
I have an application gateway with a frontend public IP address, connected to a VNET via its subnet and using a single backend pool that points to a container group in the same VNET but a different subnet.

The backend pool points to the IP address of the container group. That works!

But I don't want to rely on an IP address that could change anytime with the container restart. I already use a private DNS zone linked to the VNET. The container group is accessible as "mycontainer.my-azure.com" from the VNET thanks to the A record in my private DNS zone.

But putting "mycontainer.my-azure.com" as the FQDN of the backend pool does not work. It works with the IP address "172.22.44.5" but "mycontainer.my-azure.com" does not resolve, backend health shows "Unknown". I tried restarting the APP GW from AZ CLI to no avail.

Does anyone know how to make APP GW use the VNET's private DNS zone in its backend pool?

Mirek

1 Answer


If the application gateway backend pool contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses. Make sure the FQDN in the backend pool can be resolved internally.

You can verify the following configuration; it works on my side. I am using the Standard V2 SKU application gateway. The application gateway and container group were deployed into the same VNet but different subnets, with no firewall rules. I use this example for deploying ACI.

Backend pool

(screenshot)

HTTP setting

(screenshot)

Listener

(screenshot)

Health probe

(screenshot)

Private DNS zone

(screenshot)

Nancy
  • Holy s***....I couldn't get this exact example to work at all and after several hours I just gave up. The only difference is that we are using the WAF V2 AppGw. Also the VNET is using custom DNS IP addresses but I added the Azure DNS server 168.63.129.16 in there. I'll try this with the Standard V2 as you did. – Mirek Apr 26 '21 at 06:14
  • Why don't you use the default (Azure-provided) in the dns server of that vnet? That might be the problem. "If you are using custom DNS resolvers in the VNET where you plan to deploy your ACI, the containers will not inherit that configuration. ", Refer to https://aztoso.com/aci/azure-container-instances-custom-dns/ and https://github.com/MicrosoftDocs/azure-docs/issues/61488 – Nancy Apr 26 '21 at 07:12
  • That's set up by our admin. It is part of the solution to connect Azure with on-premises. I'm now finding out that the custom DNS is not an issue, it still works with Standard AppGw. But WAFv2 is not able to resolve custom DNS at all. Even when VNET is using Azure-provided DNS. – Mirek Apr 26 '21 at 07:32
  • Hang on...suddenly it magically works, the same setup I was testing yesterday. I have no idea what's happening. – Mirek Apr 26 '21 at 07:36
  • The Application gateway SKU v2 should work the same with the same configurations. If my solution helps you to narrow down this issue or it can help others who may face the same issue, you could accept this answer. – Nancy Apr 26 '21 at 07:55
  • I'm trying to figure out why my setup yesterday didn't work. If it works now then I'll accept your answer. If I find out a case in which it didn't work I'll accept your answer as well after updating it with more info about the non-working case. – Mirek Apr 26 '21 at 07:57
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/231597/discussion-between-mirek-and-nancy-xiong). – Mirek Apr 26 '21 at 07:59
  • Do you have more questions? To be honest, I can not guess what you have done on your side. If this issue has been fixed, Could you archive this thread via accepting it? – Nancy Apr 27 '21 at 01:06
  • Hey, we found out the custom DNS was a problem but it was confusing to figure that out because App Gw does not flush its DNS even after restart. So yeah, I'm gonna accept your answer. – Mirek Apr 27 '21 at 06:17
  • Hey, just to flag this approach doesn't fully work since Container Instances are subject to [restarts due to platform changes](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-application-gateway#create-container-group) (usually a few times a week) and that often results in a different private IP being allocated - [this article details a workaround](https://www.garyjackson.dev/posts/azure-container-instance-dns-private-ip/) which I haven't tried. Basically Container Instances are not suitable for persistent web services behind a Gateway as is :( – Brendan Jul 20 '23 at 08:54
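The answer's first check ("make sure the FQDN in the backend pool can be resolved internally") and the last comment's caveat (a backend pinned to an ACI private IP breaks when the container group is restarted) can both be turned into a quick, repeatable triage step over the gateway's backend-health output. The script below is an added example written for this page, not code from the thread or from Azure; it parses the JSON shape returned by `az network application-gateway show-backend-health` (`backendAddressPools[].backendHttpSettingsCollection[].servers[]` with `address`, `health`, `healthProbeLog`) and flags backends whose health is `Unknown` (the symptom in the question) or whose address is a literal IP rather than an FQDN. The embedded sample document, the pool and settings names, and the probe-log messages are constructed for the example.

```python
"""Triage Application Gateway backend health: resolution failures and IP-pinned backends.

Added example, not part of the original Stack Overflow thread. Feed it the
JSON printed by:
    az network application-gateway show-backend-health -g <rg> -n <appgw> -o json
The SAMPLE_HEALTH_JSON below is constructed to mimic that shape.
"""
import ipaddress
import json
import sys

# Constructed sample: one pool, one HTTP setting, two backend addresses.
# The healthProbeLog strings are made up for the example.
SAMPLE_HEALTH_JSON = json.dumps({
    "backendAddressPools": [{
        "backendAddressPool": {"id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                                     "Microsoft.Network/applicationGateways/<appgw>/"
                                     "backendAddressPools/aci-pool"},
        "backendHttpSettingsCollection": [{
            "backendHttpSettings": {"id": "/subscriptions/<sub>/.../backendHttpSettingsCollection/http80"},
            "servers": [
                {"address": "mycontainer.my-azure.com", "health": "Unknown",
                 "healthProbeLog": "(constructed) backend host name could not be resolved"},
                {"address": "172.22.44.5", "health": "Healthy",
                 "healthProbeLog": "(constructed) probe succeeded with HTTP 200"},
            ],
        }],
    }],
})


def is_ip_literal(address: str) -> bool:
    """True when the backend address is an IPv4/IPv6 literal rather than an FQDN."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def resource_name(resource_id: str) -> str:
    """Last path segment of an ARM resource id, e.g. '.../backendAddressPools/aci-pool' -> 'aci-pool'."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1] if resource_id else ""


def assess_backend_health(health_json: str) -> list:
    """One finding per backend address: its health plus advisory notes for the operator."""
    doc = json.loads(health_json)
    findings = []
    for pool in doc.get("backendAddressPools", []):
        pool_name = resource_name(pool.get("backendAddressPool", {}).get("id", ""))
        for settings in pool.get("backendHttpSettingsCollection", []):
            settings_name = resource_name(settings.get("backendHttpSettings", {}).get("id", ""))
            for server in settings.get("servers", []):
                address = server.get("address", "")
                health = server.get("health", "Unknown")
                notes = []
                if health == "Unknown":
                    # The question's symptom: the probe never got an answer, usually because the
                    # FQDN does not resolve from the VNet (private DNS zone not linked, or the
                    # VNet's DNS servers cannot answer for it). A cached negative answer can persist.
                    notes.append("health Unknown: verify the FQDN resolves from inside the VNet "
                                 "(private DNS zone link, VNet DNS server settings)")
                elif health == "Unhealthy":
                    notes.append("health Unhealthy: host reached but probe failed; check probe "
                                 "path, port, protocol and NSG rules")
                if is_ip_literal(address):
                    # The last comment's caveat: ACI private IPs change on platform restarts.
                    notes.append("literal IP backend: an ACI private IP can change on restart; "
                                 "prefer the private DNS zone FQDN")
                findings.append({"pool": pool_name, "http_settings": settings_name,
                                 "address": address, "health": health,
                                 "probe_log": server.get("healthProbeLog", ""), "notes": notes})
    return findings


def format_report(findings: list) -> str:
    """Human-readable summary, one line per backend plus indented notes."""
    lines = []
    for f in findings:
        lines.append(f"[{f['health']}] pool={f['pool']} settings={f['http_settings']} "
                     f"address={f['address']} log={f['probe_log']!r}")
        lines.extend(f"    - {note}" for note in f["notes"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Read real output from stdin if piped in, otherwise use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HEALTH_JSON
    print(format_report(assess_backend_health(raw or SAMPLE_HEALTH_JSON)))
```

Run it as `az network application-gateway show-backend-health -g <rg> -n <appgw> -o json | python3 appgw_health_triage.py`; the `Unknown` versus `Unhealthy` split is the useful signal, because `Unknown` points at name resolution or reachability before the probe rather than at the probe itself.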