A basic Dockerfile is not enough for production. You need to optimize for Security, Size, and Speed. A well-crafted container is the foundation of a stable microservice.
Use a "Build" stage with the full .NET SDK to compile your code, and a "Run" stage with just the ASP.NET Runtime to host it. This reduces your image size from 800MB to ~200MB, which means faster deployments and less storage cost.
By default, Docker runs your app as the 'root' user. This is a massive security risk. If an attacker exploits your app, they have full control over the container. **Architect Tip:** Use the `USER app` instruction in your Dockerfile to run your app with minimum privileges.
Order your Dockerfile correctly. Copy your `.csproj` files and run `dotnet restore` BEFORE copying your source code. This ensures that when you change a line of code, Docker can reuse the cached 'Restore' layer, making your builds 10x faster.
Q: "What is 'Distroless' and why should architects care?"
Architect Answer: "'Distroless' images contain only your application and its runtime dependencies. They do NOT contain shells, package managers (apt), or other standard Linux tools. This drastically reduces the **Attack Surface** of your container. If an attacker gets inside, they can't run scripts or install malware because the tools simply aren't there."