8

I am creating an Azure container instance to host an index for testing purposes. Currently I can only get it to work with IpAddressType set as Public, but of course this makes the index available to the world.

Is it possible to secure an Azure container instance with IP restrictions, preferably using PowerShell?

When I configure the container image with IpAddressType set as Private, I am unable to access the index.

Below is the command I am using to create the container instance:

    New-AzureRmContainerGroup -ResourceGroupName $resourceGroup `
                              -Name indexcontainer `
                              -Image $image `
                              -IpAddressType Public `
                              -Location $resourceGroupLocation `
                              -MemoryInGB 6 `
                              -Cpu 2 `
                              -Port 9200
Andy McWilliams

3 Answers

5

TODAY:

Not with Container Groups, if you open up a port on the container group, it is public to the world.

Container-Group is the little brother (mini version) of full-on AKS.

AKS, the big brother, gives you more control.

See : https://learn.microsoft.com/en-us/azure/aks/internal-lb


-IpAddressType Accepted values: Public

https://learn.microsoft.com/en-us/powershell/module/azurerm.containerinstance/new-azurermcontainergroup?view=azurermps-6.13.0

Note, the only value accepted in documentation is "Public"

However, they put the placeholder in for future arguments besides "Public"... so I think they see this as a gap in functionality...

granadaCoder
  • So I just read the other answer about Preview... that kinda lines up with what I say about the parameter that only takes one argument... that there is something else that will eventually be available. – granadaCoder Dec 12 '18 at 22:45
3

As mentioned in the above comment, you can expose them to VNET now (in Preview)

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet

Once connected to a VNET you can use Network Security Groups to only allow traffic from allowed IPs or networks. The route you are currently taking will not work.

micahmckittrick
  • I think you made a mistake; the NSG is unsupported in the VNet for container instances in the preview version. – Charles Xu Dec 06 '18 at 01:04
  • NSG wasn't supported when the preview was announced, but it is supported now (as of 12/09/18) – Anders Dec 10 '18 at 06:47
  • @Anders Which document shows that? I did not see it in the document. – Charles Xu Dec 10 '18 at 08:34
  • From the documentation page that was linked to: "Public IP or DNS label - Container groups deployed to a virtual network don't currently support exposing containers directly to the internet with a public IP address or a fully qualified domain name." Also: "Virtual network traffic routing - Custom routes cannot be set up around public IPs. Routes can be set up within the private IP space of the delegated subnet in which the ACI resources are deployed." – Yehuda Makarov Feb 19 '20 at 19:24
3

Seems like no, at least natively with Azure Container Instance.
There are two options to deploy Azure Container Instances:

  1. publicIP - you can't restrict access to this type of deployment.
  2. Custom VNet - you can apply restrictions with network security groups (NSG), but Azure Container Instances doesn't support exposing containers publicly in this case. See documentation:

Unsupported networking scenarios:
Public IP or DNS label - Container groups deployed to a virtual network don't currently support exposing containers directly to the internet with a public IP address or a fully qualified domain name

As an option, you can try to do the following (it supports restrictions for HTTP/HTTPS traffic only):

  1. Put the Application Gateway before the ACI deployed in custom VNet to expose containers publicly (you can find some examples, like this one)
  2. Add IP whitelisting restrictions to NSG in custom VNet for ACI.
Dmytro Kutetskyi
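As an added example (not code from either answer above), this is what the VNet-plus-NSG route described in the second and third answers looks like in PowerShell, using the Az module that replaced the AzureRm cmdlets in the question. The resource names, the 203.0.113.0/24 allowed range and the Az.ContainerInstance 2.x parameter names for the final cmdlet are assumptions to check against your module version.

```powershell
# Added example, not from the original answers. Assumed names and ranges.
# Goal: port 9200 reachable only from one allowed CIDR, by placing the
# container group in a subnet delegated to ACI and guarding it with an NSG.
$rg       = 'rg-index-test'
$location = 'westeurope'
$image    = 'myregistry.azurecr.io/index:latest'   # assumed image
$allowed  = '203.0.113.0/24'                        # assumed office/VPN range

# Allow TCP/9200 from the allowed range only; explicitly deny all other inbound.
$allowRule = New-AzNetworkSecurityRuleConfig -Name 'allow-index-from-office' `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix $allowed -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 9200
$denyRule = New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' `
    -Direction Inbound -Access Deny -Priority 4096 -Protocol * `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-aci-index' -SecurityRules $allowRule, $denyRule

# Subnet delegated to ACI (required for container groups) with the NSG attached.
$delegation = New-AzDelegation -Name 'aci' `
    -ServiceName 'Microsoft.ContainerInstance/containerGroups'
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-aci' `
    -AddressPrefix '10.10.1.0/24' -NetworkSecurityGroup $nsg -Delegation $delegation
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location `
    -Name 'vnet-index' -AddressPrefix '10.10.0.0/16' -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq 'snet-aci').Id

# Private container group inside that subnet (Az.ContainerInstance 2.x syntax,
# assumed). It gets a private IP only; the NSG decides who can reach 9200.
$port      = New-AzContainerInstancePortObject -Port 9200 -Protocol TCP
$container = New-AzContainerInstanceObject -Name 'index' -Image $image `
    -RequestCpu 2 -RequestMemoryInGb 6 -Port $port
New-AzContainerGroup -ResourceGroupName $rg -Name 'indexcontainer' `
    -Location $location -Container $container `
    -IpAddressType Private -SubnetId @{ Id = $subnetId }
```

Clients outside the VNet still need a route into it (VPN, peering, or the Application Gateway mentioned in the third answer), since the group has no public address.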