A one-click Ghost deployment on Azure with options to deploy it to:
Please note that both deployment options might not be the best option cost-wise to run a small personal blog on Ghost in Azure. The goal of those deployment templates is to showcase how you can automate the process of setting up a containerized application with various infrastructure dependencies in Azure.
This is a Ghost blogging platform deployed as a container on Azure services. By default, it uses a custom Ghost Docker image with Azure Application Insights support, which you can easily replace with the official Ghost container image via the template parameters.
It also leverages Azure Database for MySQL to store the application data.
The deployment configuration is provided as ready-to-use Bicep templates that deploy and configure all required Azure resources:
- a VNet for private endpoints and internal app communication;
- a Web App or Container App for running the Ghost container;
- a Key Vault for storing secrets such as database passwords;
- a Log Analytics workspace and Application Insights component for monitoring the application;
- an Azure Database for MySQL Flexible Server;
- an (optional) Front Door profile to secure and offload the traffic from the app.
All resources have their diagnostic settings configured to stream resource logs and metrics to the Log Analytics workspace.
For the complete list of settings, please refer to the following blog posts:
- Ghost on Azure: Project Update. New Ghost 5 image, Azure MySQL Flexible Server, Azure Private Link, RBAC for Key Vault, and App Service access restrictions to Azure Front Door
- How to connect to Azure Database for MySQL from Ghost container
- Ghost deployment on Azure: Security Hardening
- A one-click Ghost deployment on Azure Web App for Containers
You can deploy it as a Web App with public access or a Web App fronted by an Azure Front Door Standard profile. If deployed with the Azure Front Door Standard profile, the Web App is configured with access restrictions allowing traffic from the Front Door profile only.
Post-deployment steps: none.
Check for the `endpointHostName` deployment output value for the app URL. Depending on the deployment configuration (Web App with public access or with Azure Front Door), it will point to the Web App or to the Front Door profile public endpoint.
It takes some time for the Ghost container to be pulled/started and the application to be initialized, so check the container deployment logs on the Web App for container status.
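The Front Door-only access restriction described above can be expressed as follows. This is an added example, not the project's own template: the parameter names, the symbolic resource names and the API versions are assumptions. The point it shows is that the `AzureFrontDoor.Backend` service tag alone admits traffic from any Front Door profile, so the rule is also pinned to this profile's ID through the `X-Azure-FDID` header.

```bicep
// Added example: parameter names and API versions are assumptions,
// not values taken from the project's templates.
param webAppName string
param frontDoorProfileName string

// Existing Web App that runs the Ghost container.
resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

// Existing Front Door Standard profile placed in front of the Web App.
resource frontDoor 'Microsoft.Cdn/profiles@2023-05-01' existing = {
  name: frontDoorProfileName
}

resource accessRestrictions 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: webApp
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      {
        name: 'Allow traffic from Front Door'
        priority: 100
        action: 'Allow'
        // Service tag covering the Front Door backend address ranges.
        // On its own it matches every Front Door profile in Azure.
        tag: 'ServiceTag'
        ipAddress: 'AzureFrontDoor.Backend'
        // Restrict the rule to requests forwarded by this specific profile.
        headers: {
          'x-azure-fdid': [
            frontDoor.properties.frontDoorId
          ]
        }
      }
      // Once an Allow rule exists, App Service applies an implicit
      // deny to all traffic that matches no rule.
    ]
  }
}
```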
You can deploy it as a Container App with public access in a Container App Environment with public ingress enabled or a Container App in a locked-down Container App Environment accessible only via the Azure Front Door (Premium) private link. If deployed with the Azure Front Door private link, the Container App endpoint is inaccessible from the public network, which is good practice for production deployments.
Post-deployment steps:
- Approve the private endpoint connection request from the Azure Front Door profile on your Container App Environment. This step cannot be automated, as you essentially need to approve a connection via Private Link from the Front Door externally managed environment.
- Check and copy the `endpointHostName` deployment output value for the app URL. Depending on the deployment configuration (Container App with public access or with Azure Front Door), it will point to the Container App or to the Front Door profile public endpoint.
- Update the `url` environment variable in the container properties with the `endpointHostName` output value. Ghost needs that variable to point to the website FQDN to work correctly. Updating a container (app) variable creates a new app revision.
It takes some time for the Ghost container to be pulled/started and the application to be initialized, so check the container deployment logs on the Container App for container status.