Add the ability for customer provided subnets to be included in the deployment script resource

[peterpogorski]

For customers that want to ensure all traffic remains within their virtual network, such as an AKS cluster which blocks all inbound traffic from the internet they should be able to specify a subnet in which the container instance is deployed. This is a feature that is already supported by ACI, and just needs to be added as input property in addition to the container name. Deploy container group into a VNET

[brwilkinson]

This is certainly possible... details below

Below is an exported template that includes the two properties to make this happen.
Also the template that it was deployed from.

Containergroups

• SubnetID's aray
• IpAddress type Private

inputs for container groups
https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/tenants/AOA/ACU1.T5.parameters.json#L1272

e.g.

        "ACIInfo": [
          {
            "Name": "helloworld",
            "registerDNS": 1,
            "isPublic": 0,
            "subnetName": "snBE02",
            "scaleCount": 1,
            "InstanceCount": 1,
            "memoryInGB": 1,
            "cpu": 1,
            "image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest",
            "ports": [
              80
            ],
            "_command": [],
            "_environmentVariables": [],
            "_volumeMounts": []
          }
]

ACI Template
https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/ACI-ACI.bicep#L107

VNET

• subnet delegation

input for subnet
https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/tenants/AOA/ACU1.T5.parameters.json#L363
Vnet template: including delegations lookup.
https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VNET.bicep#L87

@description('Generated from /subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ContainerInstance/containerGroups/ACU1-BRW-AOA-T5-aci-helloworld-0')
resource ACUBRWAOATacihelloworld 'Microsoft.ContainerInstance/containerGroups@2021-09-01' = {
  name: 'ACU1-BRW-AOA-T5-aci-helloworld-0'
  location: 'centralus'
  properties: {
    sku: 'Standard'
    containers: [
      {
        name: 'helloworld-0-0'
        properties: {
          image: 'mcr.microsoft.com/azuredocs/aci-helloworld:latest'
          ports: [
            {
              protocol: 'TCP'
              port: 80
            }
          ]
          environmentVariables: []
          resources: {
            requests: {
              memoryInGB: '1.0'
              cpu: '1.0'
            }
          }
        }
      }
    ]
    initContainers: []
    restartPolicy: 'Always'
    ipAddress: {
      ports: [
        {
          protocol: 'TCP'
          port: 80
        }
      ]
      ip: '10.10.134.70'  // for private
      type: 'Private'  // for private
      dnsNameLabelReusePolicy: 'Unsecure'
    }
    osType: 'Linux'
    diagnostics: {
      logAnalytics: {
        workspaceId: '4774620e-6271-45f2-a291-fd55ad390716'
        logType: 'ContainerInsights'
        metadata: {}
      }
    }
    subnetIds: [  // for private
      {
        id: '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.Network/virtualNetworks/ACU1-BRW-AOA-T5-vn/subnets/snBE02'
      }
    ]
  }
  identity: {
    userAssignedIdentities: {
      '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ACU1-BRW-AOA-T5-uaiKeyVaultSecretsGet': {}
      '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ACU1-BRW-AOA-T5-uaiStorageAccountOperatorGlobal': {}
      '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ACU1-BRW-AOA-T5-uaiStorageAccountFileContributor': {}
    }
    type: 'SystemAssigned, UserAssigned'
  }
}

[brwilkinson]

okay I walked away to get a coffee, then I realized that you said "deployment script resource".

So I assume that you were talking about 'Microsoft.Resources/deploymentScripts@2020-10-01' not ACI in general.

[brwilkinson]

adding @jorgecotillo for comment on this one.

Question on: "executing a DeploymentScript on and ACI instance/containerGroup linked to an internal subnet."

[alex-frankel]

It is not a feature that we support today. It is on our backlog, but there is no ETA we can provide.

[brwilkinson]

Will mark this as answered.

[gogbg]

Hi folks, this is a critical functionality for us too. I'm aware that it's a arm template limitation but I can see that bicep is pushing the arm template limitations.

@alex-frankel can you point me to the story that's already in the backlog so I can keep track on it?

[alex-frankel]

This is the internal work item:
https://msazure.visualstudio.com/One/_workitems/edit/7379274