Azure-Samples / java-microservices-aca-lab

Spring Petclinic Microservices with AI on Azure Container Apps
https://aka.ms/aca-lab
MIT License

Refine Lab 7 & Lab 8 #114

Open sonwan2020 opened 3 weeks ago

sonwan2020 commented 3 weeks ago

Currently, Lab 7 cannot run separately.

In Lab 7, section "4. Internal ACA", when creating the service connections between the apps and the MySQL database, the following error is prompted:

"message": "Execution failed. Attempt to get outboundIps: Failed to get IPs of source resource to set firewall rules, /subscriptions/6c933f90-8115-4392-90f2-7077c9fa5dbd/resourceGroups/rg-sonwan-vnet/providers/Microsoft.App/containerapps/customers-service.. Resource has internal VNet Configuration in environment."

At this moment, the connection between the container apps and the MySQL DB uses a public IP, but the container app does not have an outbound IP list.

Even when MySQL allows public IP addresses and the range 0.0.0.0 - 255.255.255.255 is allowed, this error persists.

Lab 7 & Lab 8 focus on security:
Lab 7: Protect endpoints using Web Application Firewall
Lab 8: Secure MySQL database and Key Vault using a Private Endpoint

For the above issues, we should use a private endpoint together with the "vnet internal" scenario.

Or we import the private endpoint for the database in a single lab:
For Lab 7: Secure MySQL database using private endpoint -- build a VNet-internal container apps environment, and use a private endpoint for the database.
For Lab 8: Protect endpoints using Web Application Firewall -- in this lab we import KV for WAF and custom domain, and we use a private endpoint for KV.

sonwan2020 commented 3 weeks ago

For container apps in a VNet, there is no outbound IP property on the app, so there is no direct way to tell what the outbound IP is.

Internally:
For legion apps, the outbound IP list is the list of legion (a long list).
For non-legion apps, the outbound IP list is the AKS outbound IP list.

More ref:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

sonwan2020 commented 3 weeks ago

For external components,

allxiao commented 3 weeks ago

As discussed offline, this is more likely to be a Service Connector command issue in the ACA VNet environment, which needs to be fixed.

Let's not rush into heavy refactoring of Lab 7 and Lab 8, as this will require too much implementation effort from our team and too much communication burden with external teams.