There are several ways in which you might achieve this.
One would be to configure a single public IP address for outbound and inbound traffic to an Azure container group. With this method, you can deploy an Azure Container Instance in a virtual network, as you have already done.
Then,
Deploy Azure Firewall in network
First, use the az network vnet subnet create to add a subnet named AzureFirewallSubnet for the firewall. AzureFirewallSubnet is the required name of this subnet.
# ACI_VNET is the name of the virtual network you already delegated to Azure Container Instances
az network vnet subnet create \
--name AzureFirewallSubnet \
--resource-group $RESOURCE_GROUP_NAME \
--vnet-name $ACI_VNET \
--address-prefix 10.0.1.0/26
Use the following Azure CLI commands to create a firewall in the subnet.
If not already installed, add the firewall extension to the Azure CLI using the az extension add command:
az extension add --name azure-firewall
Create the firewall resources:
az network firewall create \
--name myFirewall \
--resource-group $RESOURCE_GROUP_NAME \
--location eastus
az network public-ip create \
--name fw-pip \
--resource-group $RESOURCE_GROUP_NAME \
--location eastus \
--allocation-method static \
--sku standard
az network firewall ip-config create \
--firewall-name myFirewall \
--name FW-config \
--public-ip-address fw-pip \
--resource-group $RESOURCE_GROUP_NAME \
--vnet-name $ACI_VNET
Update the firewall configuration using the az network firewall update command:
az network firewall update \
--name myFirewall \
--resource-group $RESOURCE_GROUP_NAME
Get the firewall's private IP address using the az network firewall ip-config list command. This private IP address is used in a later command.
FW_PRIVATE_IP="$(az network firewall ip-config list \
--resource-group $RESOURCE_GROUP_NAME \
--firewall-name myFirewall \
--query "[].privateIpAddress" --output tsv)"
Get the firewall's public IP address using the az network public-ip show command. This public IP address is used in a later command.
FW_PUBLIC_IP="$(az network public-ip show \
--name fw-pip \
--resource-group $RESOURCE_GROUP_NAME \
--query ipAddress --output tsv)"
Define user-defined route on ACI subnet
Define a user-defined route on the ACI subnet to divert traffic to the Azure firewall. For more information, see Route network traffic.
Create Route Table
First, run the following az network route-table create command to create the route table. Create the route table in the same region as the virtual network.
az network route-table create \
--name Firewall-rt-table \
--resource-group $RESOURCE_GROUP_NAME \
--location eastus \
--disable-bgp-route-propagation true
Create route
Run az network route-table route create to create a route in the route table. To route traffic to the firewall, set the next hop type to VirtualAppliance, and pass the firewall's private IP address as the next hop address.
az network route-table route create \
--resource-group $RESOURCE_GROUP_NAME \
--name DG-Route \
--route-table-name Firewall-rt-table \
--address-prefix 0.0.0.0/0 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address $FW_PRIVATE_IP
Associate route table to ACI subnet
Run the az network vnet subnet update command to associate the route table with the subnet delegated to Azure Container Instances.
# ACI_SUBNET is the name of the subnet delegated to Azure Container Instances in $ACI_VNET
az network vnet subnet update \
--name $ACI_SUBNET \
--resource-group $RESOURCE_GROUP_NAME \
--vnet-name $ACI_VNET \
--address-prefixes 10.0.0.0/24 \
--route-table Firewall-rt-table
Finally,
Configure rules on firewall
By default, Azure Firewall denies (blocks) inbound and outbound traffic.
Configure NAT rule on firewall to ACI subnet
Create a NAT rule on the firewall to translate and filter inbound internet traffic to the application container you started previously in the network. For details, see Filter inbound Internet traffic with Azure Firewall DNAT.
Create a NAT rule and collection by using the az network firewall nat-rule create command:
# ACI_PRIVATE_IP is the private IP address assigned to the container group in the delegated subnet (shown by az container show)
# $SOURCE_ADDRESSES is deliberately unquoted so that each address becomes a separate argument
az network firewall nat-rule create \
--firewall-name myFirewall \
--collection-name myNATCollection \
--action dnat \
--name myRule \
--protocols TCP \
--source-addresses $SOURCE_ADDRESSES \
--destination-addresses $FW_PUBLIC_IP \
--destination-ports 80 \
--resource-group $RESOURCE_GROUP_NAME \
--translated-address $ACI_PRIVATE_IP \
--translated-port 80 \
--priority 200
Add NAT rules as needed to filter traffic to other IP addresses in the subnet. For example, other container groups in the subnet could expose IP addresses for inbound traffic, or other internal IP addresses could be assigned to the container group after a restart.
Note: Replace $SOURCE_ADDRESSES with a space-separated list of your App Services' outbound IP addresses.
Create outbound application rule on the firewall
Run the following az network firewall application-rule create command to create an outbound rule on the firewall. This sample rule allows access from the subnet delegated to Azure Container Instances to the FQDN checkip.dyndns.org. HTTP access to the site is used in a later step to confirm the egress IP address from Azure Container Instances.
az network firewall application-rule create \
--collection-name myAppCollection \
--firewall-name myFirewall \
--name Allow-CheckIP \
--protocols Http=80 Https=443 \
--resource-group $RESOURCE_GROUP_NAME \
--target-fqdns checkip.dyndns.org \
--source-addresses 10.0.0.0/24 \
--priority 200 \
--action Allow
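As an added example (not code from the original answer or from Microsoft's tutorial), the script below ties the steps above together for the DNAT part: it reads the App Service's outbound IP addresses from Azure instead of hand-pasting $SOURCE_ADDRESSES, validates them, looks up the container group's private IP and the firewall's public IP, and creates the NAT rule. The web app name, container group name and the rule name allow-from-app-service are assumptions; myFirewall, fw-pip and $RESOURCE_GROUP_NAME are the names used above. Setting AZ=echo prints the az invocations instead of running them.

```shell
#!/bin/sh
# Added example, not from the original answer: build the firewall DNAT rule
# from the App Service's outbound IPs. Assumed: web app and container group
# names given as arguments, rule name allow-from-app-service.
set -eu
AZ="${AZ:-az}"   # AZ=echo for a dry run

# Return 0 if $1 is a dotted-quad IPv4 literal, 1 otherwise.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Turn the comma-separated list that `az webapp show` returns ("1.2.3.4,5.6.7.8")
# into the space-separated form --source-addresses expects, refusing anything
# that is not an IPv4 address so a bad value cannot silently widen the rule.
outbound_ips_to_args() {
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
  [ $# -gt 0 ] || { echo "no outbound IP addresses returned" >&2; return 1; }
  args=""
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    args="${args:+$args }$ip"
  done
  printf '%s\n' "$args"
}

# possibleOutboundIpAddresses also covers addresses the app may start using
# after a scale event, so the rule does not break later.
app_outbound_ips() {
  "$AZ" webapp show --name "$1" --resource-group "$RESOURCE_GROUP_NAME" \
    --query possibleOutboundIpAddresses --output tsv
}

# Private IP the container group received in the delegated subnet.
aci_private_ip() {
  "$AZ" container show --name "$1" --resource-group "$RESOURCE_GROUP_NAME" \
    --query ipAddress.ip --output tsv
}

fw_public_ip() {
  "$AZ" network public-ip show --name fw-pip \
    --resource-group "$RESOURCE_GROUP_NAME" --query ipAddress --output tsv
}

# $1: space-separated source IPs, $2: firewall public IP, $3: ACI private IP.
# $1 is deliberately unquoted so each address becomes its own argument;
# quoting it (as in '$SOURCE_ADDRESSES') would pass one bogus string instead.
create_dnat_rule() {
  "$AZ" network firewall nat-rule create \
    --firewall-name myFirewall \
    --collection-name myNATCollection \
    --action dnat \
    --name allow-from-app-service \
    --protocols TCP \
    --source-addresses $1 \
    --destination-addresses "$2" \
    --destination-ports 80 \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --translated-address "$3" \
    --translated-port 80 \
    --priority 200
}

main() {
  sources="$(outbound_ips_to_args "$(app_outbound_ips "$1")")"
  create_dnat_rule "$sources" "$(fw_public_ip)" "$(aci_private_ip "$2")"
}

# Usage: RESOURCE_GROUP_NAME=my-rg ./dnat-from-appservice.sh <web-app> <container-group>
if [ $# -eq 2 ]; then
  main "$@"
fi
```

Because the container group can come back with a different private IP after a restart (as noted above), rerun the script, or at least the create_dnat_rule step with the new translated address, after any restart.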
An alternative method can be to Integrate your App Service with an Azure virtual network. With Azure Virtual Network (VNets), you can place many of your Azure resources in a non-internet-routable network. The VNet Integration feature enables your apps to access resources in or through a VNet. VNet Integration doesn't enable your apps to be accessed privately.
Please find a pictorial example here. You can then connect the App Service virtual network with the ACI virtual network through VNet-to-VNet peering or a VNet-to-VNet VPN gateway.
However, with this method, you will have to integrate all the Azure App Services that will be connecting to your ACI with a Virtual Network.
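As an added example for this alternative (not code from the original answer), the script below integrates every web app named on its command line with an App Service virtual network and then peers that network with the ACI network in both directions. The names appsvc-vnet and appsvc-integration, the 10.1.0.0/24 prefix, and the assumption that appsvc-vnet already exists with an address space that does not overlap the ACI network are all assumptions; aci-vnet and $RESOURCE_GROUP_NAME follow the answer above. AZ=echo prints the az invocations instead of running them.

```shell
#!/bin/sh
# Added example for the VNet integration alternative; not from the original
# answer. Assumed names: appsvc-vnet / appsvc-integration (App Service side),
# aci-vnet (the ACI network used above).
set -eu
AZ="${AZ:-az}"   # AZ=echo for a dry run
APPSVC_VNET="${APPSVC_VNET:-appsvc-vnet}"
APPSVC_SUBNET="${APPSVC_SUBNET:-appsvc-integration}"
ACI_VNET="${ACI_VNET:-aci-vnet}"

# Regional VNet integration needs a subnet delegated to Microsoft.Web/serverFarms
# that holds nothing else. The prefix is an assumed value.
create_integration_subnet() {
  "$AZ" network vnet subnet create \
    --name "$APPSVC_SUBNET" \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --vnet-name "$APPSVC_VNET" \
    --address-prefix 10.1.0.0/24 \
    --delegations Microsoft.Web/serverFarms
}

# Integration is configured per app, which is why every app that has to reach
# the container group goes through this step.
integrate_app() {
  "$AZ" webapp vnet-integration add \
    --name "$1" \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --vnet "$APPSVC_VNET" \
    --subnet "$APPSVC_SUBNET"
}

# Peering is directional: create it from both VNets or traffic flows one way only.
peer_vnets() {
  for pair in "$1:$2" "$2:$1"; do
    local_vnet="${pair%%:*}"; remote_vnet="${pair#*:}"
    "$AZ" network vnet peering create \
      --name "${local_vnet}-to-${remote_vnet}" \
      --resource-group "$RESOURCE_GROUP_NAME" \
      --vnet-name "$local_vnet" \
      --remote-vnet "$remote_vnet" \
      --allow-vnet-access
  done
}

main() {
  create_integration_subnet
  for app in "$@"; do
    integrate_app "$app"
  done
  peer_vnets "$APPSVC_VNET" "$ACI_VNET"
}

# Usage: RESOURCE_GROUP_NAME=my-rg ./integrate-appservices.sh app-one app-two
if [ $# -gt 0 ]; then
  main "$@"
fi
```

After peering, the apps reach the container group on its private address inside aci-vnet; nothing in this script exposes the apps themselves privately, which matches the note above that VNet Integration does not make the apps privately accessible.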