How to set up a simple cheap container that is publicly accessible (non-HTTP)

Mease, Darren Thomas 86 Reputation points
2023-06-20T18:37:58.3133333+00:00

Hi,

Although I can appreciate the groans when seeing the title, I can confirm I have been looking at this for quite a while now, and if I have missed something simple, apologies!

I have set up a container instance previously, behind a WAF/Application Gateway, and accessed the container via the public IP of the gateway - this I have working just fine. As a basic user, however - the app gateway can be quite expensive overall.

If I set a public IP directly on a container instance, I cannot seem to figure out how to restrict traffic to it. I cannot seem to add an NSG, and I am unable to do anything from inside the container (such as iptables) as the access is managed at the kernel level, and trying to use iptables would be rejected.

I have looked at NAT gateway, but it looks like that is for outbound traffic only.

Ultimately - if I want to access a container using a public IP, is it possible to restrict access without using an application gateway? Another constraint is the access is not web traffic - it is SSH. Also looked at Bastion hosts, but again this can get quite expensive over time.

Hope this makes sense - I usually provide references of everything I have looked at, however it is a looooong list.

Any thoughts appreciated,

Cheers,

Azure Container Instances
An Azure service that provides customers with a serverless container experience.

Accepted answer
  1. AirGordon 7,150 Reputation points
    2023-06-22T13:19:41.9+00:00

    I think the simple answer that will work for you is just using a Public Load Balancer in front of a Private Azure Container Instance.

    I've just tried it, and it works well for your scenario.

    These are the resources you will need:


    The Public IP address is used by the load balancer, which is configured with a backend pool that is your ACI private IP address. The NSG is applied to your ACI subnet, and restricts inbound traffic to specific IP & ports.

    I hope this is useful to you, please upvote and mark as answered if so 🤓
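
An added example, not part of the original answer or of any Azure tooling: a small audit of the NSG on the ACI subnet, checking that SSH is admitted only from the intended source and flagging Allow rules that admit port 22 from anywhere. The rule names and addresses are constructed, the field names follow the NSG rule properties as exported by `az network nsg show`, and service tags other than `Internet` are not resolved.

```python
from ipaddress import ip_address, ip_network

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # values that admit any public source
# Constructed sample in the shape of "securityRules" from `az network nsg show`;
# 203.0.113.10 is a documentation address standing in for the admin's IP.
RULES = [
    {"name": "allow-ssh-admin", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"},
    {"name": "allow-ssh-any", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "2200-2222"]},
]

def _values(rule, key):
    """Merge the singular and plural ARM fields, e.g. sourceAddressPrefix(es)."""
    plural = key + ("es" if key.endswith("x") else "s")
    return [v for v in [rule.get(key), *(rule.get(plural) or [])] if v]

def _source_matches(rule, src_ip):
    for prefix in _values(rule, "sourceAddressPrefix"):
        try:
            if prefix in ANY_SOURCE or ip_address(src_ip) in ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # other service tags are not resolved in this sketch
    return False

def _port_matches(rule, port):
    for rng in _values(rule, "destinationPortRange"):
        low, _, high = rng.partition("-")
        if rng == "*" or int(low) <= port <= int(high or low):
            return True
    return False

def _tcp_inbound(rule):
    return rule["direction"] == "Inbound" and rule["protocol"].lower() in ("*", "tcp")

def evaluate(rules, src_ip, port):
    """First match by ascending priority decides; returns (access, rule name)."""
    for r in sorted(filter(_tcp_inbound, rules), key=lambda r: r["priority"]):
        if _source_matches(r, src_ip) and _port_matches(r, port):
            return r["access"], r["name"]
    return "Deny", "DenyAllInBound"  # default rule that catches Internet sources

def ssh_open_to_any(rules):
    """Names of inbound Allow rules that admit TCP/22 from any source."""
    return [r["name"] for r in rules if _tcp_inbound(r) and r["access"] == "Allow"
            and _port_matches(r, 22) and ANY_SOURCE & set(_values(r, "sourceAddressPrefix"))]
```

Dropping the second sample rule leaves only the admin address able to reach port 22; every other public source falls through to the default deny.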

