Is there any way to use the KV REST API and have a static outbound IP address?
I have a dockerised programme running in an Azure Container Instance (ACI). It's a standalone container – no cluster. I have 2 requirements that seem to be in conflict:
- Read and write to a Key Vault
- Make selects on a DB hosted on Google Cloud
Yes, I have part of the solution in Azure and part in Google. There's a genuine reason for this.
Read and write to a Key Vault
I've programmed in Ruby, so I'm using the REST API to access the KV. The first step of this is making a request to the Instance Metadata Service (IMS) to get an authorization token, on http://169.254.169.254/metadata/identity/oauth2/token. This worked great until I added an Azure Firewall.
Make requests to a DB hosted on Google Cloud
Google Cloud requires that I specify the external IP address making selects. ACI doesn't provide a static outbound IP address. The solution to get a static address seems to be an Azure Firewall.
Firewall problem – Application Rules
The firewall requires that I add one or more Application Rules to enable the programme to make outbound requests. These rules are qualified by a fully qualified domain name (FQDN), not an IP address. When I try to connect to the IMS, my connection times out with the following Ruby error details:
- Error class: Net::OpenTimeout
- Error message: Failed to open TCP connection to 169.254.169.254:80 (execution expired)
I have tried 169.254.169.254 as an FQDN. Same outcome.
There are 3 other destination types: FQDN Tag, Web Categories (for web content firewalls) and URL (premium accounts only). I don't think any of these would help me.
Thanks, Guy
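
The two-step flow the question describes (token from the metadata endpoint, then the Key Vault REST call), as an added Ruby example that is not the poster's code; it reports a TCP connect timeout on the token step separately from HTTP-level failures. The API versions, the `Metadata: true` header and the vault and secret names are assumptions not stated in the post, and `transport` is a hypothetical hook so the flow can be exercised without a network.

```ruby
require "net/http"
require "json"
require "uri"

# Step 1 request: ask the metadata endpoint for a token scoped to Key Vault.
def imds_token_request
  uri = URI("http://169.254.169.254/metadata/identity/oauth2/token")
  uri.query = URI.encode_www_form("api-version" => "2018-02-01", # assumed version
                                  "resource" => "https://vault.azure.net")
  req = Net::HTTP::Get.new(uri)
  req["Metadata"] = "true" # assumed: header the identity endpoint expects
  [uri, req]
end

# Step 2 request: read one secret, presenting the token as a bearer credential.
def secret_request(vault, name, token)
  uri = URI("https://#{vault}.vault.azure.net/secrets/#{name}?api-version=7.4")
  req = Net::HTTP::Get.new(uri)
  req["Authorization"] = "Bearer #{token}"
  [uri, req]
end

# Real transport; short timeouts so an unreachable endpoint fails fast.
def send_request(uri, req, timeout = 5)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https",
                  open_timeout: timeout, read_timeout: timeout) { |http| http.request(req) }
end

# Runs both steps and keeps network-path failures distinct from HTTP errors.
def read_secret(vault, name, transport: method(:send_request))
  uri, req = imds_token_request
  begin
    res = transport.call(uri, req)
  rescue Net::OpenTimeout => e
    raise "token endpoint unreachable at TCP level (#{e.message}): a network path " \
          "failure, not an identity or Key Vault permission error"
  end
  raise "token request failed: HTTP #{res.code}" unless res.code == "200"
  token = JSON.parse(res.body).fetch("access_token")
  res = transport.call(*secret_request(vault, name, token))
  raise "Key Vault request failed: HTTP #{res.code}" unless res.code == "200"
  JSON.parse(res.body).fetch("value")
end
```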