A user-visible result is the last link in the chain. Before that, Azure Container Apps scale rules has already evaluated the target object, the credential, the route, and the request contract.
When min replicas, max replicas, scaler metadata, queue length, and worker concurrency is wrong, the failure often appears one layer later as a timeout, 401/403, 404, 400, stale result, retry storm, or generic application exception. The exam answer is strongest when it names the earliest observable link and uses that evidence to decide the next action.
Operational Skills Matrix
| Task | Precise Command or Path | Verification Standard |
|---|---|---|
| Inspect scale rule | Run the Step 2 Azure CLI verification command | Output exposes the service state related to min replicas, max replicas, scaler metadata, queue length, and worker concurrency |
| Confirm service/API behavior | Run the Step 3 REST/API rehearsal request | Response code and body distinguish endpoint, authorization, object, and request-shape failures |
| Check authorization scope | az role assignment list --assignee <principalId> --all --query "[].{role:roleDefinitionName,scope:scope}" |
Role scope is narrow enough and sufficient for the runtime path |
| Find application evidence | Application Insights > Transaction search > filter by operation id | Telemetry shows whether the dependency call happened and how it ended |
| Re-test original symptom | Repeat the original user action, queue message, event delivery, or API call | The same observable failure is gone after the targeted correction |
Validate Container App Networking for AI Dependencies
Microscopic technical focus: VNet integration, outbound reachability, DNS resolution, private endpoint access, and dependency timeout isolation
Exam Radar
Core Priority: This topic belongs to "Develop containerized solutions on Azure" and focuses on the working object behind the service name: outbound dependency path.
High Frequency: Expect scenarios where the AI API times out only when calling private Azure services from the container runtime. The best answer follows the failing runtime object, not the most visible Azure resource.
Confusion Alert: Resource existence does not prove runtime success. The exam often describes a deployed service while VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint is still wrong for the path the application actually uses.
Scenario Logic: Read the stem as a chain: caller, configuration, credential, endpoint, service object, response, and telemetry. The useful clue is the first link where the chain can be observed.
Version Delta: AI-200 is beta. Stable Azure CLI patterns are included where useful; REST examples are rehearsal patterns and should be checked against current Microsoft Learn API documentation before live use.
Failure Trigger: The failure appears when VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint does not match the workload execution path.
Operational Dependency: The workload depends on VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint. If that dependency is wrong, a correct-looking architecture still fails.
How the Exam Asks It: Expect wording such as first step, best way to verify, least privilege, minimal change, troubleshoot, or which configuration resolves the symptom.
How Distractors Are Designed: Wrong answers are often useful actions in the wrong order: rebuilds before state checks, scaling before backlog evidence, broader permissions before identity proof, or prompt tuning before retrieval evidence.
Why the Correct Answer Works: The right answer proves the next required condition in the workflow: VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint. It narrows the problem instead of making a broad platform change.
Practice Question: During production troubleshooting, the application shows this symptom: the AI API times out only when calling private Azure services from the container runtime. Which action should the developer take first?
A. validate DNS and outbound reachability from inside the container environment before modifying application code.
B. Grant the app broader RBAC permissions to the target service.
C. Increase the request timeout in the AI API code.
D. Restart the container app environment and retest without checking DNS resolution.
Correct Answer: A
Explanation: A is correct because it checks the dependency that controls this workflow: VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint. B, C, and D are not random mistakes; each could help in a different incident. In this scenario they are weaker because they act before the evidence from outbound dependency path has confirmed the actual failing link.
Atomic Deconstruction - Operational Level
Container networking decides whether the running workload can resolve and reach private Azure services. Private endpoint success depends on DNS, routes, firewall rules, and VNet integration, not only on the target service being healthy.
Read the symptom carefully: timeouts often point to name resolution, routing, firewall, or private endpoint problems, while 401 and 403 usually point to identity or permission.
For hands-on study, begin with outbound dependency path: how it is named, how the app reaches it, and which field or status proves it is usable.
That order prevents cargo-cult troubleshooting. The command matters because it explains the symptom, not because it is a line to memorize.
Component Specifications
| Object | Attribute | Value Range | Default State | Dependency | Failure State |
|---|---|---|---|---|---|
| Private DNS resolution | Name-to-address mapping | Private zone record or public endpoint | Depends on VNet links | Private endpoint and subnet DNS | Container times out or reaches public endpoint unintentionally |
| Outbound route | Runtime egress path | VNet route, firewall, NAT, service endpoint | Platform-dependent | Subnet and firewall policy | Service calls fail while local tests pass |
| Hosting configuration | Ingress, traffic weight, replica bounds, or VNet setting | Enabled, disabled, internal, external, 0-100 traffic | Platform default unless explicit | Container app environment and revision template | Healthy resource still fails user traffic or dependency calls |
| Pull and network access | AcrPull, DNS, firewall, private endpoint, subnet route | Role assignment and route dependent | No proof until runtime access is tested | Managed identity and environment networking | Image pull failure, timeout, or endpoint resolution failure |
| Operational evidence | Revision state, log stream, queue metric, DNS test, or traffic split | Service-specific status output | Sparse until checked | Azure CLI, portal status, and diagnostics | Troubleshooting changes code without proving platform state |
Step-by-Step Execution Path
Start from the symptom and write the object name the application is actually using. For this topic, that object is outbound dependency path; find it in configuration, deployment output, SDK client construction, message metadata, or the Azure portal resource blade.
Validate the Azure-side state. Command type: official Azure CLI verification pattern.
az containerapp exec --name ai-api --resource-group rg-ai200 --command "nslookup ai200-kv.vault.azure.net"
Command note: This command is written as an official Azure CLI verification pattern. Confirm installed extension versions and optional JMESPath fields in the active lab environment.
Expected checkpoint: the output shows the intended outbound dependency path and the service-specific attributes connected to VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint.
- Validate the service behavior from the request side. Command type: REST/API rehearsal; confirm the active API version and authorization method before production use.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/rg-ai200/providers/Microsoft.App/managedEnvironments/ai200-env?api-version=2024-03-01
Authorization: Bearer <access-token>
Content-Type: application/json
Expected checkpoint: the status code and body distinguish name mismatch, authorization failure, request schema failure, throttling, and service-side processing errors.
Check the evidence source that belongs to this service: revision status for Container Apps, indexer status for AI Search, request charge for Cosmos DB, queue counts for Service Bus, delivery metrics for Event Grid, or operation-id telemetry for Application Insights.
Change only the broken dependency and repeat the same observation. The original failure should disappear because the inspected state changed, not because unrelated configuration drift masked the symptom.
Technical Chain
The workload reaches Azure Container Apps networking by reading configuration, choosing credentials, resolving the endpoint, and sending a request to outbound dependency path. The service then checks authorization, object state, and request shape before it returns data or rejects the operation.
When VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint is wrong, the failure often appears one layer later as a timeout, 401/403, 404, 400, stale result, retry storm, or generic application exception. The exam answer is strongest when it names the earliest observable link and uses that evidence to decide the next action.
Operational Skills Matrix
| Task | Precise Command or Path | Verification Standard |
|---|---|---|
| Inspect outbound dependency path | Run the Step 2 Azure CLI verification command | Output exposes the service state related to VNet configuration, private DNS zone, firewall rule, subnet route, and outbound endpoint |
| Confirm service/API behavior | Run the Step 3 REST/API rehearsal request | Response code and body distinguish endpoint, authorization, object, and request-shape failures |
| Check authorization scope | az role assignment list --assignee <principalId> --all --query "[].{role:roleDefinitionName,scope:scope}" |
Role scope is narrow enough and sufficient for the runtime path |
| Find application evidence | Application Insights > Transaction search > filter by operation id | Telemetry shows whether the dependency call happened and how it ended |
| Re-test original symptom | Repeat the original user action, queue message, event delivery, or API call | The same observable failure is gone after the targeted correction |
Frequently Asked Questions
What should be verified first when an Azure Container Apps-hosted AI API builds successfully but never becomes reachable after deployment?
Verify the container startup command, listening port, target port, and revision logs before changing scaling or ingress settings.
A successful image build only proves that the image was created; it does not prove that the process starts correctly in Azure. For an AI API, the container must bind to the expected address and port, the Container App target port must match, and the active revision must show a healthy runtime state. Exam scenarios often describe a healthy-looking resource while the actual failure is the process command, missing dependency, or wrong port inside the container.
Demand Score: 91
Exam Relevance Score: 96
How should a developer confirm that a container app is running the intended Azure AI API image version?
Compare the active revision image reference with the ACR tag and digest that was produced by the build pipeline.
Tags can be reused, but digests identify the immutable image content. If the application behavior does not match the expected code, the safest first step is to prove which image the active revision actually pulled. This avoids unnecessary code changes when the deployment is still using an older tag, a different repository path, or a digest that does not match the intended build.
Demand Score: 88
Exam Relevance Score: 95
What identity configuration is usually required for Azure Container Apps to pull a private image from Azure Container Registry?
Grant the container app's managed identity the AcrPull role on the registry or the appropriate registry scope.
Private image pulls require both a valid image reference and authorization to read the image layers. Managed identity avoids storing registry passwords in deployment configuration and supports least-privilege access. In exam troubleshooting, an image pull failure should lead to checking the image reference, the assigned identity, the AcrPull role scope, and any registry networking restrictions.
Demand Score: 90
Exam Relevance Score: 96
When should an AI worker hosted in Azure Container Apps scale out?
Scale out when workload evidence such as queue depth, concurrent request pressure, or processing latency shows that one or more replicas cannot keep up.
Containerized AI workers are commonly driven by HTTP traffic, queues, or event-driven pipelines. Replica limits and scale rules should be tied to observable demand rather than guessed capacity. For exam scenarios, the best answer usually checks the metric that represents the backlog or request pressure before increasing replica counts or changing compute size.
Demand Score: 86
Exam Relevance Score: 93
What should be checked when a containerized AI API can start but cannot reach Azure AI Search, Azure OpenAI, or another dependency?
Check environment variables, DNS resolution, outbound network rules, private endpoint configuration, and the identity used for the dependency call.
Runtime reachability is separate from container health. A container can be healthy while dependency calls fail because the endpoint URL is wrong, the environment is locked behind a VNet, DNS does not resolve the private endpoint, or the managed identity lacks permission. AI-200 scenarios often reward following the caller-to-dependency chain instead of redeploying the container blindly.
Demand Score: 89
Exam Relevance Score: 94
