0

So what I'm doing is I've got a VM running in Azure. Simple enough, but what it's doing we want to secure from the outside world. I've got specific ports open, 8000, to everything on the 10 vlan, and my specific public IP that I'm using. Accessing the data that way works fine. No issues, etc.

So, I've gone out and created a VStudio Container API on my Mac using:

az container create --resource-group <> --name <> --ip-address Public --ports 80

If I do that, I can access a dummy method call and it returns data as expected.

What I need though is to have the method itself reach out to the VM and interact with it. It's just doing HTTP POSTs of JSON, so not really a lot of rocket science between the two.

But I can't get the WebAPI in a container to access the VM. I've also tried --vnet=<> where the <> is the name of the vnet my VMs are sitting in, but still nothing.

It's almost as if I need to tell the box that it's got 2 NICs and that it can communicate to the 10 net via 1, and the public net on the other.

So any ideas what I'm missing?

Nick Jacobs

1 Answer

1

What I understand is that you want to securely access the VM from a container instance. If so, then you need to create the container instance in the Vnet. This will enable that feature:

Container communication with virtual machines in the virtual network

But here is a limitation:

To deploy container groups to a subnet, the subnet cannot contain any other resource types.

It means that you need to create the VM in another subnet of the Vnet.

Creating the container instance in the Vnet will lose the feature of accessing it from the Internet. So if you also need to access the container instance from the Internet, I would suggest you use the Azure Application Gateway, and then put the container instance in the backend of the application gateway with the instance's private IP.

Charles Xu
  • So I would assume that I'd use the `--vnet` part of the az container create then to put it in that particular subnet? (I'm chasing down the App Gateway stuff as we speak) – Nick Jacobs Aug 30 '19 at 15:15
  • @NickJacobs Yes, put the container instance in an existing Vnet or a new Vnet and it's different from the subnet of the VM. – Charles Xu Sep 02 '19 at 01:44
  • @NickJacobs Well, if you have any questions, please let me know. Maybe I can give you some help. – Charles Xu Sep 03 '19 at 01:42
  • Well, I've had good luck at using the App Gateway to an instance of a container. Now I'm in the process of wiring up the containers into something like Kubernetes or App Services containers. – Nick Jacobs Sep 03 '19 at 23:53
  • I will, let me work through the appgateway to kubernetes and then I'll post some of what I've learned doing this too. – Nick Jacobs Sep 04 '19 at 13:39
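
The layout the answer describes, written out as an added example (not code from the original posts): a subnet that holds only container groups, the container deployed into it with a private IP, and an inbound rule on the VM's network security group that admits port 8000 from that subnet alone. The resource group, vnet, subnet, NSG and image names, the 10.0.2.0/24 prefix, the rule priority, and the existence of an NSG on the VM's subnet are all assumptions.

```shell
#!/usr/bin/env bash
# Added example. Every name and address range is a constructed placeholder.
RG="${RG:-example-rg}"
VNET="${VNET:-example-vnet}"              # vnet the VM already sits in
ACI_SUBNET="${ACI_SUBNET:-aci-subnet}"    # new subnet, container groups only
ACI_PREFIX="${ACI_PREFIX:-10.0.2.0/24}"   # must not overlap the VM's subnet
VM_NSG="${VM_NSG:-example-vm-nsg}"        # NSG assumed to protect the VM
IMAGE="${IMAGE:-example.azurecr.io/webapi:latest}"

# Print each command unless DRY_RUN=0, so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Dedicated subnet, delegated to Azure Container Instances.
create_aci_subnet() {
  run az network vnet subnet create \
    --resource-group "$RG" --vnet-name "$VNET" --name "$ACI_SUBNET" \
    --address-prefixes "$ACI_PREFIX" \
    --delegations Microsoft.ContainerInstance/containerGroups
}

# 2. Container group inside that subnet: private IP, no public endpoint.
deploy_container() {
  run az container create \
    --resource-group "$RG" --name webapi --image "$IMAGE" --os-type Linux \
    --vnet "$VNET" --subnet "$ACI_SUBNET" \
    --ip-address Private --ports 80
}

# 3. Let only the container subnet reach the VM's service on port 8000.
allow_aci_to_vm() {
  run az network nsg rule create \
    --resource-group "$RG" --nsg-name "$VM_NSG" --name allow-aci-8000 \
    --priority 200 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ACI_PREFIX" \
    --destination-port-ranges 8000
}

deploy_all() { create_aci_subnet && deploy_container && allow_aci_to_vm; }

deploy_all   # prints the three az commands; run with DRY_RUN=0 to execute them
```

Public access to the container then goes through the Application Gateway mentioned in the answer, with the container's private IP as the backend.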