In the documentation for Azure ContainerApps Ports and IP Addresses section it indicates that the

Outbound public IP  

Used as the "from" IP for outbound connections that leave the virtual network. These
connections aren't routed down a VPN. Using a NAT gateway or other proxy for outbound
traffic from a Container App environment isn't supported. Outbound IPs aren't guaranteed
and may change over time.

The inbound IP for a ContainerApps Environment is fixed. Azure Container Instances (not ContainerApps) on the other hand seem to have documented capability to configure a static outbound IP via NAT Gateway.

Is there a way to configure a static outbound IP for Azure ContainerApps as well?

If not, which alternate deployment models for a long-running background service are recommended? The requirement is that an external service can count on a fixed outbound IP (or very small range, not the entire DataCenter IP ranges) for whitelisting.

** EDIT - It seems that NAT on VNet is not yet supported on ACA - https://github.com/microsoft/azure-container-apps/issues/522

pseabury

2 Answers

way to configure a static outbound IP for Azure ContainerApps as well?

No, we can't configure outbound public IP via container apps; that information is there in the official documentation itself.

Try this out: create an outbound application rule on the firewall using the command below.

az network firewall application-rule create 

It will create an outbound rule on the firewall. This rule allows access from the subnet to Azure Container Instances.

HTTP access to the site will be configured through the egress IP address from Azure Container Instances.

I have found one blog; refer to this.

Swarna Anipindi

As per the documentation you referenced:

Outbound public IP Used as the "from" IP for outbound connections that leave the virtual network. These connections aren't routed down a VPN. Outbound IPs aren't guaranteed and may change over time. Using a NAT gateway or other proxy for outbound traffic from a Container App environment is only supported on the workload profile environment.

So you need to attach a workload profile to your app with custom vNET configuration: https://learn.microsoft.com/en-us/azure/container-apps/workload-profiles-manage-cli?pivots=aca-vnet-custom&tabs=external-env

After that, I suppose you can launch your NAT Gateway in that vnet: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-nat-gateway#deploy-a-nat-gateway-into-a-virtual-network

So the steps would be:

Create vNET

az network vnet create \
  --address-prefixes 13.0.0.0/23 \
  --resource-group "<RESOURCE_GROUP>" \
  --location "<LOCATION>" \
  --name "<VNET_NAME>"

Create a subnet

az network vnet subnet create \
  --address-prefixes 13.0.0.0/23 \
  --delegations Microsoft.App/environments \
  --name "<SUBNET_NAME>" \
  --resource-group "<RESOURCE_GROUP>" \
  --vnet-name "<VNET_NAME>" \
  --query "id"

Create the container app environment:

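# <SUBNET_ID> is the "id" value printed by the subnet create step above
az containerapp env create \
  --enable-workload-profiles \
  --resource-group "<RESOURCE_GROUP>" \
  --name "<ENVIRONMENT_NAME>" \
  --location "<LOCATION>" \
  --infrastructure-subnet-resource-id "<SUBNET_ID>"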

Create the container app with the previous env

az containerapp create \
  --resource-group "<RESOURCE_GROUP>" \
  --name "<CONTAINER_APP_NAME>" \
  --target-port 80 \
  --ingress external \
  --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \
  --environment "<ENVIRONMENT_NAME>" \
  --workload-profile-name "Consumption"

Create a PublicIP

az network public-ip create \
  --name myPublicIP \
  --resource-group "<RESOURCE_GROUP>" \
  --sku standard \
  --zone 1 \
  --allocation static

Deploy a NAT with that IP

az network nat gateway create \
  --resource-group "<RESOURCE_GROUP>" \
  --name myNATgateway \
  --public-ip-addresses myPublicIP \
  --idle-timeout 10

Configure the NAT for the subnet

az network vnet subnet update \
  --resource-group "<RESOURCE_GROUP>" \
  --vnet-name "<VNET_NAME>" \
  --name "<SUBNET_NAME>" \
  --nat-gateway myNATgateway

I haven't tested all the steps, but this should be the gist of it.

Bob
  • The ACA team still have the issue triaged and open for work in their repo, so I don't think there is a supported resolution for this yet. https://github.com/microsoft/azure-container-apps/issues/611 – pseabury May 31 '23 at 13:05
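
Added example, not part of either answer or of Microsoft's documentation: before handing an IP to a third party for allowlisting, it is worth auditing the `az ... show -o json` output of the four resources to confirm that egress really is pinned to the static public IP. The JSON field names are assumed from the CLI's output shape, and every resource ID and IP address below is constructed sample data.

```python
# Added example: audit `az ... show -o json` output to confirm egress is pinned.
# All resource IDs and the IP below are constructed; JSON field names are assumed.
SUB = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network"
SUBNET_ID = SUB + "/virtualNetworks/vnet1/subnets/aca"
NAT_ID = SUB + "/natGateways/myNATgateway"
PIP_ID = SUB + "/publicIPAddresses/myPublicIP"

subnet = {"id": SUBNET_ID,
          "delegations": [{"serviceName": "Microsoft.App/environments"}],
          "natGateway": {"id": NAT_ID}}
nat = {"id": NAT_ID, "publicIpAddresses": [{"id": PIP_ID}]}
pip = {"id": PIP_ID, "ipAddress": "203.0.113.10",
       "publicIPAllocationMethod": "Static"}
env_ok = {"properties": {
    "vnetConfiguration": {"infrastructureSubnetId": SUBNET_ID},
    "workloadProfiles": [{"name": "Consumption"}]}}
# Environment created without a custom subnet: NAT on the subnet has no effect.
env_detached = {"properties": {"vnetConfiguration": None,
                               "workloadProfiles": [{"name": "Consumption"}]}}


def same(a, b):
    """Azure resource IDs compare case-insensitively."""
    return bool(a) and bool(b) and a.lower() == b.lower()


def audit_egress(env, subnet, nat, pip):
    """Return findings; an empty list means egress leaves via pip['ipAddress']."""
    props = env.get("properties") or {}
    vnet = props.get("vnetConfiguration") or {}
    findings = []
    if not same(vnet.get("infrastructureSubnetId"), subnet.get("id")):
        findings.append("environment is not in the NAT-attached subnet")
    if not props.get("workloadProfiles"):
        findings.append("environment has no workload profiles")
    services = [d.get("serviceName") for d in subnet.get("delegations") or []]
    if "Microsoft.App/environments" not in services:
        findings.append("subnet is not delegated to Microsoft.App/environments")
    if not same((subnet.get("natGateway") or {}).get("id"), nat.get("id")):
        findings.append("subnet is not associated with this NAT gateway")
    attached = [p.get("id", "").lower() for p in nat.get("publicIpAddresses") or []]
    if pip.get("id", "").lower() not in attached:
        findings.append("public IP is not attached to the NAT gateway")
    alloc = {k.lower(): v for k, v in pip.items()}.get("publicipallocationmethod")
    if str(alloc).lower() != "static":
        findings.append("public IP allocation is not static")
    return findings


if __name__ == "__main__":
    print(audit_egress(env_ok, subnet, nat, pip))
    print(audit_egress(env_detached, subnet, nat, pip))
```

A passing audit shows the configuration is wired together; an outbound request from the running container to an endpoint that echoes the caller's address is still the final confirmation.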