Add the ability for customer provided subnets to be included in the deployment script resource #5793
For customers that want to ensure all traffic remains within their virtual network, such as an AKS cluster which blocks all inbound traffic from the internet, they should be able to specify a subnet in which the container instance is deployed. This is a feature that is already supported by ACI, and just needs to be added as an input property in addition to the container name.

Deploy container group into a VNET
This is certainly possible... details below

Below is an exported template that includes the two properties to make this happen.

Containergroups
inputs for container groups

e.g.

```json
"ACIInfo": [
  {
    "Name": "helloworld",
    "registerDNS": 1,
    "isPublic": 0,
    "subnetName": "snBE02",
    "scaleCount": 1,
    "InstanceCount": 1,
    "memoryInGB": 1,
    "cpu": 1,
    "image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest",
    "ports": [
      80
    ],
    "_command": [],
    "_environmentVariables": [],
    "_volumeMounts": []
  }
]
```

ACI Template VNET
input for subnet

```bicep
@description('Generated from /subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ContainerInstance/containerGroups/ACU1-BRW-AOA-T5-aci-helloworld-0')
resource ACUBRWAOATacihelloworld 'Microsoft.ContainerInstance/containerGroups@2021-09-01' = {
  name: 'ACU1-BRW-AOA-T5-aci-helloworld-0'
  location: 'centralus'
  properties: {
    sku: 'Standard'
    containers: [
      {
        name: 'helloworld-0-0'
        properties: {
          image: 'mcr.microsoft.com/azuredocs/aci-helloworld:latest'
          ports: [
            {
              protocol: 'TCP'
              port: 80
            }
          ]
          environmentVariables: []
          resources: {
            requests: {
              memoryInGB: '1.0'
              cpu: '1.0'
            }
          }
        }
      }
    ]
    initContainers: []
    restartPolicy: 'Always'
    ipAddress: {
      ports: [
        {
          protocol: 'TCP'
          port: 80
        }
      ]
      ip: '10.10.134.70' // for private
      type: 'Private' // for private
      dnsNameLabelReusePolicy: 'Unsecure'
    }
    osType: 'Linux'
    diagnostics: {
      logAnalytics: {
        workspaceId: '4774620e-6271-45f2-a291-fd55ad390716'
        logType: 'ContainerInsights'
        metadata: {}
      }
    }
    subnetIds: [ // for private
      {
        id: '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.Network/virtualNetworks/ACU1-BRW-AOA-T5-vn/subnets/snBE02'
      }
    ]
  }
  identity: {
    userAssignedIdentities: {
      '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ACU1-BRW-AOA-T5-uaiKeyVaultSecretsGet': {}
      '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ACU1-BRW-AOA-T5-uaiStorageAccountOperatorGlobal': {}
      '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourceGroups/ACU1-BRW-AOA-RG-T5/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ACU1-BRW-AOA-T5-uaiStorageAccountFileContributor': {}
    }
    type: 'SystemAssigned, UserAssigned'
  }
}
```
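A pre-deployment check for the two properties marked `// for private` in the exported template above (`ipAddress.type` and `subnetIds`), as an added example that is not part of the original reply or of the linked framework. It assumes the template has been compiled to ARM JSON with `resources` as a list; the sample resources, the `vn-app` VNet name and the `allowed_vnets` parameter are constructed for illustration.

```python
ACI_TYPE = "microsoft.containerinstance/containergroups"
PORTS = [{"protocol": "TCP", "port": 80}]

# Constructed sample: two container groups in ARM JSON form, with placeholder IDs.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.ContainerInstance/containerGroups", "name": "aci-private",
     "properties": {
         "ipAddress": {"type": "Private", "ports": PORTS},
         "subnetIds": [{"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers"
                              "/Microsoft.Network/virtualNetworks/vn-app/subnets/snBE02"}]}},
    {"type": "Microsoft.ContainerInstance/containerGroups", "name": "aci-public",
     "properties": {"ipAddress": {"type": "Public", "ports": PORTS}}},
]}


def audit_container_groups(template, allowed_vnets=()):
    """Return (name, finding) pairs for container groups not confined to a VNet."""
    allowed = {v.lower() for v in allowed_vnets}  # hypothetical allow-list of VNet names
    findings = []
    queue = list(template.get("resources", []))
    while queue:
        res = queue.pop(0)
        queue.extend(res.get("resources", []))  # also visit nested child resources
        if res.get("type", "").lower() != ACI_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        ip_type = props.get("ipAddress", {}).get("type")
        if ip_type is not None and ip_type.lower() != "private":
            findings.append((name, f"ipAddress.type is {ip_type!r}, not 'Private'"))
        subnet_ids = [s.get("id", "") for s in props.get("subnetIds") or []]
        if not subnet_ids:
            findings.append((name, "no subnetIds: group is not placed in a subnet"))
        for sid in subnet_ids:
            # The VNet name is the path segment following /virtualNetworks/.
            vnet = sid.lower().partition("/virtualnetworks/")[2].split("/")[0]
            if allowed and vnet not in allowed:
                findings.append((name, f"subnet in unapproved VNet {vnet!r}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_container_groups(SAMPLE_TEMPLATE, ["vn-app"]):
        print(f"{name}: {finding}")
```

Run in a pipeline against the compiled template, a non-empty result can fail the build before a publicly addressed container group is deployed.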
Hi folks, this is a critical functionality for us too. I'm aware that it's an ARM template limitation but I can see that Bicep is pushing the ARM template limitations. @alex-frankel can you point me to the story that's already in the backlog so I can keep track of it?
This is certainly possible... details below
Below is an exported template that includes the two properties to make this happen.
Also the template that it was deployed from.
Containergroups
inputs for container groups
https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/tenants/AOA/ACU1.T5.parameters.json#L1272
e.g.