microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Feature Request: Binding to Static (reserved) Public IP Address #611

Open paul-datatech911 opened 1 year ago

paul-datatech911 commented 1 year ago

Currently, ACA is ingress-reachable via DNS and a static IP via the Container Apps Environment (ACE), but the outbound IP is dynamic.

Describe the solution you'd like.
ACA is supposed to be Containers as a Service for deploying APIs, microservices, and background tasks, but often this involves interacting with other external services which require whitelisting. As the top of the Containers abstraction food chain, ACA should be able to easily assign a purchased static IP address to an ACE so that any containers therein can egress on a known IP while still having the Ingress functionality intact.

I would simply like to assign a purchased static IP to the ACE egress IP while keeping ingress capability.

Describe alternatives you've considered.
I tried to accomplish via Azure Container Instances (ACI) + VNet & NAT Gateway, but this is expensive and does not preserve ingress connectivity in the same way. See the limitations listed here https://learn.microsoft.com/en-us/azure/container-instances/container-instances-virtual-network-concepts#other-limitations

AKS is another alternative but seems far too heavyweight for the task. There are a limited number of compute models that can deploy background-task-type services (ACA/ACI/AKS/VM/Webjobs?/Legacy CloudService?), and containers seem to be the way forward, but they should be able to achieve basic networking features.

Is there a way to get a range of outbound IPs from ARM or other? Similar to AppService - https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#find-outbound-ips

ijn-kruso commented 1 year ago

I just want to comment and say we're experiencing the exact same issue. We have a few container apps in our container app environment that need to be whitelisted by external services.

The current best way to achieve this seems to be with custom vnet + nat gateway, but like you mentioned, it's expensive, and honestly doesn't seem like a good solution.

paul-datatech911 commented 1 year ago

@ijn-kruso - Per the docs, NAT gateway is not yet supported for ACA, only ACI & probably AKS - but those come with their own problems & limitations.

Tapanila commented 1 year ago

Would be great to have NAT Gateway support for outbound traffic. The case I have would be that an ACA which is publicly accessible would then make calls to an external API which only allows connections from whitelisted IP addresses. We would like to use our existing NAT gateway which is used by our existing services. This would allow us to gradually move our logic into ACA.

paul-datatech911 commented 1 year ago

@Tapanila - Once NAT gateway is supported, do you know if it's possible to keep inbound DNS binding AND bind outbound traffic to gateway IP?

Tapanila commented 1 year ago

@paul-datatech911 that's how it works on Azure App Service. Virtual Network NAT gateway integration on App Service.

That's the way I would like ACA to also work.

paul-datatech911 commented 1 year ago

> @paul-datatech911 that's how it works on Azure App Service. Virtual Network NAT gateway integration on App Service.
>
> That's the way I would like ACA to also work.

@Tapanila good to know. ACI does not work that way with NAT gateway according to the docs. https://learn.microsoft.com/en-us/azure/container-instances/container-instances-virtual-network-concepts#unsupported-networking-scenarios

salluvada commented 1 year ago

@paul-datatech911 With regards to your statement "Currently ACA are ingress reachable via DNS and Static IP via the ContainerApps Environment (ACE)", Can you please point me to documentation on how that can be done. We are trying to achieve the same, to use a pre-existing static IP address for an instance of Azure Container Apps (ACA).

paul-datatech911 commented 1 year ago

@salluvada - I don't know that you can assign one of your owned static IPs to the ACE, but they do get static ingress IPs. The ACAs in the ACE also get DNS-reachable host names.


andresdrb commented 1 year ago

You can actually add a Nat gateway to the subnet where you have your container apps, but the communication with the cluster breaks for some reason (but the code in the app keeps working for a while though)

Gkopf commented 1 year ago

We are planning on putting our ACAE behind an App Gateway. It would be great if we could route outbound traffic through the public/static IP of the App Gateway.

frederic-saunier commented 1 year ago

We also are waiting for this issue to be solved to place several Container App behind a Nat Gateway. Our tests to activate one all proved what has been said previously. This made the ACA unreachable and even the Azure Portal interface for ACA unusable (page for ACA appears blank after Nat Gateway activation).

paul-datatech911 commented 5 months ago

@SophCarp / @cachai2 - has this yet been addressed in any kind of way? Any new features/workarounds/suggestions?

We would simply like to bind a public static IP for outbound to either the automatically created Environment, or be able to specify one when creating an Environment - even for consumption ACA.

paul-datatech911 commented 5 months ago

Since the docs indicate that the Workload Env Profile supports egress through NAT gateway, I created a new NAT gateway with a fixed egress public IP and my own VNet, and deployed a simple ACA to the environment that sends outbound messages. My testing shows that the messages are in fact bound to the fixed IP...

Can one of you please confirm that this is a supported scenario and the docs linked above are correct @SophCarp or @cachai2 ?
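The setup described in the preceding comment (a workload profiles environment on a customer VNet whose infrastructure subnet is bound to a NAT gateway with a static public IP, while the environment keeps public ingress) written out as an added Bicep example. This is not code from the issue, the azure-container-apps project or Microsoft; the resource names, address prefixes, API versions and the probe image are assumptions. It deliberately uses a workload profiles environment, as that comment does, since earlier comments in this thread report that attaching a NAT gateway to the subnet of a consumption-only environment broke connectivity to the environment.

```bicep
// Added example; not from the issue or the Azure Container Apps project.
// Assumptions: resource names, address prefixes, API versions, probe image.
param location string = resourceGroup().location
param envName string = 'cae-static-egress'

// Static public IP that every container in the environment will egress from.
// This is the address to hand to external services for their allowlist.
resource egressIp 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-aca-egress'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// NAT gateway that SNATs outbound traffic from the subnet to egressIp.
resource natGw 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'nat-aca'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpAddresses: [ { id: egressIp.id } ]
    idleTimeoutInMinutes: 4
  }
}

// Customer VNet. The infrastructure subnet is delegated to Container Apps
// (required for workload profiles environments) and bound to the NAT gateway.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-aca'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-aca-infra'
        properties: {
          addressPrefix: '10.10.0.0/23'
          natGateway: { id: natGw.id }
          delegations: [
            { name: 'aca', properties: { serviceName: 'Microsoft.App/environments' } }
          ]
        }
      }
    ]
  }
}

// Workload profiles environment on that subnet. Ingress stays public
// (internal: false), so the inbound DNS name and static ingress IP are
// unaffected by the NAT gateway on the egress path.
resource env 'Microsoft.App/managedEnvironments@2023-05-01' = {
  name: envName
  location: location
  properties: {
    vnetConfiguration: {
      infrastructureSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-aca-infra')
      internal: false
    }
    workloadProfiles: [
      { name: 'Consumption', workloadProfileType: 'Consumption' }
    ]
  }
}

// Small app with external ingress, used to confirm both directions work.
resource probe 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'egress-probe'
  location: location
  properties: {
    managedEnvironmentId: env.id
    workloadProfileName: 'Consumption'
    configuration: {
      ingress: { external: true, targetPort: 80 }
    }
    template: {
      containers: [
        {
          name: 'probe'
          image: 'mcr.microsoft.com/k8se/quickstart:latest' // assumed public sample image listening on 80
          resources: { cpu: json('0.25'), memory: '0.5Gi' }
        }
      ]
      scale: { minReplicas: 1, maxReplicas: 1 }
    }
  }
}

// What to allowlist externally, and the ingress side that must keep working.
output egressPublicIp string = egressIp.properties.ipAddress
output ingressStaticIp string = env.properties.staticIp
output probeFqdn string = probe.properties.configuration.ingress.fqdn
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`, then check both directions: the `probeFqdn` output must answer over HTTPS (ingress intact), and a request from a shell inside the running container (`az containerapp exec`) to any IP-echo service must report `egressPublicIp`, not an address from the environment's dynamic outbound range. Treat the template as something to verify against the current Container Apps networking docs rather than as confirmation of support; that confirmation is exactly what the comment above asks Microsoft for.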