Azure container Instance in a Vnet doesn't support static IP or DNS name

Md Farman Khan 36 Reputation points
2020-12-16T14:09:59.507+00:00

Hi,

I am deploying containers in ACI group in a private V-Net and the main problem which I am facing is that this doesn't support a DNS name label and also I can't set a static IP to it. As the IP is not static and there is no DNS name label, when we stop the containers then there is no guarantee that the private IP will remain the same when we start it again.

The ACI group IP is required to access the apps running in the containers through an API endpoint, and on every IP change we have to change the IP everywhere again, which is not feasible.

Another disadvantage is that, as we can't set a pre-defined IP address for ACI the IP address will only be known after the ACI is started in Azure. This way we can't provide the ACI IP/URI as our environment variable in ACI YAML script which is required in our app to send the app API URI to other apps.

The above problems will be resolved if we deploy ACI publicly, but as this method has no restriction and no NSG support, we can in no way afford to expose our Application APIs on the open internet.

Please suggest how to tackle this issue of absence of static IP or DNS name label in an ACI in private V-Net.

Thank You.


6 answers

  1. Adam Day 6 Reputation points
    2021-04-13T19:20:02.173+00:00

    The best solution we could come up with for this issue was to create a Private DNS zone, give the container's service principal or identity Private DNS Zone Contributor access, and run the following as part of the entrypoint script for the container:

    az network private-dns record-set a update --name <name> -g <resource-group> -z <zone-name> --set aRecords[0].ipv4Address=$(hostname -i)
    

    I'd imagine a similar solution will work using other APIs or with public DNS Zones.

    This is the only way that currently seems to handle the rotation of the IPs on container startup.

    Note, I'd really like to see similar functionality built into the Container Instance offering to make them more functional out of the box.

    1 person found this answer helpful.

  2. KarishmaTiwari-MSFT 20,212 Reputation points Microsoft Employee
    2020-12-23T01:35:39.43+00:00

    This can be achieved by registering the IP address of your ACI container in your DNS. Please try that and let me know if you have any questions.


  3. Clark Bolton 1 Reputation point
    2022-02-24T18:07:56.803+00:00

    YAML file to accomplish this:

    location: centralus
    name: dns-zone-test-a
    properties:
      initContainers:
      - name: inita
        properties:
          image: mcr.microsoft.com/azure-cli:latest
          # redirection of output to a file for these commands is optional...a nice to have to confirm what's working
          command: ['/bin/sh', '-c', 'az login --service-principal -u $SP_APPID -p $SP_PASSWORD --tenant $SP_TENANT > /scripts/outsp_a.txt;
            az container show -n $ACI_NAME -g $RG --query ''ipAddress.ip'' -o tsv > /scripts/swac_a.txt;
            my_private_ip=$(az container show -n $ACI_NAME -g $RG --query ''ipAddress.ip'' -o tsv);
            az network private-dns record-set a create -n $HOSTNAME -z $DNS_ZONE_NAME -g $RG > /scripts/crzone_a.txt;
            az network private-dns record-set a add-record --record-set-name $HOSTNAME -z $DNS_ZONE_NAME -g $RG -a $my_private_ip > /scripts/addzone_a.txt;']
          environmentVariables:
          - name: RG
            value: myResourceGroup
          - name: SP_APPID # service principal with the permissions to update private DNS zone
            value: 5xxxxxxxxxxxxxx
          - name: SP_PASSWORD # service principal password
            secureValue: byyyyyyyyyyyyyyy
          - name: SP_TENANT
            value: bzzzzzzzzzzzzzzzzzz
          - name: DNS_ZONE_NAME
            value: dns-zone-mine.com
          - name: HOSTNAME
            value: dns-zone-test-a
          - name: ACI_NAME
            value: dns-zone-test-a
          volumeMounts: # needed only if redirecting the output from the commands above to a file
          - name: initscript
            mountPath: /scripts/
      containers: # any docker container you want
      - name: cab-a
        properties:
          image: MyRegistry.azurecr.io/contest1:latest
          ports:
          - port: 80
            protocol: TCP
          resources:
            requests:
              cpu: 1.0
              memoryInGB: 1.5
      imageRegistryCredentials: # Credentials to pull a private image
      - server: MyRegistry.azurecr.io
        username: MyUserRegistry
        password: 5xxxxxxxxxxxxx
      volumes: # only needed if redirecting the output from the commands above to a file
      - name: initscript
        azureFile:
          readOnly: false
          shareName: initscript
          storageAccountName: myStorage
          storageAccountKey: zzzzzzzzzzzzzzzzzzzzzzzzzzz
      ipAddress:
        ports:
        - port: 80
          protocol: TCP
        type: private
      osType: Linux
      subnetIds:
      - id: /subscriptions/xxxxyyyyyzzzzz/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVNet/subnets/MyTestSubnet
        name: default
      dnsConfig: # DNS configuration for container group: likely not needed for this test, and may interfere with private DNS zone usage
        nameServers:
        - 192.168.1.44
    tags: null
    type: Microsoft.ContainerInstance/containerGroups
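An entrypoint wrapper that generalizes the two approaches above (the record update in Adam Day's answer and the init-container script in Clark Bolton's YAML): it validates the address from hostname -i, creates the A record if it is missing, replaces a stale address instead of appending a second one (so an IP that has since been handed to another container group does not linger in DNS), and then execs the real application. This is an added example, not code from the thread; it assumes the az CLI is in the image and already logged in (for example with the container group's managed identity via az login --identity), and that RG, DNS_ZONE_NAME and HOSTNAME_LABEL (assumed variable names) are set on the container group.

```shell
#!/bin/sh
# Added example (not from the thread): put this container's private IP into a Private
# DNS zone A record, then exec the real application command. Assumes az CLI present and
# logged in (e.g. `az login --identity`); RG, DNS_ZONE_NAME and HOSTNAME_LABEL are
# assumed environment variable names set on the container group.
set -eu

# First IPv4 address the OS reports for this container.
container_ip() {
    hostname -i | awk '{print $1}'
}

# Accept only a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# IP currently in the zone's A record for $1; empty when the record set does not exist.
current_record_ip() {
    az network private-dns record-set a show -n "$1" -z "$DNS_ZONE_NAME" -g "$RG" \
        --query 'aRecords[0].ipv4Address' -o tsv 2>/dev/null || true
}

# Make the A record for $1 resolve to exactly $2: create it if missing, replace
# (not append) a different address, and leave it alone if already correct.
# Low TTL so clients notice a new IP soon after a restart.
upsert_a_record() {
    name="$1"; ip="$2"
    old=$(current_record_ip "$name")
    if [ -z "$old" ]; then
        az network private-dns record-set a create -n "$name" -z "$DNS_ZONE_NAME" -g "$RG" --ttl 30 >/dev/null
        az network private-dns record-set a add-record --record-set-name "$name" \
            -z "$DNS_ZONE_NAME" -g "$RG" -a "$ip" >/dev/null
    elif [ "$old" != "$ip" ]; then
        # The stale address may by now belong to another container group in the subnet.
        az network private-dns record-set a update -n "$name" -z "$DNS_ZONE_NAME" -g "$RG" \
            --set "aRecords[0].ipv4Address=$ip" >/dev/null
    fi
}

main() {
    ip=$(container_ip)
    is_ipv4 "$ip" || { echo "entrypoint: unusable address '$ip'" >&2; exit 1; }
    upsert_a_record "$HOSTNAME_LABEL" "$ip"
    exec "$@"
}
# Only runs when invoked with the application command, e.g. ./entrypoint.sh /app/server
if [ "$#" -gt 0 ]; then main "$@"; fi
```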


  4. Sl76 1 Reputation point
    2022-04-01T21:50:47.37+00:00

    Another workable solution is using a function app:

    1. Create a http trigger.
    2. Create a PowerShell script to query your ACI's current private IP address and update your private zone record.
    3. You will need the Az.ContainerInstance and Az.PrivateDns modules as requirements.
    4. Get your function URL (Trigger).
    5. You will need curl or wget or similar on the container to be able to call the URL from the container.
    6. Now you have two choices: you can use an init container as detailed above, or what I did is I modified the docker-entrypoint.sh and popped the http trigger URL in there.
    7. Every time the ACI reboots the trigger will fire and update the IP.
    8. A managed identity on the function app will handle DNS write permissions too, so no need for a service principal and the hassle of expiring secrets.

    Hope this helps!


  5. Garry Taylor 26 Reputation points
    2022-04-29T16:51:37.14+00:00

    Do we know if or when this is going to be resolved, as VNET integration for ACI is in GA release?
    I don't see how anyone can use a private ACI when the IP hops (unless they have some other dapr / service discovery platform).

    Container Instances needs to support static private IPs otherwise it's pointless and in some cases a security issue. The IP can be swapped with another container-group and therefore grant access via Azure App Gateway. This is a nightmare!

