Skip to content

Azure Container Instances Worker Guide

Why use ACI for flow run execution?

ACI (Azure Container Instances) is a fully managed compute platform that streamlines running your Prefect flows on scalable, on-demand infrastructure on Azure.

Prerequisites

Before starting this guide, make sure you have:

  • An Azure account and user permissions for provisioning resource groups and container instances.
  • The azure CLI installed on your local machine. You can follow Microsoft's installation guide.
  • Docker installed on your local machine.

Step 1. Create a resource group

Azure resource groups serve as containers for managing groupings of Azure resources.

Replace <resource-group-name> with the name of your choosing, and <location> with a valid Azure location name, such aseastus.

export RG_NAME=<resource-group-name> && \
az group create --name $RG_NAME --location <location>

Throughout the rest of the guide, we'll need to refer to the scope of the created resource group, which is a string describing where the resource group lives in the hierarchy of your Azure account. To save the scope of your resource group as an environment variable, run the following command:

RG_SCOPE=$(az group show --name $RG_NAME --query id --output tsv)

You can check that the scope is correct before moving on by running echo $RG_SCOPE in your terminal. It should be formatted as follows:

/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>

Step 2. Prepare ACI permissions

In order for the worker to create, monitor, and delete the other container instances in which flows will run, we'll need to create a custom role and an identity, and then affiliate that role to the identity with a role assignment. When we start our worker, we'll assign that identity to the container instance it's running in.

1. Create a role

The custom Container Instances Contributor role has all the permissions your worker will need to run flows in other container instances. Create it by running the following command:

az role definition create --role-definition '{
  "Name": "Container Instances Contributor",
  "IsCustom": true,
  "Description": "Can create, delete, and monitor container instances.",
  "Actions": [
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.Resources/deployments/*",
    "Microsoft.ContainerInstance/containerGroups/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    '"\"$RG_SCOPE\""'
  ]
}'

2. Create an identity

Create a user-managed identity with the following command, replacing <identity-name> with the name you'd like to use for the identity:

export IDENTITY_NAME=<identity_name> && \
az identity create -g $RG_NAME -n $IDENTITY_NAME

We'll also need to save the principal ID and full object ID of the identity for the role assignment and container creation steps, respectively:

IDENTITY_PRINCIPAL_ID=$(az identity list --query "[?name=='$IDENTITY_NAME'].principalId" --output tsv) && \
IDENTITY_ID=$(az identity list --query "[?name=='$IDENTITY_NAME'].id" --output tsv)

3. Assign roles to the identity

Now let's assign the Container Instances Contributor role we created earlier to the new identity:

az role assignment create \
    --assignee $IDENTITY_PRINCIPAL_ID \
    --role "Container Instances Contributor" \
    --scope $RG_SCOPE

Since we'll be using ACR to host a custom Docker image containing a Prefect flow later in the guide, let's also assign the built in AcrPull role to the identity:

az role assignment create \
    --assignee $IDENTITY_PRINCIPAL_ID \
    --role "AcrPull" \
    --scope $RG_SCOPE

Step 3. Create the worker container instance

Before running this command, set your PREFECT_API_URL and PREFECT_API_KEY as environment variables:

export PREFECT_API_URL=<PREFECT_API_URL_HERE> PREFECT_API_KEY=<PREFECT_API_KEY_HERE>

Running the following command will create a container instance in your Azure resource group that will start a Prefect ACI worker. If there is not already a work pool in Prefect with the name you chose, a work pool will also be created.

Replace <work-pool-name> with the name of the ACI work pool you want to create in Prefect. Here we're using the work pool name as the name of the container instance in Azure as well, but you may name it something else if you prefer.

az container create \
    --name <work-pool-name> \
    --resource-group $RG_NAME \
    --assign-identity $IDENTITY_ID \
    --image "prefecthq/prefect:2-python3.11" \
    --secure-environment-variables PREFECT_API_URL=$PREFECT_API_URL PREFECT_API_KEY=$PREFECT_API_KEY \
    --command-line "/bin/bash -c 'pip install prefect-azure && prefect worker start --pool <work-pool-name> --type azure-container-instance'" 

This container instance uses default networking and security settings. For advanced configuration, refer the az container create CLI reference.

Step 4. Create an ACR registry

In order to build and push images containing flow code to Azure, we'll need a container registry. Create one with the following command, replacing <registry-name> with the registry name of your choosing:

export REGISTRY_NAME=<registry-name> && \
az acr create --resource-group $RG_NAME \
  --name <registry-name> --sku Basic

Step 5. Update your ACI work pool configuration

Once your work pool is created, navigate to the Edit page of your ACI work pool. You will need to update the following fields:

Identities

This will be your IDENTITY_ID. You can get it from your terminal by running echo $IDENTITY_ID. When adding it to your work pool, it should be formatted as a JSON array:

["/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>"]

Configuring an ACI work pool's identities.

ACRManagedIdentity

ACRManagedIdentity is required for your flow code containers to be pulled from ACR. It consists of the following:

  • Identity: the same IDENTITY_ID as above, as a string
    /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>
    
  • Registry URL: your <registry-name>, followed by .azurecr.io
    <registry-name>.azurecr.io
    

Configuring an ACI work pool's ACR Managed Identity.

Subscription ID and resource group name

Both the subscription ID and resource group name can be found in in the RG_SCOPE environment variable created earlier in the guide. View their values by running echo $RG_SCOPE:

/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>

Configuring an ACI work pool.

Then click Save.

Step 6. Pick up a flow run with your new worker

This guide uses ACR to store a Docker image containing your flow code. Write a flow, then deploy it using flow.deploy(), which will copy flow code into a Docker image and push that image to an ACR registry.

1. Log in to ACR

Use the following commands to log in to ACR:

TOKEN=$(az acr login --name $REGISTRY_NAME --expose-token --output tsv --query accessToken)
docker login $REGISTRY_NAME.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password-stdin <<< $TOKEN

2. Write and deploy a simple test flow

Create and run the following script to deploy your flow. Be sure to replace <registry-name> and <work-pool-name> with the appropriate values.

my_flow.py

from prefect import flow, get_run_logger
from prefect.deployments import DeploymentImage

@flow
def my_flow():
    logger = get_run_logger()
    logger.info("Hello from ACI!")

if __name__ == "__main__":
    my_flow.deploy(
        name="aci-deployment",
        image=DeploymentImage(
            name="<registry-name>.azurecr.io/example:latest",
            platform="linux/amd64",
        ),
        work_pool_name="<work-pool-name>",
    )

3. Find the deployment in the UI and click the Quick Run button!