VNet Injection in Chaos Studio

VNet is the fundamental building block for your private network in Azure. VNet enables many Azure resources to securely communicate with each other, the internet, and on-premises networks. VNet is like a traditional network you would operate in your own data center. However, VNet also has the benefits of Azure infrastructure, scale, availability, and isolation.

How VNet Injection works in Chaos Studio

VNet injection allows the Chaos resource provider to inject containerized workloads into your VNet. This means that resources without public endpoints can be accessed via a private IP address on the VNet. Follow these steps to set up VNet injection:

  1. Register the Microsoft.ContainerInstance resource provider with your subscription (if applicable).

    az provider register --namespace 'Microsoft.ContainerInstance' --wait
    

    Verify the registration by running the following command:

    az provider show --namespace 'Microsoft.ContainerInstance' | grep registrationState
    

    You should see output similar to the following:

    "registrationState": "Registered",
    
  2. Re-register the Microsoft.Chaos resource provider with your subscription.

    az provider register --namespace 'Microsoft.Chaos' --wait
    

    Verify the registration by running the following command:

    az provider show --namespace 'Microsoft.Chaos' | grep registrationState
    

    You should see output similar to the following:

    "registrationState": "Registered",
    
  3. Create a subnet named ChaosStudioSubnet in the VNet you want to inject into, and delegate the subnet to the Microsoft.ContainerInstance/containerGroups service.

  4. Set the properties.subnetId property when you create or update the Target resource. The value should be the resource ID of the subnet created in step 3.

    Replace $SUBSCRIPTION_ID with your Azure subscription ID, and $RESOURCE_GROUP and $AKS_CLUSTER with the resource group name and the resource name of your AKS cluster. Also replace $AKS_INFRA_RESOURCE_GROUP and $AKS_VNET with the name of your AKS cluster's infrastructure resource group and its VNet name.

    # Quote the URL: it contains '?', which an unquoted expansion would treat as a glob character.
    URL="https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.ContainerService/managedClusters/$AKS_CLUSTER/providers/Microsoft.Chaos/targets/microsoft-azurekubernetesservicechaosmesh?api-version=2022-10-01-preview"
    # Resource ID of the delegated subnet created in step 3.
    SUBNET_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$AKS_INFRA_RESOURCE_GROUP/providers/Microsoft.Network/virtualNetworks/$AKS_VNET/subnets/ChaosStudioSubnet"
    BODY="{ \"properties\": { \"subnetId\": \"$SUBNET_ID\" } }"
    az rest --method put --url "$URL" --body "$BODY"
    
  5. Start the experiment.
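
Steps 3 and 4 as one script, with a check that the subnet actually carries the delegation before the Target is pointed at it. This is an added example, not code from the original page; the function names, the name allowlist and the sample address prefix in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Requires a signed-in Azure CLI.
DELEGATION='Microsoft.ContainerInstance/containerGroups'
SUBNET_NAME='ChaosStudioSubnet'

# Conservative allowlist so a value cannot break the resource ID or the JSON body.
# Assumption: names use only letters, digits, '.', '_' and '-'.
valid_name() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Resource ID of the delegated subnet, used as properties.subnetId in step 4.
subnet_id() {  # args: subscription_id infra_resource_group vnet
  valid_name "$1" && valid_name "$2" && valid_name "$3" || return 1
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$SUBNET_NAME"
}

# True when a delegation list (one service name per line) contains the ACI delegation.
has_aci_delegation() {
  printf '%s\n' "$1" | grep -Fxq "$DELEGATION"
}

# JSON request body for the Target resource.
target_body() {  # arg: subnet resource ID
  printf '{ "properties": { "subnetId": "%s" } }' "$1"
}

# Steps 3 and 4 end to end. The address prefix is supplied by the caller.
configure_vnet_injection() {  # args: sub rg cluster infra_rg vnet address_prefix
  valid_name "$2" && valid_name "$3" || return 1
  id=$(subnet_id "$1" "$4" "$5") || { echo "invalid name" >&2; return 1; }
  az network vnet subnet create --resource-group "$4" --vnet-name "$5" \
    --name "$SUBNET_NAME" --address-prefixes "$6" --delegations "$DELEGATION" || return 1
  # Read the delegation back before pointing the Target at the subnet.
  found=$(az network vnet subnet show --resource-group "$4" --vnet-name "$5" \
    --name "$SUBNET_NAME" --query 'delegations[].serviceName' --output tsv) || return 1
  has_aci_delegation "$found" || { echo "subnet is not delegated to $DELEGATION" >&2; return 1; }
  url="https://management.azure.com/subscriptions/$1/resourceGroups/$2/providers/Microsoft.ContainerService/managedClusters/$3/providers/Microsoft.Chaos/targets/microsoft-azurekubernetesservicechaosmesh?api-version=2022-10-01-preview"
  az rest --method put --url "$url" --body "$(target_body "$id")"
}

# Usage (the address prefix is a constructed sample value):
# configure_vnet_injection "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$AKS_CLUSTER" \
#   "$AKS_INFRA_RESOURCE_GROUP" "$AKS_VNET" 10.225.0.0/24
```
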

Limitations

  • At present, VNet injection is only possible in subscriptions/regions where Azure Container Instances and Azure Relay are available. These services are deployed to target regions.
  • When you create a Target resource that you would like to enable with VNet injection, you will need Microsoft.Network/virtualNetworks/subnets/write access to the virtual network. For example, if the AKS cluster is deployed to VNet_A, then you must have permissions to create subnets in VNet_A in order to enable VNet injection for the AKS cluster. You will have to specify a subnet (in VNet_A) that the container will be deployed to.

Request body when creating a Target resource with VNet injection enabled:

Target resource with VNet Injection

Next steps

Now that you understand how VNet Injection can be achieved for Chaos Studio, you're ready to: