Deployment Implementations: Containers, Scripts & Databases

From Strategy to Implementation

Simple explanation

Think of recipes vs actual cooking.

The previous module was the recipe book — “use blue-green deployment, apply canary strategy.” This module is the actual cooking — “here is how you build the Docker image, push it to the registry, and deploy the container. Here is how you run the database migration without breaking the live app.”

Knowing the strategy is half the battle. Implementing it correctly — with the right pipeline tasks, deployment methods, and database safety patterns — is where exam questions get specific.

Container Deployment Pipeline

The standard container deployment pipeline follows a build-push-deploy pattern:

Build and Push to ACR

# Azure Pipelines
- task: Docker@2
  inputs:
    containerRegistry: 'myACRConnection'
    repository: 'claims-api'
    command: 'buildAndPush'
    Dockerfile: '**/Dockerfile'
    tags: |
      $(Build.BuildId)
      latest

Best practices:

Tag images with the build ID (immutable) AND latest (convenience)
Use multi-stage Dockerfiles — build stage with SDK, runtime stage with minimal image
Scan images before pushing — use Microsoft Defender for Containers or Trivy
Never store secrets in Docker images — use environment variables or Azure Key Vault references at runtime

Deploy to Azure Container Instances (ACI)

For simple container workloads without orchestration:

- task: AzureCLI@2
  inputs:
    azureSubscription: 'MyAzureConnection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az container create \
        --resource-group myRG \
        --name claims-api \
        --image myacr.azurecr.io/claims-api:$(Build.BuildId) \
        --registry-login-server myacr.azurecr.io \
        --registry-username $(acrUser) \
        --registry-password $(acrPassword)

Deploy to AKS

For production orchestrated workloads, use the KubernetesManifest task:

- task: KubernetesManifest@1
  inputs:
    action: 'deploy'
    connectionType: 'azureResourceManager'
    azureSubscriptionConnection: 'MyAzureConnection'
    azureResourceGroup: 'myRG'
    kubernetesCluster: 'myAKS'
    manifests: '$(Pipeline.Workspace)/manifests/deployment.yaml'
    containers: 'myacr.azurecr.io/claims-api:$(Build.BuildId)'

Question

What is the Docker@2 task and what does the 'buildAndPush' command do?

Click or press Enter to reveal answer

Answer

Docker@2 is an Azure Pipelines task for Docker operations. The 'buildAndPush' command combines docker build and docker push into a single step — it builds the image from the Dockerfile and pushes it to the specified container registry (typically ACR) with the configured tags. It handles registry authentication automatically via the service connection.

Click to flip back

Binary and Script Deployments

Not every deployment uses containers. Azure App Service supports multiple deployment methods:

ZIP Deploy and Run From Package are the modern recommended approaches
Method	How It Works	Best For	Pipeline Task
ZIP Deploy	Upload ZIP package via Kudu API	Most App Service deployments	AzureWebApp@1 with package input
Web Deploy (MSDeploy)	IIS-level deployment with transforms	Legacy .NET Framework apps	AzureRmWebAppDeployment@4
Run From Package	App runs directly from ZIP (read-only wwwroot)	Fastest cold start, immutable deploys	WEBSITE_RUN_FROM_PACKAGE = 1
Azure CLI	Script-based deployment via az webapp deploy	Custom deployment logic	AzureCLI@2
FTP	File-level upload to wwwroot	Avoid — slow, no atomic deploy	Not recommended for CI/CD
GitHub Actions Deploy	azure/webapps-deploy action	GitHub-hosted workflows	azure/webapps-deploy@v3

Question

What is Run From Package and why is it recommended for production?

Click or press Enter to reveal answer

Answer

Run From Package mounts the deployment ZIP as a read-only file system for wwwroot. Benefits: fastest cold start (no file copy on startup), immutable deployment (files cannot be modified at runtime), atomic deployment (the entire package swaps at once), and reduced storage lock issues. Enable it by setting WEBSITE_RUN_FROM_PACKAGE = 1 as an app setting.

Click to flip back

Scenario: Kai deploys containers with image scanning

🚀 Kai’s pipeline at Launchpad Labs:

Build — multi-stage Dockerfile (SDK for build, Alpine for runtime)
Scan — Trivy scans the image for CVEs. Pipeline fails on HIGH/CRITICAL findings
Push — Docker@2 pushes to their ACR with build ID tag
Deploy to staging — KubernetesManifest@1 updates the staging namespace
Integration tests — run against staging endpoints
Deploy to production — KubernetesManifest@1 with canary strategy (20% traffic)
Monitor and promote — if Datadog shows no error spike after 15 minutes, promote to 100%

Riku adds a Dockerfile linting step using hadolint early in the pipeline to catch anti-patterns (running as root, missing HEALTHCHECK, not pinning base image versions).

Database Deployment Tasks

Database deployments are the most dangerous part of any release. A bad migration can corrupt data, cause downtime, or be impossible to roll back. The exam tests your knowledge of safe database deployment patterns.

Migration Approaches

Approach	Tool	How It Works	Rollback
Code-first migrations	EF Core, Django, Rails	Generate migration files from model changes	Run `migrate down` or apply reverse migration
State-based (dacpac)	SQL Server Data Tools (SSDT)	Compare desired schema to current, generate diff script	Limited — requires manual rollback scripts
Versioned scripts	Flyway, Liquibase, DbUp	Numbered SQL scripts run in order	Write corresponding rollback scripts
Idempotent scripts	Custom SQL	Scripts check before modifying (IF NOT EXISTS)	Each script is self-contained and re-runnable

The SqlAzureDacpacDeployment Task

For Azure SQL deployments in Azure Pipelines:

- task: SqlAzureDacpacDeployment@1
  inputs:
    azureSubscription: 'MyAzureConnection'
    AuthenticationType: 'servicePrincipal'
    ServerName: 'meridian-sql.database.windows.net'
    DatabaseName: 'ClaimsDB'
    deployType: 'DacpacTask'
    DeploymentAction: 'Publish'
    DacpacFile: '$(Pipeline.Workspace)/database/Claims.dacpac'

Safe Database Deployment Patterns

Always apply the expand-contract pattern for breaking changes:

Never rename a column directly — add new column, migrate data, update code, drop old column
Never remove a column that existing code reads — deploy code changes first, then contract
Add indexes as non-blocking (ONLINE = ON for SQL Server)
Use transactions for DML but be careful with DDL — some DDL auto-commits

Question

What is a dacpac and how does it differ from migration-based database deployment?

Click or press Enter to reveal answer

Answer

A dacpac (Data-tier Application Package) captures a desired database schema state. During deployment, it compares the desired state to the current database and generates a diff script. Unlike migration-based tools (EF Core, Flyway) that apply sequential versioned scripts, dacpac is state-based — it figures out what changes are needed automatically. Trade-off: dacpac can struggle with data motion (renaming columns) where migration scripts give you explicit control.

Click to flip back

Question

Why should you never delete a database column in the same deployment as the code change that stops using it?

Click or press Enter to reveal answer

Answer

During a rolling deployment (or any period where old and new code coexist), old instances still read from that column. Deleting the column while old code is running causes runtime errors for active users. Instead: deploy the new code first (expand phase), verify all instances are updated, THEN drop the column in a separate deployment (contract phase).

Click to flip back

Feature Flags with Azure App Configuration

Implementing feature flags with Azure App Configuration Feature Manager:

Setup

Create an Azure App Configuration resource
Add feature flags in the Feature Manager blade
Add the Microsoft.FeatureManagement NuGet package to your app
Connect your app to App Configuration using the connection string or managed identity

Configuration Filters

// In Program.cs
builder.Configuration.AddAzureAppConfiguration(options =>
    options.Connect(connectionString)
           .UseFeatureFlags());

builder.Services.AddFeatureManagement();

Percentage Filter (Gradual Rollout)

In the Azure portal or via CLI, configure a feature flag with a percentage filter:

NewCheckout — enabled for 10% of users
Increase to 25%, 50%, 100% as confidence grows
The SDK handles consistent user bucketing (same user always sees the same version)

Targeting Filter (User and Group Targeting)

Target specific users or groups:

Enable for kai@launchpadlabs.com (individual)
Enable for beta-testers group (group)
Default percentage for everyone else: 0%

Exam tip: Feature flags in pipelines

The exam may ask how to integrate feature flags into a deployment pipeline:

Pre-deployment: Pipeline creates/updates the feature flag in App Configuration (OFF by default)
Post-deployment: Pipeline enables the flag for a test group via the App Configuration REST API
Validation: Run tests against the feature-flagged path
Promotion: Increase percentage filter via pipeline task
Rollback: Set the flag to OFF via a single API call — no redeployment needed

Key distinction: Feature flags separate DEPLOYMENT from RELEASE. The code is deployed (available) but not released (visible to users) until the flag is enabled.

Knowledge Check

Kai needs to deploy a new microservice to AKS. The pipeline should build the Docker image, scan it for vulnerabilities, push it to ACR, and deploy to the cluster. Which sequence of Azure Pipelines tasks is correct?

Knowledge Check

Nadia needs to rename a column in the production SQL database from 'CustName' to 'CustomerFullName'. The Claims API reads this column. What is the safest approach?

Knowledge Check

Which Azure App Service deployment method provides the fastest cold start and ensures the deployment is immutable (files cannot be modified at runtime)?

🎬 Video coming soon

Container, Script and Database Deployments

Next up: Infrastructure as Code: ARM vs Bicep vs Terraform