Azure / aca-landing-zone-accelerator

The Azure Container Apps landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure Container Apps at scale.
https://aka.ms/aca-lza
MIT License

Front Door with Private Link #114

Closed nad-au closed 10 months ago

nad-au commented 1 year ago

I'm trying to update the scenario to use Front Door in place of Application Gateway but having problems with the Front Door module. I've had to fix some of the Terraform scripts, for example, in https://github.com/Azure/aca-landing-zone-accelerator/blob/main/scenarios/aca-internal/terraform/modules/06-front-door/local.tf

```hcl
# As currently in local.tf: split() arguments are reversed and the index points at the region label
containerAppsDefaultDomainArray   = split(var.containerAppsDefaultDomainName, ".")
containerAppsNameIdentifier       = local.containerAppsDefaultDomainArray[index(local.containerAppsDefaultDomainArray, var.location)]
```

should be:

```hcl
# Corrected: separator first, then the string; the name identifier is the label just before the region
containerAppsDefaultDomainArray   = split(".", var.containerAppsDefaultDomainName)
containerAppsNameIdentifier       = local.containerAppsDefaultDomainArray[index(local.containerAppsDefaultDomainArray, var.location)-1]
```

which makes me wonder if this module has been tested?

Anyway after fixing some of the scripts I'm having problems when creating the Private Link Service. Here's the Terraform output:

```text
╷
│ Error: creating Private Link Service: (Name "pls-fd-sbox-lz-01" / Resource Group "rg-sbox-spoke-lz-01"): network.PrivateLinkServicesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateLinkServiceCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled" Message="Private link service /subscriptions/***/resourceGroups/rg-sbox-spoke-lz-01/providers/Microsoft.Network/privateLinkServices/pls-fd-sbox-lz-01 cannot be created in a subnet /subscriptions/***/resourceGroups/rg-sbox-spoke-lz-01/providers/Microsoft.Network/virtualNetworks/vnet-sbox-spoke-01/subnets/snet-infra since it has private link service network policies enabled." Details=[]
│ 
│   with module.frontDoor.module.frontDoor.azurerm_private_link_service.privateLinkService,
│   on modules/frontdoor/main.tf line 6, in resource "azurerm_private_link_service" "privateLinkService":
│    6: resource "azurerm_private_link_service" "privateLinkService" ***
│ 
╵
```

I've looked around and I've found no complete solution for creating private ACA with Front Door through Private Link. The closest is https://github.com/microsoft/azure-container-apps/wiki/Create-a-private-ACA-environment-with-Azure-Front-Door

Do you have any guidance on this? Would love to get this working and happy to raise a PR for the fixes.
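The 400 error quoted above is Azure refusing to place a Private Link Service in a subnet that still enforces private link service network policies. The following is an added example, not code from this repository, showing the subnet definition that clears that particular error with the azurerm provider (subnet name and address prefix are assumed; resource group and VNet names are taken from the error message). It only removes that one blocker: as thotheod notes further down the thread, the ACA workload-profile load balancer is IP-based and still cannot back a Private Link Service.

```hcl
# Added example (not from the accelerator): dedicated subnet for the
# Private Link Service. Azure rejects a PLS in a subnet that enforces
# private link service network policies, so they are disabled here and
# nowhere else. Keep this subnet small and leave every other subnet
# (including snet-infra) with policies enabled so NSG rules still apply.
resource "azurerm_subnet" "pls" {
  name                 = "snet-pls"            # assumed name
  resource_group_name  = "rg-sbox-spoke-lz-01" # from the error output
  virtual_network_name = "vnet-sbox-spoke-01"  # from the error output
  address_prefixes     = ["10.0.10.0/27"]      # assumed CIDR

  # The setting the error message is about. Default is true; the PLS
  # NAT IP must live in a subnet where this is false.
  private_link_service_network_policies_enabled = false
}
```

After `terraform plan`, the `azurerm_private_link_service` resource's `nat_ip_configuration.subnet_id` must point at this subnet rather than at `snet-infra` for the error to go away.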

nad-au commented 1 year ago

Just noticed https://github.com/microsoft/azure-container-apps/issues/867 and wondering if it's worth continuing with Front Door if Private Link is unsupported with workload profiles. Are there any other options for Front Door?

wsloth commented 11 months ago

I'm struggling with the same thing: private linking to front door does not seem possible because the load balancer produced by Azure Container Apps is an IP-based load balancer (called capp-svc-lb) which is not supported by the Private Link Service. I've also added the same information on this issue: https://github.com/microsoft/azure-container-apps/issues/867

thotheod commented 10 months ago

Hi all, you are correct. The current implementation of ACA with workload profiles uses a load balancer with an IP-based backend pool, which can't function as a Private Link service. So for the time being AFD is not a supported scenario. PG has flagged the related issue in the ACA repo as in progress/roadmap (https://github.com/orgs/microsoft/projects/540/views/1?query=is%3Aopen+sort%3Aupdated-desc&pane=issue&itemId=35488023).