Expose a static IP address for a container group

This article shows one way to expose a static, public IP address for a container group by using an Azure application gateway. Follow these steps when you need a static entry point for an external-facing containerized app that runs in Azure Container Instances.

In this article you use the Azure CLI to create the resources for this scenario:

  • An Azure virtual network
  • A container group deployed in the virtual network that hosts a small web app
  • An application gateway with a public frontend IP address, a listener to host a website on the gateway, and a route to the backend container group

As long as the application gateway runs and the container group exposes a stable private IP address in the network's delegated subnet, the container group is accessible at this public IP address.

Note

Azure charges for an application gateway based on the amount of time that the gateway is provisioned and available, as well as the amount of data it processes. See pricing.

Create virtual network

In a typical case, you might already have an Azure virtual network. If you don't have one, create one as shown with the following example commands. The virtual network needs separate subnets for the application gateway and the container group.

If you need one, create an Azure resource group. For example:

az group create --name myResourceGroup --location eastus

Create a virtual network with the az network vnet create command. This command creates the myAGSubnet subnet in the network.

az network vnet create \
  --name myVNet \
  --resource-group myResourceGroup \
  --location eastus \
  --address-prefix 10.0.0.0/16 \
  --subnet-name myAGSubnet \
  --subnet-prefix 10.0.1.0/24

Use the az network vnet subnet create command to create a subnet for the backend container group. Here it's named myACISubnet.

az network vnet subnet create \
  --name myACISubnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet   \
  --address-prefix 10.0.2.0/24

Use the az network public-ip create command to create a static public IP resource. In a later step, this address is configured as the front end of the application gateway.

az network public-ip create \
  --resource-group myResourceGroup \
  --name myAGPublicIPAddress \
  --allocation-method Static \
  --sku Standard

Create container group

Run the following az container create to create a container group in the virtual network you configured in the previous step.

The group is deployed in the myACISubnet subnet and contains a single instance named appcontainer that pulls the aci-helloworld image. As shown in other articles in the documentation, this image packages a small web app written in Node.js that serves a static HTML page.

az container create \
  --name appcontainer \
  --resource-group myResourceGroup \
  --image mcr.microsoft.com/azuredocs/aci-helloworld \
  --vnet myVNet \
  --subnet myACISubnet

When successfully deployed, the container group is assigned a private IP address in the virtual network. For example, run the following az container show command to retrieve the group's IP address:

az container show \
  --name appcontainer --resource-group myResourceGroup \
  --query ipAddress.ip --output tsv

Output is similar to: 10.0.2.4.

For use in a later step, save the IP address in an environment variable:

ACI_IP=$(az container show \
  --name appcontainer \
  --resource-group myResourceGroup \
  --query ipAddress.ip --output tsv)

Important

If the container group is stopped, started, or restarted, the container group's private IP is subject to change. If this happens, you will need to update the application gateway configuration.

Create application gateway

Create an application gateway in the virtual network, following the steps in the application gateway quickstart. The following az network application-gateway create command creates a gateway with a public frontend IP address and a route to the backend container group. See the Application Gateway documentation for details about the gateway settings.

az network application-gateway create \
  --name myAppGateway \
  --location eastus \
  --resource-group myResourceGroup \
  --capacity 2 \
  --sku Standard_v2 \
  --http-settings-protocol http \
  --public-ip-address myAGPublicIPAddress \
  --vnet-name myVNet \
  --subnet myAGSubnet \
  --servers "$ACI_IP" \ 
  --priority 100

It can take up to 15 minutes for Azure to create the application gateway.

Test public IP address

Now you can test access to the web app running in the container group behind the application gateway.

Run the az network public-ip show command to retrieve the frontend public IP address of the gateway:

az network public-ip show \
--resource-group myresourcegroup \
--name myAGPublicIPAddress \
--query [ipAddress] \
--output tsv

Output is a public IP address, similar to: 52.142.18.133.

To view the running web app when successfully configured, navigate to the gateway's public IP address in your browser. Successful access is similar to:

Browser screenshot showing application running in an Azure container instance

Next steps

  • See a quickstart template to create a container group with a WordPress container instance as a backend server behind an application gateway.
  • You can also configure an application gateway with a certificate for SSL termination. See the overview and the tutorial.
  • Depending on your scenario, consider using other Azure load-balancing solutions with Azure Container Instances. For example, use Azure Traffic Manager to distribute traffic across multiple container instances and across multiple regions. See this blog post.