Accessing Azure Container Instances deployed within a Azure Virtual Network
How to access an Azure Container Instance deployed within a vNet, from a public endpoint.
Azure Container Instances are a great way to fire up container-based applications with minimal effort.
Recently we decided to use ACI as a means to reduce our reliance on Azure Virtual Machines.
Besides moving away from infrastructure services, we had the following requirements.
- The container instance needs to be accessible from services via an azure virtual network.
- For any public interface like an admin UI, we need to have SSL.
- We need to be able to limit access using IP filtering.
During my initial discovery and proof of concept phase, I discovered that Azure Container Instances deployed to a virtual network could not be accessed using a public IP address using purely native ACI.
The ACI documentation does, however, suggest that public access can be achieved with some additional components, namely, Azure Firewall or Application Gateway.
I explored these options further, and my thoughts were
- Azure Firewall
- Expensive (+- $1200/month)
- Azure Application Gateway
- Have had mixed reliability results with AG before
- Does not support platform managed SSL certificates
- Not user friendly
I also explored the idea of using an Azure Point-to-site VPN, but that created more friction for anyone needing to access the service.
If you’re not aware, Azure Function Apps natively support the ability to act as a proxy, but some other specifics about our solution made that inappropriate.
Our initial decision was to bite the bullet and go with the App gateway option, but be conscious that there is the additional responsibility to manage certificates.
Fortunately, later that evening, it dawned on me that we could use Microsoft YARP (Yet another reverse proxy) within an ASP.NET core application deployed to an Azure Web Application.
Using this solution, we can leverage the existing App Service functionality to meet our requirements above.
- App Service vNet integration
- Managed custom domain certificates
- App service IP restrictions
Honestly, this worked out great; I’m thrilled with how it all turned out.
Here’s how you can also implement this.
This solution example is deployed using the Azure CLI and is comprised of the following Azure resources.
- 1 x Azure Resource Group
- 1 x Virtual Network
- 2 x Subnets (You can’t mix resource types inside the subnet)
- 1 x subnet for ACI
- 1 x subnet for the Web App vNet integration
- 1 x Azure Container Instance App
- Deployed to the ACI subnet within the vNet
- Running the Microsoft
- 1 x App service plan - this needs to be at least the
S1sku to support vNet integration
- 1 x App service
- 1 x ASP.NET Core 6
- Implemented using the minimal API
- YARP installed and configured
- The custom app then deploys from my GitHub repo
To deploy this solution you will need to do the following steps
- Open Powershell
- Login with the Azure CLI
- Copy the script below
$ProxyWebAppName- this is the web app name and needs to be globally unique within Azure
- Execute the script
- The final CLI command will output the details for the proxy web application for you to use in a browser.