Azure VM and Azure Container Instance (Linux) server is listening to port

M B 1 Reputation point
2021-05-26T09:26:11+00:00

Hi @all ,

I've a Windows VM and an Azure Container Instance (Linux) in the same VNET.
The Linux image contains a running server, which is listening on ports 80, 443 and 8080 and has a connection to an Azure SQL DB. The DB connection to Azure SQL runs perfectly.

Now I want to connect my VM with my client.exe to the private IP:8080 of the Linux image, but I can't establish a connection.

I have opened all ports. My command "netstat -a" on my Linux image recognizes my client for a short moment, but blocks it - I guess.

How can I establish a connection from my client to my server, which runs on the Linux ACI image?

Best regards


3 answers

  1. prmanhas-MSFT 17,946 Reputation points Microsoft Employee Moderator
    2021-05-27T13:17:17.797+00:00

    @M B Apologies for the delay in response and all the inconvenience caused because of the issue.

    • NSG if at the Subnet level (for both subnets, the one delegated to Microsoft.ContainerInstance and the one in VM's subnet) should allow traffic inside the Virtual Network (all ports). So should NSG at VM NIC (if any).
    • If the above configurations are correct, then ensure that effective routes under route tables (if any) are correctly configured.
    • Is the ACI application properly listening on port 8080? Please connect to the container (Using UI or CLI with az container exec -g MyResourceGroup --name myContainerGroup --container-name myContainerName --exec-command "/bin/bash") and do a curl to 127.0.0.1:8080. This will allow us to understand if connections from inside the container are successful to the endpoint.

    If that is working fine. Is there any issue connecting to the other ports of the ACI like 443, 80 from the Windows client machine?

    If no, then was the container created, exposing the port 8080? You mentioned that the image listens to 80, 443 and 8080 but is the container created out of the image configured to listen on 8080?

    Also you mentioned "Command "netstat -a" on my linux image recognize for a short moment my client". What is the TTL of a client.exe session? What error message do you get on the client? Is it a timeout or a different error?

    Can you please share logs from the ACI in that case.

    Hope it helps!!!

    Looking forward to your response!!!


  2. M B 1 Reputation point
    2021-05-27T14:48:35.563+00:00

    Hi prmanhas,

    thank you so much for your answer. I answer your arguments between your lines.

    My server is listening:
    100338-svr.png

    NSG if at the Subnet level (for both subnets, the one delegated to Microsoft.ContainerInstance and the one in VM's subnet) should allow traffic inside the Virtual Network (all ports). So should NSG at VM NIC (if any).

    My NSG:
    100323-nsg.png

    My VNET:
    If the above configurations are correct, then ensure that effective routes under route tables (if any) are correctly configured.
    100347-nsg2.png

    Is the ACI application properly listening on port 8080? Please connect to the container (Using UI or CLI with az container exec -g MyResourceGroup --name myContainerGroup --container-name myContainerName --exec-command "/bin/bash") and do a curl to 127.0.0.1:8080. This will allow us to understand if connections from inside the container are successful to the endpoint.

    my curl result: Status Code: 401; Unauthorized

    At the moment curl doesn't work, but ping 127.0.0.1 works.

    my routing table is:
    100308-routing.png

    I use wireshark to test the connection:
    100285-netsat-and-wireshark.png

    What would the route table have to look like if I want to route the traffic from my VM IP to 10.1.1.4:8080 to my local Linux image, which is listening on 127.0.0.1:8080?
    I guess my docker doesn't accept any input and output. It blocks everything. How can I open my Linux image?

    I appreciate your help


  3. prmanhas-MSFT 17,946 Reputation points Microsoft Employee Moderator
    2021-05-28T05:45:00.983+00:00

    @M B Custom Route tables are not a requirement. In general a customer would set up a route table only if he has to set up a UDR from source to destination which must always be followed. Let's say if the customer wants to route traffic via a Firewall with egress rules or to a DNS forwarder etc. By default route table in a subnet is set to none, which means that the traffic will adhere to system routes set by Azure under the hood. More info here

    However, I can see a clear HTTP 401 Unauthorized response from the server in the wireshark trace

    100472-image.png

    So the server understands the request but the client cannot be validated to serve the application. HTTP status code overview - Internet Information Services | Microsoft Learn

    Assuming that the NSG you shared is on the ACI subnet and there are no superior rules negating the rule Port_8080 (if not please implement the same on the ACI subnet NSG, not VM subnet NSG). If this is correctly set and you are still receiving the error, then the application is not authorized to serve to this client.

    The client is not authorized to be served with the application and the setting is in the application. So we need to check wireshark traces (preferably from both server and client) and have a look at auth mechanisms in the server application. For deeper troubleshooting I would recommend you to contact Support if you have a Support plan in place; if not, let me know and I can help you to enable One Time Free Technical Support.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
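
The diagnosis in this thread depends on telling a network-layer failure (NSG or route drop, nothing listening on the address) apart from an application-layer answer such as the HTTP 401 seen in the trace. The Python probe below is an added example, not part of any post above; `classify_endpoint` and its hint strings are hypothetical names, and 10.1.1.4:8080 is the address given in the question.

```python
import http.client
import socket


def classify_endpoint(host, port, path="/", timeout=3.0):
    """Report at which layer a connection attempt to host:port stops.

    Returns a dict with 'layer' ("network" or "application"),
    'result' ("timeout", "refused", "error" or the HTTP status) and 'hint'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Step 1: TCP handshake only. A failure here never reached the app.
        try:
            conn.connect()
        except socket.timeout:
            return {"layer": "network", "result": "timeout",
                    "hint": "packets dropped: check the NSG on both subnets "
                            "and the effective routes"}
        except ConnectionRefusedError:
            return {"layer": "network", "result": "refused",
                    "hint": "host reachable, but nothing listens on this "
                            "address:port (e.g. server bound to 127.0.0.1)"}
        except OSError as exc:
            return {"layer": "network", "result": "error", "hint": str(exc)}

        # Step 2: the handshake succeeded, so NSG and routing allow the flow.
        try:
            conn.request("GET", path)
            status = conn.getresponse().status
        except (OSError, http.client.HTTPException) as exc:
            return {"layer": "application", "result": "error",
                    "hint": f"TCP ok, but no valid HTTP response: {exc}"}
    finally:
        conn.close()

    if status in (401, 403):
        hint = ("network path is fine; the server rejects the client, "
                "so review credentials and the application's auth settings")
    else:
        hint = "network path is fine; the application answered"
    return {"layer": "application", "result": status, "hint": hint}


if __name__ == "__main__":
    # Address taken from the question; run this from the client VM.
    print(classify_endpoint("10.1.1.4", 8080))
```

A result of `401` at the application layer means NSG and route changes will not help, which matches the conclusion of the last answer.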

