FastAPI · Docker · ACR · Container Apps · Azure Monitor · Key Vault · GitHub Actions

Weather Tracker. A cloud-native Azure application with containers, monitoring, CI/CD, and secure secret management.

This project started as a local FastAPI weather application and evolved into a production-style Azure platform. It uses Docker, Azure Container Registry, Azure Container Apps, structured logging, Application Insights, Azure Monitor alerts, GitHub Actions CI/CD, and Azure Key Vault with managed identity.

Azure Container Apps Docker + ACR GitHub Actions CI/CD Application Insights Azure Monitor alerts Key Vault + managed identity

Engineering deep dive (real FastAPI, Docker, CLI, CI/CD) → Open live Weather Tracker → View GitHub repo

Runtime: Azure Container Apps Image source: Azure Container Registry Security: Key Vault + managed identity

Sections Overview Architecture Security Gallery Validation Tech stack Lessons

Architecture diagram for Weather Tracker Azure project

↗Open live Azure Container Apps URL

Cloud-native deployment path

Container Apps Azure Monitor Key Vault

Architecture snapshot Final project flow.

GitHub push → GitHub Actions → Docker build
→ Azure Container Registry → Azure Container Apps
→ FastAPI Weather App → WeatherAPI
→ Structured logs → Application Insights
→ Azure Monitor alert → Action Group email
→ Key Vault secret via managed identity

Overview

What this project demonstrates

This project demonstrates how a simple application can be engineered into a secure, observable, containerized Azure workload. The final architecture keeps the project focused: FastAPI Weather App → Structured Logging → Azure Monitor + Alerts → Docker → ACR → ACI validation → Azure Container Apps → GitHub Actions CI/CD → Azure Key Vault.

The engineering problem

Move beyond a local demo into a real Azure-hosted workload.

A local FastAPI app is not enough for a serious cloud portfolio. This build turns the application into a deployable service with runtime configuration, cloud monitoring, container packaging, automated deployment, and secret management.

Started with a local FastAPI weather app using WeatherAPI.
Deployed first to Azure App Service to prove cloud compute hosting.
Added Application Insights, structured logs, alerts, and email notifications.
Containerized the app and moved the production runtime to Azure Container Apps.

The finished outcome

A secure cloud-native application deployment path.

The final runtime uses Container Apps as the live platform, ACR as the image source, GitHub Actions for CI/CD, Azure Monitor for operational visibility, and Key Vault with managed identity for the WeatherAPI secret.

Develop Containerize Publish Deploy Monitor Secure

Security and operations

How the project was hardened and monitored

The project intentionally avoids being just a weather UI. The strongest parts are the operational and security layers.

Observability

Application Insights captures request telemetry from the FastAPI application.
Structured Python logs capture weather API calls, success events, latency, and errors.
KQL queries validate requests, traces, and failure events.
Azure Monitor scheduled query alert fires when weather API failures are logged.

Secret management

Weather API key stored in Azure Key Vault.
Container App uses a system-assigned managed identity.
Managed identity granted Key Vault Secrets User using Azure RBAC.
Container App references the Key Vault secret without code changes or plaintext application secrets.

Azure architecture

From local FastAPI to secure Container Apps deployment.

The final platform follows a realistic cloud delivery path: application code is committed to GitHub, GitHub Actions builds a Docker image, the image is pushed to ACR, and Azure Container Apps runs the container with managed ingress and Key Vault-backed configuration.

Build and deployment flow

1
FastAPI weather app
Python 3.12 + Jinja + SQLite
The app searches weather, renders forecast data, stores favourite cities, and exposes a health endpoint.
2
Docker container
Gunicorn + Uvicorn workers
The application is packaged into a portable runtime using a production-style Dockerfile.
3
Azure Container Registry
Private container image storage
The image is tagged and pushed to ACR, then updated through GitHub Actions.
4
ACI validation
Temporary cloud container test
Azure Container Instances validates the image before the production runtime.
5
Azure Container Apps
Production-style container hosting
Container Apps exposes the service over HTTPS, supports scale-to-zero, and runs the final workload.

Operations and security flow

1
Application Insights telemetry
Requests and application behaviour are collected for cloud diagnostics.
2
Structured logs
Weather API events are logged with JSON context including city, status code, and latency.
3
Azure Monitor alerts
KQL-based scheduled query alert detects Weather API HTTP errors.
4
Action Group email
Alert events notify the operator through email.
5
Key Vault secret reference
The Container App reads the WeatherAPI key from Key Vault using managed identity.

Screenshot gallery

Evidence from the live Azure build.

All screenshots included below are packaged inside this folder under images/. Click any card to open the full screenshot.

Architecture

End-to-end Azure architecture

Final Weather Tracker architecture showing GitHub Actions, Docker, ACR, Container Apps, Azure Monitor, and Key Vault.

Container Apps

Live Azure Container Apps UI

Weather search working from the public HTTPS Container Apps endpoint.

GitHub Actions

CI/CD pipeline success

GitHub Actions built the Docker image, pushed to ACR, and updated Container Apps successfully.

Key proof

Docker Desktop container

Local container running with Docker Desktop before cloud deployment.

ACR / Docker

Docker images and ACR tag

Local Docker image and tagged ACR image ready for push.

ACI

Azure Container Instances test runtime

Short-lived ACI validation proving the ACR image runs in Azure.

Local container

Local container homepage

Weather Tracker running locally from the Docker container.

App Service

FastAPI cloud deployment

Earlier App Service deployment validating the web app before container production runtime.

Telemetry

Application Insights request telemetry

Application Insights request records for live application traffic.

Structured logs

Application Insights traces

Structured weather request logs showing city, result, and context.

Error logs

Weather API error traces

KQL trace results showing Weather API HTTP errors used for alerting.

Alert

Azure Monitor fired alert

Azure Monitor fired the weather API error alert when the threshold was crossed.

Alert details

Log search alert detail

Azure alert details showing query, threshold, and fired condition.

Action Group email notification

Email notification from Azure Monitor proving the alert action group worked.

Troubleshooting

KQL syntax issue

A real scheduled query/KQL syntax issue encountered and fixed during alert creation.

Troubleshooting

Initial no-results query

Early Application Insights query returning no traces before instrumentation was corrected.

Requests

Successful request table

Application Insights requests table populated after telemetry started flowing.

Telemetry

Empty traces stage

One of the early telemetry validation screens before logs appeared correctly.

Overview

Application Insights overview

Application Insights overview used during monitoring validation.

Metrics

Application Insights metrics overview

Azure metrics dashboard evidence from the monitoring stage.

API error

Unauthorized API key issue

Early local WeatherAPI 401 issue, later fixed by correct API key/environment configuration.

Validation walkthrough

How the project was tested end to end.

The validation flow proves the app works at every stage: local runtime, Azure App Service, telemetry, Docker, ACR, ACI, Container Apps, CI/CD, and Key Vault-backed secret delivery.

Build local MVP

Created a FastAPI app with city search, forecast display, favourites, and a health endpoint.

Deploy to App Service

Validated cloud hosting with Azure App Service, environment variables, and Gunicorn startup.

Add telemetry

Integrated Application Insights and validated requests, traces, errors, and KQL queries.

Configure alerts

Created Azure Monitor alert rules and Action Group email notifications for Weather API failures.

Containerize

Created Dockerfile and .dockerignore, then tested the container locally with environment injection.

Publish to ACR

Tagged and pushed the container image to Azure Container Registry.

Validate with ACI

Ran the image in Azure Container Instances as a short-lived validation runtime, then deleted it for cost control.

Deploy to Container Apps

Created a Container Apps environment and deployed the app with public HTTPS ingress and scale-to-zero.

Automate with GitHub Actions

Configured CI/CD to build Docker images, push to ACR, and update Container Apps on every push.

Secure with Key Vault

Stored the WeatherAPI key in Key Vault and connected it to Container Apps using managed identity.

Tech stack

Azure-native services and implementation building blocks.

The stack is deliberately focused on Azure Cloud Engineer skills: compute hosting, containers, monitoring, CI/CD, and secret management.

Application and runtime

Python 3.12
FastAPI
Jinja2 templates
SQLite for development storage
HTTPX for WeatherAPI calls
Gunicorn with Uvicorn workers

Azure and DevOps

Azure App Service
Application Insights and Azure Monitor
Azure Container Registry
Azure Container Instances
Azure Container Apps
Azure Key Vault and managed identity
GitHub Actions CI/CD

Project snapshot

Weather Tracker Azure Cloud Engineering Project

A production-style Azure workload demonstrating FastAPI hosting, structured logging, monitoring, Docker, ACR, ACI validation, Container Apps, GitHub Actions, and Key Vault-backed secret management.

FastAPI Docker ACR Container Apps Azure Monitor Key Vault GitHub Actions

Live URL

Azure Container Apps endpoint

Primary runtime

Azure Container Apps

Image registry

Azure Container Registry

CI/CD

GitHub Actions build → push → deploy

Monitoring

Application Insights + Azure Monitor alerts

Security

Key Vault secret reference via managed identity

Jump to full engineering deep dive →

Challenges & lessons learned

What broke during the build — and how it was fixed.

The strongest learning came from real Azure errors: quota limits, startup dependency issues, telemetry gaps, CLI syntax differences, ACI crash loops, port mapping quirks, and RBAC permissions for Key Vault.

App Service deployment initially failed because Gunicorn was missing

›

The FastAPI app had a production startup command using Gunicorn, but gunicorn was not in requirements.txt. Adding it fixed the App Service startup path.

Symptom: site stuck starting or failed runtime.
Fix: add gunicorn==23.0.0.
Lesson: startup commands and dependencies must match.

Application Insights showed useful data only after proper instrumentation

›

The first monitoring setup created Application Insights but did not show useful FastAPI request telemetry. The fix was to use Azure Monitor OpenTelemetry and initialize it before the app fully loaded.

Azure Monitor alert syntax required CLI-specific query formatting

›

The scheduled query alert failed until the query placeholder syntax was corrected using a named condition query.

ACI entered CrashLoopBackOff because the WeatherAPI key was not passed correctly

›

The local Docker container worked because it read .env, but the Azure CLI deployment needed the shell variable exported explicitly.

Key Vault access failed until RBAC was assigned correctly

›

Creating the Key Vault with RBAC enabled did not automatically grant permission to set or read secrets. The fix was to assign Key Vault Secrets Officer to the user and Key Vault Secrets User to the Container App managed identity.