@Moisés Álvarez, thank you for your question. Source IP preservation depends on the service exposing the container group on the underlying platform. Also, as you mentioned, it does depend on the configuration and capabilities of the load balancer, which, in the case of an Azure container group deployed with a virtual network, is abstracted from the customer at the time of writing.
Having said that, you can configure a single public IP address for outbound and inbound traffic to a container group.
Setting up a container group with an external-facing IP address allows external clients to use the IP address to access a container in the group.
The aforementioned article provides steps to configure a container group in a virtual network integrated with Azure Firewall. By setting up a user-defined route to the container group and firewall rules, you can route and identify traffic to and from the container group. Container group ingress and egress use the public IP address of the firewall. A single egress IP address can be used by multiple container groups deployed in the virtual network's subnet delegated to Azure Container Instances.
Thus, we can bypass policies on the underlying orchestration platform like externalTrafficPolicy, which might SNAT inbound traffic with IP addresses internal to the orchestration platform's infrastructure. Azure Firewall will only perform a DNAT on inbound traffic, thereby preserving the source public IP address.
----
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
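The route-table and firewall-rule part of the setup the answer describes, as an added Bicep example that is not code from the answer or from the docs article it refers to. It assumes the VNet, the Azure Firewall (attached to a firewall policy), its public IP and the container group already exist, as in the docs flow; all resource names, address ranges, the API version and the egress FQDN are assumptions.

```bicep
// Added example; not code from the answer or from the docs article it refers to.
// Assumes the VNet, the Azure Firewall (attached to a firewall policy), its public IP and the
// container group already exist. Resource names, address ranges and the API version are
// assumptions; adjust them to your deployment.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'aci-vnet' }
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' existing = { name: 'aci-fw' }
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' existing = { name: 'aci-fw-pip' }
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: 'aci-fw-policy' }
resource aci 'Microsoft.ContainerInstance/containerGroups@2023-05-01' existing = { name: 'aci-web' }

// User-defined route: everything leaving the ACI subnet is sent to the firewall's private IP,
// so the container group's egress reaches the internet from the firewall's public IP.
resource routeTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'aci-rt'
  location: resourceGroup().location
  properties: {
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// The ACI-delegated subnet, re-declared with the route table attached. The prefix must match
// the existing subnet; the delegation is what allows ACI to place container groups here.
resource aciSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'aci-subnet'
  properties: {
    addressPrefix: '10.0.0.0/24'
    routeTable: { id: routeTable.id }
    delegations: [
      { name: 'aci', properties: { serviceName: 'Microsoft.ContainerInstance/containerGroups' } }
    ]
  }
}

// Firewall rules. The NAT collection rewrites only the destination (firewall public IP to the
// container group's private IP), so the client's source address is what the container sees.
// The filter collection is the explicit egress allow the firewall needs, since it denies by
// default; the FQDN is a placeholder for whatever the workload must reach.
resource aciRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'aci-rules'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'inbound-dnat'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'http-to-aci'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ fwPip.properties.ipAddress ]
            destinationPorts: [ '80' ]
            translatedAddress: aci.properties.ipAddress.ip
            translatedPort: '80'
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'outbound-allow'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allowed-fqdns'
            sourceAddresses: [ '10.0.0.0/24' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'example.com' ]
          }
        ]
      }
    ]
  }
}

// Clients connect to this address; the firewall forwards to the container group.
output ingressAddress string = fwPip.properties.ipAddress
```

Deploy it into the resource group that holds the existing resources (for example with `az deployment group create --template-file`). The `sourceAddresses: [ '*' ]` on the DNAT rule is deliberately open so the behaviour is easy to observe; narrow it to the client ranges you expect, and check the firewall's DNAT logs to confirm that the original client address, not a platform-internal one, is what arrives at the container.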