Is there built-in support for enabling SSL on Azure Container Instances? If not, can we hook up to SSL providers like Let's Encrypt?
3 Answers
There is nothing built-in today. You need to load the certs into the container and terminate SSL there. Soon, we will enable support for ACI containers to join an Azure virtual network, at which point you could front your containers with Azure Application Gateway and terminate SSL there.

- Any timeline on this? I assume we'll also be able to restrict access to public ip addresses from outside the virtual network once this is available? – Starchand Apr 17 '18 at 10:14
- We're bringing in custom VNET support this fall 2018. This will enable setting up an app gateway to terminate SSL as Sean mentions; you will also be able to restrict communication from outside the VNET as the ACI resources will be able to be assigned to a delegated subnet. – jluk Aug 01 '18 at 21:52
- We also have a great sidecar tutorial here that shows how to set up SSL termination with a multi-container group supported by Linux on ACI today. https://medium.com/@samkreter/adding-ssl-tls-to-azure-container-instances-1e608a8f321c – jluk Aug 01 '18 at 21:53
- @jluk how can I use your tutorial to manage multiple apps (in different ports) with one nginx instance? – nicolasl Nov 05 '18 at 17:36
- Hi, I see now there is a support to add ACI container in Virtual Network. When we add ACI container in Virtual Network then it will have private IP Address and not FQDN. That means Azure Application Gateway needs to be configured to use static IP address of ACI instance. I have a doubt if my ACI Instance IP address will get changed when ACI Instance is restarted due to some reason. That will break the frontend. – RonakThakkar May 28 '19 at 06:38
- What about Windows containers? side loading is not possible and joining a virtual network is also not possible. – rfcdejong Jul 17 '20 at 14:44
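The sidecar approach discussed in the answer and comments above, written out as an ACI YAML deployment. This is an added example, not taken from any poster or from the linked tutorial; the group name, container names, nginx image tag, API version and resource sizes are assumptions, and values in `<...>` are placeholders. It assumes an `nginx.conf` that listens on 443 with `ssl_certificate /etc/nginx/ssl.crt`, `ssl_certificate_key /etc/nginx/ssl.key` and `proxy_pass http://localhost:80`.

```yaml
# Added example: Linux container group with an nginx TLS-terminating sidecar.
# Assumed names and versions throughout; <...> values are placeholders.
apiVersion: '2019-12-01'
location: <region>
name: app-with-tls                 # hypothetical group name
type: Microsoft.ContainerInstance/containerGroups
properties:
  osType: Linux                    # multi-container groups are Linux-only
  containers:
  - name: nginx-tls                # sidecar: terminates TLS on 443
    properties:
      image: nginx:stable-alpine   # assumed tag; pin a digest in production
      ports:
      - port: 443
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
      - name: nginx-config
        # The mount replaces the whole directory, so nginx.conf must be
        # self-contained (no include of files shipped in the image).
        mountPath: /etc/nginx
  - name: app                      # application container, plain HTTP only
    properties:
      image: <your-app-image>
      ports:
      - port: 80
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
  volumes:
  - name: nginx-config
    secret:                        # each value is the base64-encoded file content
      nginx.conf: <base64 of nginx.conf>
      ssl.crt: <base64 of certificate chain>
      ssl.key: <base64 of private key>
  ipAddress:
    type: Public
    ports:
    - port: 443                    # only 443 is published; port 80 is reachable
      protocol: TCP                # only from inside the group via localhost
```

Deploy with `az container create --resource-group <resource-group> --file <file>.yaml`. The certificate and key are fixed at deployment time, so renewing them means redeploying the group with new secret values.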
As said above, no support today for built-in SSL when using ACI. I'm using Azure Application Gateway to publish my container endpoint using the HTTP-to-HTTPS bridge. This way, App Gateway needs a regular HTTPS cert (and you can use whichever model works best for you as long as you can introduce a .PFX file during provisioning or later during configuration) and it will then use HTTP to talk to your (internally facing) ACI-based container. This approach becomes more secure if you bind your ACI-based container to a VNET and restrict traffic from elsewhere.
To use SSL within the ACI-container you'd need to introduce your certification while provisioning the container, and then somehow automate certificate expiration and renewal. As this is not supported in a reasonable way, I chose to use the App Gateway to resolve this. You could also use API Management but that is obviously slightly more expensive and introduces a lot more moving parts.
I blogged about this configuration here and the repo with provisioning scripts is here.

- Hi Jussi, are you saying that you can pair Application Gateway (including SSL cert) with an internally-facing ACI-based container _without_ using a VNET? I'm trying to introduce SSL to an ACI-based Windows container, but a number of key features like container group deployment into a virtual network are not yet supported for Windows containers. – w5m Jul 28 '22 at 15:15
You can add SSL support at the API Gateway and simply configure the underlying API over HTTP.
You will need the secret key to execute above api method!
You can access the underlying API hosted at the Azure Container Instance. This method does not require jwt token as this is a demo api.

- The first link in this answer is no longer working (there is an issue with the Azure subscription). Plus, I'm not sure this actually answered the question of "how" you would do any of this. – Martin Peck Jun 29 '18 at 08:50