Open penfold opened 10 months ago
I have this need, currently using Azure Front Door premium with private link is out of budget.
Using service tags would be a great feature, I already use it with Azure App Services and it works very well, in Container Apps it will be great.
I also have this need. I do not wish to make a weekly job to update the ingress rules for every IP change. We use service tags for other products, and they work well.
I also have the same requirement.
FWIW I currently use a scheduled DevOps pipeline to:
The updates are done using 'az containerapp ingress update' https://learn.microsoft.com/en-us/cli/azure/containerapp/ingress?view=azure-cli-latest#az-containerapp-ingress-update
This is fine, but the updates are per CIDR and take 20 minutes per ACA for a full set of AFD CIDRs for uksouth (71 of them).
Anyone know a better way to update multiple ingress IPs?
@AndyRace You can use az rest to send a single PATCH request to the container app resource with the complete list of rules and the tags:
az rest -m PATCH -u '/subscriptions/****/resourceGroups/my-group/providers/Microsoft.App/containerapps/hello?api-version=2023-05-01' --body '{"properties": {"configuration": {"ingress": {"ipSecurityRestrictions": [{"name": "rule1", "ipAddressRange": "1.2.3.4/32", "action": "Allow"}, {"name": "rule2", "ipAddressRange": "1.2.3.5/32", "action": "Allow"}]}}}, "tags": {"testtag": "test"}}'
It might be easier if you write the body to a file and use the @ notation:
az rest -m PATCH -u '/subscriptions/****/resourceGroups/my-group/providers/Microsoft.App/containerapps/hello?api-version=2023-05-01' --body @body.json
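Building on the az rest approach above (and on the per-CIDR pipeline AndyRace describes), the following is an added example and not code from this thread or from the Container Apps project: a Python script that takes the AzureFrontDoor.Backend prefixes from the service tag discovery output, validates and collapses them, and writes the complete ipSecurityRestrictions list to body.json so that one PATCH replaces the whole rule set. The embedded service-tag document is constructed from RFC 5737 / RFC 3849 documentation ranges; the az network list-service-tags command, the resource URL shape and api-version 2023-05-01 come from the Azure CLI and the command above; the IPv4-only default, the afd-NNN rule names and the argument order of main() are my own assumptions.

```python
"""Generate the full ipSecurityRestrictions PATCH body for a Container App
from a service tag's address prefixes.

Added example for this thread, not code from the issue or the project.
main() assumes an authenticated Azure CLI; the sample document below is
constructed and only mirrors the fields this script reads.
"""
import ipaddress
import json
import subprocess
import sys

# Constructed sample shaped like `az network list-service-tags --location <loc>`
# output (only the fields used here). Documentation ranges, not real AFD IPs.
SAMPLE_SERVICE_TAGS = {
    "values": [
        {
            "name": "AzureFrontDoor.Backend",
            "properties": {
                "addressPrefixes": [
                    "192.0.2.0/25", "192.0.2.128/25",   # adjacent, collapse to a /24
                    "198.51.100.0/24", "198.51.100.0/24",  # duplicate
                    "203.0.113.0/24",
                    "2001:db8::/32",                      # IPv6, skipped by default
                    "not-a-cidr",                         # must not reach the API
                ]
            },
        },
        {"name": "AzureCloud.uksouth", "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
    ]
}


def address_prefixes_for(tag_doc, tag_name):
    """Return the addressPrefixes list of one service tag.

    Raises KeyError when the tag is absent: a typo in the tag name must fail
    loudly rather than produce an empty allow list.
    """
    for entry in tag_doc.get("values", []):
        if entry.get("name") == tag_name:
            return list(entry["properties"]["addressPrefixes"])
    raise KeyError(f"service tag {tag_name!r} not found in document")


def normalise_cidrs(prefixes, include_ipv6=False):
    """Parse, validate, de-duplicate and collapse prefixes.

    Unparsable strings are reported and dropped, overlapping or adjacent
    networks are merged so the rule count stays small. IPv6 is excluded
    unless asked for (assumption: the caller knows whether the ingress
    accepts IPv6 ranges; the thread does not say).
    """
    nets = []
    for prefix in prefixes:
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            print(f"skipping invalid prefix {prefix!r}", file=sys.stderr)
            continue
        if net.version == 6 and not include_ipv6:
            continue
        nets.append(net)
    # collapse_addresses requires a single address family per call.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def build_patch_body(cidrs, action="Allow", name_prefix="afd"):
    """Build the PATCH body. The list is the complete rule set: PATCHing
    ipSecurityRestrictions replaces whatever is there, and a Container Apps
    restriction list holds rules of one action, so one action covers all."""
    if action not in ("Allow", "Deny"):
        raise ValueError("action must be Allow or Deny")
    rules = [
        {"name": f"{name_prefix}-{i:03d}", "ipAddressRange": cidr, "action": action}
        for i, cidr in enumerate(cidrs, start=1)
    ]
    return {"properties": {"configuration": {"ingress": {"ipSecurityRestrictions": rules}}}}


def main(argv):
    """Usage: script.py <subscription-id> <resource-group> <app-name> <location>"""
    sub, group, app, location = argv[1:5]
    raw = subprocess.check_output(
        ["az", "network", "list-service-tags", "--location", location, "-o", "json"])
    cidrs = normalise_cidrs(address_prefixes_for(json.loads(raw), "AzureFrontDoor.Backend"))
    with open("body.json", "w", encoding="utf-8") as fh:
        json.dump(build_patch_body(cidrs), fh, indent=2)
    url = (f"/subscriptions/{sub}/resourceGroups/{group}/providers/Microsoft.App/"
           f"containerapps/{app}?api-version=2023-05-01")
    subprocess.check_call(["az", "rest", "-m", "PATCH", "-u", url, "--body", "@body.json"])


if __name__ == "__main__":
    main(sys.argv)
```

Because the PATCH replaces the entire list, any rule that was added by hand (an office range, a monitoring probe) has to be part of the generated set too, otherwise the next pipeline run silently removes it; the collapse step also means the rule names change when prefixes merge, so treat the names as generated rather than stable identifiers.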
@anthonychu just to let you know that that works a treat! My runtimes are down from hours to seconds and it significantly simplifies the script. I could also ditch regularly re-scheduling the pipeline to retry -- since they were being cancelled after 1h. Thanks!
Is this supported via YAML? I see tags in the JSON, are they supported now?
Is there a way we can do this inside Terraform?
Is your feature request related to a problem? Please describe.
I want to limit access to a Container App to only be via Frontdoor (Service Tag: AzureFrontDoor.Backend).
Describe the solution you'd like.
There are Service Tags to limit inbound access. Currently, only IP addresses can be specified.
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-
Describe alternatives you've considered.
Not aware of any. Private Service Links don't work with ACA. (Even the hack to link to the internal load balancer doesn't work with Workload profiles as it uses a different load balancer setup than Consumption Only.)
See: https://github.com/microsoft/azure-container-apps/issues/402
Additional context.
N/A