Set up an Azure Container Instance
Purpose
This page describes the recommended approach for running BE-Code as an Azure Container Instance (ACI) without your own server infrastructure. You can optionally bind the service to Azure Key Vault to manage certificates centrally.
Prerequisites
- Active Azure subscription with sufficient permissions to create resource groups and Container Instances.
- Azure CLI installed on your workstation, or access to the Azure portal.
- Access to the BE-terna Azure Container Registry
becode.azurecr.io; authentication uses one ACR token per customer. - Optional: an Azure AD service principal with access to the Key Vault and a valid SSL certificate stored in the Key Vault.
Recommended order
- Sign in to Azure and to the Container Registry.
- Create a resource group.
- Create the Azure Container Instance.
- Verify the container and set up DNS forwarding.
- Test availability and configure the service URL in the BE-Code setup in Business Central.
Setup building blocks
Sign in
Sign in to Azure and to the Container Registry:
az login
az acr login --name becode
docker login becode.azurecr.io -u <token-name> -p <token-password>
Use a dedicated ACR token per customer rather than the registry admin account.
Create a resource group
az group create --name myResourceGroup --location westeurope
Replace myResourceGroup with your own name, and adjust westeurope to the Azure region you need.
Create the Azure Container Instance
Create the Container Instance that hosts BE-Code. Adjust resource group, name, image version, and environment variables. Avoid spaces in variable values:
az container create `
--resource-group myResourceGroup `
--name becode `
--image becode.azurecr.io/becode:latest `
--ports 1880 `
--registry-username <token-name> `
--registry-password <token-password> `
--location westeurope `
--vnet myVNET `
--subnet mySubnet `
--os-type Windows `
--environment-variables title="BE-terna" port="1880" `
azureClientID=<client-id> azureTenantID=<tenant-id> azureSubscriptionID=<subscription-id> `
vaultName=<vault-name> certificateName=<certificate-name> `
pfxFileName="C:\certs\cert.pfx" certPemName="C:\certs\cert.pem" privateKeyPemName="C:\certs\privkey.pem" `
flowfile="C:\data\flow.json" settingsfile="C:\data\settings.js" `
--secure-environment-variables azureSecretValue=<secret> certificatePw=<certificate-password> userPw=<strong-password>
Notes:
- If the virtual network lives in a different resource group than the Container Instance, pass the full VNet ID instead of the name.
--os-typesupports Windows or Linux; align with BE-terna support on which variant fits your version.- If you do not use Key Vault, drop the Key Vault variables. Without
userPw, the container starts with the demo default password and a self-signed certificate; this is not approved for production.
Verify the container
Check the run state and assigned address:
az container show --resource-group myResourceGroup --name becode --query "{FQDN:ipAddress.fqdn,ProvisioningState:provisioningState,Containers:containers[0].name,ContainerState:containers[0].instanceView.currentState.detailStatus}"
Then set up DNS forwarding to the FQDN or to your own subdomain.
Availability and integration
Open https://<fqdn>:1880/becode or https://<dns>:1880/becode in a browser. Configure the same URL in the BE-Code setup in Business Central and verify the connection with the Check connection action.
Process Operational notes Guardrails for secure operation and secrets management.
- Pass Key Vault values only via
--secure-environment-variables, never as plain-text variables. - Restrict Key Vault access to the container service principal and review it regularly.
- Do not expose the container without VNet or firewall protection.
- Roll out image updates in a maintenance window and verify the connection from Business Central afterwards.
Links