microsoftfeedback / aci-issues

Issue reporting and tracking for the Azure Container Instances service
Creative Commons Attribution 4.0 International

Attaching an ACI to existing vNet #2

Closed georgeslegros closed 6 years ago

georgeslegros commented 7 years ago

Hi there,

Is there a way to start an ACI and tell it to have a private IP from a specific range in an existing vNet?

Thanks,

seanmck commented 7 years ago

Not yet, but this is planned.

georgeslegros commented 7 years ago

Thanks for the reply. Any ETA already?

seanmck commented 7 years ago

End of this year is the goal, but no concrete date yet.

seanmck commented 7 years ago

We are getting closer to having this available and want to make sure that we're going to cover the scenarios that you're looking at. Can you provide a brief description of how you would use an ACI container in a vnet? In particular, what other types of resources would the container be talking to and what types of restrictions would you need to place on it via network security groups?

georgeslegros commented 6 years ago

Very good to hear.

Basically the scenarios are to host an internal web app (more like an API) that can only be used by our backend applications that are running in a vNet. That could also be to start a container that would need to have access to our backend applications that are only accessible from within the vNet (as opposed to public internet).

In other words we have

[Client (JS)] - [FrontEnd] - [API] - ## - [Backend services] - [Database and other internal stuff]

Anything on the right of the ## is NOT accessible from public internet and is therefore protected.

EDIT: ACI would sit at the right end of the schema along with other stuff

seanmck commented 6 years ago

Thanks @georgeslegros. One follow-up: are all of the things on the right that you want your ACI containers to be able to reach running in IaaS VMs today?

georgeslegros commented 6 years ago

Hi @seanmck, thanks for following up. The database is SQL Azure but ACI will not connect to it. Other things are either in VMs or VM Scale Sets (in case it makes a difference).

To be a bit more precise about the use case: we have to run calculations on data. Our backend will prepare the data in a form that the app on ACI will be able to understand and will send the "job" to the ACI container. Once the job is finished, the result is returned. In other words, it is a "calculation as a service" system.

georgeslegros commented 6 years ago

Hey @seanmck,

Any updates on this?

Thanks,

jluk commented 6 years ago

Hey @georgeslegros - Sean is currently on paternity leave but I can help out here. There was a sizeable delay in this functionality but it is back on track for the summer timeframe of this year. Apologies for the change in time line, but I read through your scenario and it looks like we will capture it. (private connection between ACI and other VMs in the same VNET)

Are there any other nuanced or workload scenarios you need ACI in a VNET for?

dcieslak19973 commented 6 years ago

We have an Express Route and a restriction from our InfoSec team against exposing anything on the Public Internet. Once VNETs are supported in ACI, I can begin to use it to run services and workloads in a network address space that can access on-prem resources and be accessed by on-prem resources via Express Route and NOT exposing anything to the Internet.

jluk commented 6 years ago

Makes sense, we have other folks with this same ExpressRoute requirement so we should hopefully have you unblocked when this feature lands. In general the experience would be that you define a network profile for your containers, this contains the details of the VNET you want it to join. That network profile would define a subnet that is dedicated to Azure Container Instances which can route to other subnets within your private VNET. When you deploy ACI you simply pass the reference to the network profile you want the deployment to live within.

dcieslak19973 commented 6 years ago

That seems reasonable.

What happens in the event that the VNET has no more available IP addresses? Would the container stay in a pending state until one became available?

jluk commented 6 years ago

The deployment would fail with an allocation error reporting the issue, basically the deployment expects to find an IP successfully and wouldn't succeed without one.

msivers commented 6 years ago

Any news on this feature? @georgeslegros @jluk

jluk commented 6 years ago

In-flight, stay tuned for news in the near future! If you have a desire to participate in a private preview, email me your workload scenario and networking requirements at juluk [at] microsoft.com - otherwise sit tight, we're working hard.

sachinkshetty commented 6 years ago

Any update on the above feature?

jluk commented 6 years ago

@sachinkshetty we're still in-flight, the offer for a private preview access is still available via email to me. Otherwise sit tight, we have some exciting announcements in the near future! Thanks for your patience!

sdktr commented 6 years ago

hi @jluk, is the CNI announcement from today a pointer that we can expect this anytime soon?

seanmck commented 6 years ago

@sdktr This is in public preview now. Check out https://docs.microsoft.com/en-us/azure/container-instances/container-instances-vnet

seanmck commented 6 years ago

With the launch of the preview today, I'm going to mark this issue closed. Thanks all for your patience and feel free to open new issues for specific problems you might have with the functionality.

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-vnet

TripleEmcoder commented 5 years ago

Is there a different issue tracking Windows container support?