Azure Container Instances doesn't retrieve client public ip

Moisés Álvarez 1 Reputation point
2021-09-27T07:11:14.323+00:00

I have set up an Azure Container Instance with software that uses Single-Sign-On to access its services. It uses client public IP to prevent session hijack attacks and also to handle session tickets.

This feature is not working because the container instance receives all incoming client IPs masqueraded behind private IPs (10.x.x.x). It also gets worse due to an internal load balancer (not set up from my side) that makes client IPs change from request to request, invalidating session tickets.

We tried to retrieve public client IP using the X-Forwarded-For header to overcome the probable proxy or internal load balancer; it didn't work.

So, is there a setup parameter or network configuration that makes the container instance retrieve client public IPs?


1 answer

  1. SRIJIT-BOSE-MSFT 4,336 Reputation points Microsoft Employee
    2021-09-27T10:46:42.753+00:00

    @Moisés Álvarez, thank you for your question. Source IP preservation depends on the service exposing the container group on the underlying platform. Also, as you mentioned, it does depend on the configuration and capabilities of the load balancer which, in the case of an Azure container group deployed with a virtual network, is abstracted from the customer at the time of writing.

    Having said that, you can configure a single public IP address for outbound and inbound traffic to a container group.

    Setting up a container group with an external-facing IP address allows external clients to use the IP address to access a container in the group.

    The aforementioned article provides steps to configure a container group in a virtual network integrated with Azure Firewall. By setting up a user-defined route to the container group and firewall rules, you can route and identify traffic to and from the container group. Container group ingress and egress use the public IP address of the firewall. A single egress IP address can be used by multiple container groups deployed in the virtual network's subnet delegated to Azure Container Instances.

    Thus, we can bypass policies on the underlying orchestration platform like externalTrafficPolicy, which might SNAT inbound traffic with IP addresses internal to the orchestration platform's infrastructure. Azure Firewall will only perform a DNAT on inbound traffic, thereby preserving the source public IP address.

    ----
    Hope this helps.

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.
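An added example (not from the question or the answer above) that reproduces the failure mode in Python: a session ticket bound to the client address is rejected when the platform SNATs and rotates the source, survives when a DNAT hop hands the container the real client address, and is not rebound by an X-Forwarded-For header unless the immediate peer is a configured proxy. The proxy range, user name and client address are constructed values, not anything from the page.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed values: a hypothetical firewall/proxy subnet, and a client address
# taken from the 203.0.113.0/24 documentation range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/26")]


def client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Address a session should be bound to. X-Forwarded-For is honoured only
    when the immediate peer is a known proxy; from any other peer the header is
    attacker-controllable and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in trusted):
        # The rightmost entry is the one appended by the trusted hop itself.
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


class TicketStore:
    """HMAC-signed session tickets bound to the client address at issue time."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def _sign(self, user, ip):
        return hmac.new(self.key, f"{user}|{ip}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user, ip):
        return f"{user}|{ip}|{self._sign(user, ip)}"

    def validate(self, ticket, observed_ip):
        user, ip, mac = ticket.split("|")
        return hmac.compare_digest(mac, self._sign(user, ip)) and ip == observed_ip


def session_outcomes(requests, trusted=TRUSTED_PROXIES):
    """requests: list of (remote_addr, x_forwarded_for) as seen by the container.
    The first request obtains a ticket; each later one presents it. Returns the
    accept/reject decision for every later request."""
    store = TicketStore()
    ticket = store.issue("alice", client_ip(*requests[0], trusted=trusted))
    return [store.validate(ticket, client_ip(a, x, trusted=trusted)) for a, x in requests[1:]]


# What the question describes: SNAT plus a rotating 10.x source kills the ticket.
SNAT_PATH = [("10.240.0.4", None), ("10.240.0.7", None), ("10.240.0.4", None)]
# Behind a DNAT hop the container sees the real client address on every request.
DNAT_PATH = [("203.0.113.10", None)] * 3
# A forwarded header from a non-proxy peer must not rebind the session.
SPOOF_PATH = [("10.240.0.4", None), ("10.240.0.7", "203.0.113.10")]
```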
