# Az - Container Instances

{{#include ../../../banners/hacktricks-training.md}}

## Basic Information

Azure Container Instances (ACI) provide a **serverless, on-demand way** to run **containers** in the Azure cloud. You can **deploy** single or multiple containers in a group with **scalable compute**, **networking options**, and the flexibility to connect to **other Azure services** (like Storage, Virtual Networks, or Container Registries). As they are **ephemeral** workloads, you don't need to manage the underlying VM infrastructure: Azure handles that for you.

However, from an **offensive security perspective**, it's crucial to understand how **permissions**, **identities**, **network configurations**, and **logs** can reveal attack surfaces and potential misconfigurations.

### Configurations

- In order to create a container it's possible to use a public image, a container image from an Azure Container Registry or an external repository, which might **require configuring a password** to access it.
- Regarding networking, a container group can have a **public IP** or be reachable only through **private endpoints**.
- It's also possible to configure common docker settings like:
  - **Environment variables**
  - **Volumes** (even from Azure Files)
  - **Ports**
  - **CPU and memory limits**
  - **Restart policy**
  - **Run as privileged**
  - **Command line to run**
  - ...

## Enumeration

> [!WARNING]
> When enumerating ACI, you can reveal sensitive configurations such as **environment variables**, **network details**, or **managed identities**. Be cautious with logging or displaying them.
```bash
# List all container instances in the subscription
az container list

# Show detailed information about a specific container instance
# (<container-name> and <resource-group> are placeholders for your own values)
az container show --name <container-name> --resource-group <resource-group>

# Fetch logs from a container
az container logs --name <container-name> --resource-group <resource-group>

# Execute a command in a running container and get the output
az container exec --name <container-name> --resource-group <resource-group> --exec-command "ls"

# Get yaml configuration of the container group
az container export --name <container-name> --resource-group <resource-group>
```
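As an added example (not code from the original page), the following Python audit reads the JSON that `az container list -o json` returns and flags the settings the section above calls out as sensitive: public IP exposure, attached managed identities, privileged containers and secret-looking environment variables stored as plaintext `value` rather than `secureValue`. The field names follow the ACI container group resource schema as emitted by the az CLI; the sample record is constructed, and the secret-name heuristics are an assumption.

```python
import json

# Constructed sample, shaped like one element of `az container list -o json`.
SAMPLE = json.dumps([{
    "name": "billing-worker",
    "resourceGroup": "rg-prod",
    "identity": {"type": "SystemAssigned"},
    "ipAddress": {"type": "Public", "ip": "203.0.113.10",
                  "ports": [{"port": 8080, "protocol": "TCP"}]},
    "containers": [{
        "name": "worker",
        "image": "acrprod.azurecr.io/worker:1.4",
        "securityContext": {"privileged": True},
        "environmentVariables": [
            {"name": "DB_PASSWORD", "value": "hunter2"},   # plaintext, readable via `az container show`
            {"name": "API_TOKEN", "secureValue": None},    # secure: the CLI never returns the value
            {"name": "LOG_LEVEL", "value": "info"},
        ],
    }],
}])

# Assumed substrings that mark an environment variable name as secret-bearing.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CONNECTIONSTRING")


def audit_group(group: dict) -> list[str]:
    """Return one finding per risky setting found in a single container group."""
    findings = []
    ip = group.get("ipAddress") or {}
    if ip.get("type") == "Public":
        ports = ",".join(str(p["port"]) for p in ip.get("ports", []))
        findings.append(f"public IP {ip.get('ip')} exposing ports {ports}")
    ident = (group.get("identity") or {}).get("type", "None")
    if ident != "None":
        findings.append(f"managed identity attached ({ident}); review its role assignments")
    for c in group.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"container {c['name']} runs privileged")
        for env in c.get("environmentVariables", []):
            # Only a plaintext `value` is exposed to anyone with read access on the resource.
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"container {c['name']}: env var {env['name']} holds a secret in plaintext")
    return findings


def audit(json_text: str) -> dict[str, list[str]]:
    """Map each container group name to its list of findings."""
    return {g["name"]: audit_group(g) for g in json.loads(json_text)}


if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        print(name, *items, sep="\n  ")
```

Pipe real output in with `az container list -o json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`.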