Container Instances

container-instances

container-instances is the container-group triage command for Azure Container Instances public endpoint, runtime, network, and identity cues.

Use it when you need to know which container groups deserve review before you start opening shared workload joins, endpoint detail, or token-path follow-up.

What This Command Answers

• Which container groups matter first?
• Which groups combine public reachability, managed identity, or useful runtime posture in a way that matters now?
• Which container group should change what you inspect next?

Run It

ho-azure container-instances --output table

For saved structured output:

ho-azure container-instances --output json

Example Table Output

container group	endpoint	network	identity	runtime	images	why it matters
aci-public-api	aci-public-api.eastus.azurecontainer.io, 52.160.10.30	ports 80, 443	SystemAssigned	os=Linux; restart=Always; containers=2; state=Succeeded	mcr.microsoft.com/azuredocs/aci-helloworld:latest (+1 more)	Public endpoint plus managed identity makes this a stronger immediate pivot candidate.
aci-internal-worker	-	subnets=1	SystemAssigned, UserAssigned; user-assigned=1	os=Linux; restart=OnFailure; containers=1; state=Succeeded	ghcr.io/harrierops/internal-worker:2.0	No public endpoint is visible, but the group still carries managed identity and subnet placement worth review.

When To Use It

• when container groups may be more important than they first appear
• when you need to rank Azure Container Instances before deeper identity, workload, or endpoint review
• when public reachability, subnet placement, or managed identity makes one group stand out

What To Look For

• public IPs or FQDNs first
• managed identity presence
• exposed ports or subnet placement that change the likely next move
• runtime cues such as restart policy, OS, and container count

Why It Matters

A container group can be both exposed and privileged.

A publicly reachable container group with managed identity can matter much more immediately than a lot of quiet compute inventory. Even an internal-only group can still matter if it carries strong identity or sits in a sensitive subnet. container-instances helps you surface that quickly.

What Should Stand Out First

• groups with visible public IPs or FQDNs first
• managed-identity-backed groups near the top inside that public set
• clearer endpoint context such as FQDN plus public IP before quieter rows
• runtime and network cues that explain why the group matters operationally

If You See..., Go Next To...

• If you see a public endpoint and managed identity on the same container group, go next to Tokens-Credentials because it shows whether that workload already surfaces a managed-identity token path.
• If you see managed identity on a container group that looks important, go next to Managed-Identities because it shows the identity object and attachment context behind that workload.
• If you want the cross-service compute picture, go next to Workloads because it shows how that container group compares with other exposed or identity-bearing workloads.
• If you want the public endpoint separated from the runtime details, go next to Endpoints because it shows the named hostname or IP surface alongside other visible Azure entry paths.

What To Do Next

• Start with the groups that combine public reachability and managed identity.
• Treat ACI groups as first-class workload review targets, not background container noise.
• Use endpoint, network, and identity cues to decide whether the next question belongs in workloads, endpoints, identities, or tokens.

Loot Behavior

Loot currently keeps the top-ranked rows for this command. That ordering is useful, but it is not yet a shipped semantic high / medium / low analyst contract unless the command explicitly labels rows with a defended priority contract.

Boundary

container-instances is a container-group triage command.

It should rank the container groups that most deserve follow-up first. It is not image looting, content retrieval, deep runtime dumping, or exploit validation.