Oct 31 2022 04:55 AM
I am curious about the below situation regarding Azure and Docker containers:
If I am a web app developer, my applications are containerized with Docker, and I want to host my web apps on Azure, how would I go about it in an environment where I do not control access within the Azure environment, and my organization adheres to a minimal access policy, particularly one where developers are not given access to networking internals?
I am asking this from personal experience running into issues with roles and privileges within Azure. Typically, if a developer needs a network resource or change (a new server, a new VM, a role change), this would be done through someone who has sufficient access. This includes changes to the Azure environment's networking, including Virtual Networks. However, Docker containers create the server runtime when they are deployed, essentially creating servers "at will".
So, how would one reconcile the use of Docker containers (app developers need network write access) with standard minimal access and a dedicated networking group (app developers should not have network write access and should delegate to a member of the networking group)?
Our current way of doing things is using Container Instances, which takes an image from Container Registry and deploys it if the user has route table write access, but I'm wondering if there is a better way to get Docker containers onto Azure.