Compute (VM, Container Apps, AKS) — when to use what
Azure offers many ways to run code. In practice the choice comes down to three options: VM (full control), Container Apps (serverless for containers) and AKS (managed Kubernetes). Picking the right layer is a trade-off between control and operational cost.
Virtual Machines (IaaS)
A classic virtual machine — a full operating system, full control, full responsibility (patching, hardening, scaling). Choose a VM when:
- you have a legacy application that is not containerized,
- you need a specific OS, GPU drivers or control over the kernel,
- you are doing a "lift-and-shift" migration from on-premises.
az vm create \
--resource-group rg-zeus-app --name vm-legacy01 \
--image Ubuntu2204 --size Standard_D2s_v5 \
--admin-username azureadmin --generate-ssh-keys \
--public-ip-address "" # no public IP; access via Bastion
Tip: for many identical VMs, use Virtual Machine Scale Sets (VMSS) — autoscaling and rolling upgrades out of the box.
Azure Container Apps (serverless)
Container Apps runs containers without managing a cluster. It scales from zero (scale-to-zero), has built-in ingress, revisions and KEDA for event-driven scaling. This is the best choice for microservices and APIs when you do not want to operate Kubernetes.
az containerapp create \
--resource-group rg-zeus-app --name ca-api \
--environment cae-zeus \
--image ghcr.io/professnet/zeus-api:1.4.0 \
--target-port 8080 --ingress external \
--min-replicas 0 --max-replicas 10
Azure Kubernetes Service (AKS)
AKS is managed Kubernetes — Azure runs the control plane, you manage the nodes and workloads. Choose AKS when:
- you have multiple teams and complex deployments (Helm, operators, service mesh),
- you need the full Kubernetes ecosystem (CRDs, GitOps, namespaces),
- your team already has Kubernetes experience.
az aks create \
--resource-group rg-zeus-app --name aks-zeus \
--node-count 3 --enable-managed-identity \
--network-plugin azure --generate-ssh-keys
az aks get-credentials --resource-group rg-zeus-app --name aks-zeus
Decision matrix
| Criterion | VM | Container Apps | AKS |
|---|---|---|---|
| Control over the OS | full | none | partial (nodes) |
| Operational cost | high | low | medium/high |
| Scale-to-zero | no | yes | no (by default) |
| Learning curve | low | low | high |
| Best for | legacy, GPU | APIs, microservices | platforms, mesh |
How ZEUS sees it
ZEUS inventories all of these resources through Resource Graph and ARM. For VMs it checks, among other things, public IPs, disk encryption status and patch level (via Defender for Cloud). For AKS it reads the cluster version, RBAC configuration and whether policy controls are enabled. ZEUS's container scanners also analyze images for CVE vulnerabilities — independently of the compute layer.
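To make the checks above concrete, here is an added example (not ZEUS's own code) that audits inventory rows for VMs with a public IP on a NIC and for AKS clusters with RBAC disabled or the Azure Policy add-on off. The rows are constructed sample data shaped like ARM resources; `vm-jump01`, `aks-old`, `pip-jump01` and the `SUB` subscription placeholder are hypothetical.

```python
# Constructed sample rows shaped like ARM / Resource Graph output (not a real inventory).
BASE = "/subscriptions/SUB/resourceGroups/rg-zeus-app/providers/"
VM = BASE + "Microsoft.Compute/virtualMachines/"
PIP = BASE + "Microsoft.Network/publicIPAddresses/"
SAMPLE = [
    {"type": "Microsoft.Network/networkInterfaces", "name": "vm-legacy01-nic",
     "properties": {"virtualMachine": {"id": VM + "vm-legacy01"},
                    "ipConfigurations": [{"properties": {}}]}},
    {"type": "Microsoft.Network/networkInterfaces", "name": "vm-jump01-nic",  # hypothetical
     "properties": {"virtualMachine": {"id": VM + "vm-jump01"},
                    "ipConfigurations": [{"properties": {
                        "publicIPAddress": {"id": PIP + "pip-jump01"}}}]}},
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-zeus",
     "properties": {"enableRBAC": True, "addonProfiles": {}}},
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-old",  # hypothetical
     "properties": {"enableRBAC": False,
                    "addonProfiles": {"azurepolicy": {"enabled": True}}}},
]

def get(d, path, default=None):
    """Walk a dotted path through nested dicts, tolerating missing keys."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

def audit(resources):
    """Return sorted, de-duplicated (resource name, finding) pairs."""
    findings = []
    for r in resources:
        rtype, props = r["type"].lower(), r.get("properties", {})
        if rtype == "microsoft.network/networkinterfaces":
            # Public IPs hang off the NIC, so map the NIC back to its VM.
            vm_id = get(props, "virtualMachine.id")
            for cfg in props.get("ipConfigurations", []):
                if vm_id and get(cfg, "properties.publicIPAddress.id"):
                    findings.append((vm_id.rsplit("/", 1)[-1], "public-ip"))
        elif rtype == "microsoft.containerservice/managedclusters":
            # A missing key counts as a finding: absence is not proof of a control.
            if get(props, "enableRBAC") is not True:
                findings.append((r["name"], "rbac-disabled"))
            if get(props, "addonProfiles.azurepolicy.enabled") is not True:
                findings.append((r["name"], "policy-addon-off"))
    return sorted(set(findings))

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
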
In the next lesson: storage and databases — Blob, Files, Azure SQL and PostgreSQL.