Connect a non-VNET Azure Container App to Key Vault with access from specific virtual networks and IP addresses

Gabor2, Victor-Vasile2 0 Reputation points
2024-04-09T13:42:08.46+00:00

Hello,

We have in our setup:

  • a non-VNET Container App environment with multiple container apps.
  • one Key Vault with public access from specific virtual networks and IP addresses.

When we start the containers we get an exception that we cannot connect from the container app IP to the vault. The IP changes, and we cannot add it to the vault after the container starts. A static IP cannot be used either, as the container app IP is not the static IP.

Is there a way to add the range to the vault in advance, without adding a VNET to the Container App Environment?

Thanks,

Victor


1 answer

  1. Dan Rios 1,265 Reputation points MVP
    2024-04-09T14:41:38.4266667+00:00

    Hi,

    The minimum viable solution will be to go to your Container App overview page and copy the outbound IP addresses listed under the networking heading. Add these to the KV firewall. However, these may change so it's not a very viable production solution.

    If the Container App is on the consumption SKU, then you're going to be limited here. Making your container app internal and putting egress control in place (Front Door, Application Gateway, Traffic Manager, etc.) is the recommended approach to securing your apps as part of the Well-Architected Framework.

    This way you not only secure the egress of your app with an edge PaaS solution with a WAF, but, as the ACA will now be 'internal', you can also scope the Key Vault firewall to that network to allow access.

    You can see more on the architectural reference here if interested: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/serverless/microservices-with-container-apps

    If this is a workload profiles environment (consumption + dedicated), then you can VNET-integrate the apps and put a NAT gateway on the subnet to keep a static IP for your Key Vault firewall.

    See: https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#ports-and-ip-addresses


    Unfortunately, Container Apps aren't listed among the trusted services for Key Vault's 'allow trusted services' option either, which is a shame: https://learn.microsoft.com/en-gb/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services

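One way to operate the first suggestion in the answer above (allowing the app's outbound IPs in the Key Vault firewall) without letting stale addresses accumulate in the vault's allow list, as an added example that is not part of the thread or of any Microsoft tooling. It assumes the Azure CLI is installed and logged in, that the Container App reports its egress addresses as properties.outboundIpAddresses (an assumption), and that the app, vault and resource group names are supplied as placeholders on the command line.

```python
"""Drift check between a Key Vault IP firewall and a Container App's outbound IPs.
Assumes the Azure CLI ('az') is installed and logged in, and that the Container App
exposes its egress addresses under properties.outboundIpAddresses (an assumption).
"""
import ipaddress
import json
import subprocess
import sys

def normalize(rule: str) -> str:
    """Key Vault treats '1.2.3.4' and '1.2.3.4/32' as the same rule; compare as networks."""
    return str(ipaddress.ip_network(rule, strict=False))

def plan_ip_rules(existing_rules, outbound_ips):
    """Return (missing, extra): egress IPs not yet allowed, and allowed rules that match
    no current egress IP (stale entries that may now belong to someone else)."""
    wanted = {normalize(ip) for ip in outbound_ips}
    present = {normalize(r) for r in existing_rules}
    return sorted(wanted - present), sorted(present - wanted)

def add_commands(vault, resource_group, missing):
    """Build the 'az keyvault network-rule add' calls for a plan (nothing runs here)."""
    return [["az", "keyvault", "network-rule", "add", "--name", vault,
             "--resource-group", resource_group, "--ip-address", ip] for ip in missing]

def az_json(*args):
    """Run an az command and parse its JSON output."""
    return json.loads(subprocess.check_output(["az", *args, "-o", "json"]))

def reconcile(app, vault, resource_group, apply=False):
    """Print (and with apply=True execute) the rule additions the vault is missing."""
    ips = az_json("containerapp", "show", "-n", app, "-g", resource_group,
                  "--query", "properties.outboundIpAddresses") or []
    rules = az_json("keyvault", "show", "-n", vault, "-g", resource_group,
                    "--query", "properties.networkAcls.ipRules[].value") or []
    missing, extra = plan_ip_rules(rules, ips)
    for cmd in add_commands(vault, resource_group, missing):
        print(" ".join(cmd))
        if apply:
            subprocess.check_call(cmd)
    # Extra rules may belong to other clients (admin IPs, other apps), so they are
    # only reported for review, never removed automatically.
    for rule in extra:
        print(f"review: vault allows {rule}, which is not a current outbound IP of {app}")

if __name__ == "__main__":
    app_name, vault_name, rg = sys.argv[1:4]  # placeholders supplied by the caller
    reconcile(app_name, vault_name, rg, apply="--apply" in sys.argv)
```

Run it on a schedule without --apply first to see what drifts; the 'review' lines are the entries worth checking before anyone runs network-rule remove by hand.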