Azure Container Apps does NOT work with VNet integration and Azure Firewall as specified in the doc #227
Comments
@doanduyhai, did you allow both inbound and outbound communication within the control plane subnet?
Hello @JennyLawrance, as said in the steps to reproduce, there is no NSG used in my settings, so the subnet-to-subnet communication is all open within the VNet. Consequently, the control plane subnet (named
@doanduyhai I will investigate it.
Thanks @chinadragon0515. Do not hesitate to ping me if you need any further detail to reproduce the issue.
@doanduyhai I have two questions,
In the meantime I will try to recreate the setup where the firewall shares the same VNet as the container apps.
@doanduyhai I have found the issue; we are discussing the fix, and I will update here when the fix is deployed. Thanks.
@chinadragon0515 Great news! Can you tell us more about the issue? Network integration? Missing firewall rules?
This has also been affecting us for the last few days... glad to have found this thread. As mentioned, can we have some knowledge of the issue and a potential ETA for resolution please?
I am attempting to join container apps to an existing VNet, with no firewall or NSGs at all at this point. Would this issue be the cause of my "Managed environment failed to initialize" error?
We are actively working on the issue, but we do not have a target date to share. I will update here when we have a date to share. This issue only occurs when a UDR is used; if no UDR is used, there is no issue.
We seem to have a similar issue, and we have no UDRs involved on the target VNet/subnets in question.
@chinadragon0515 Is the issue related to asymmetric routing or something else?
@chinadragon0515 I am seeing the firewall blocking my Dapr component's requests to the providers when a UDR attempts to route them there.
This gets picked up if I try to add an Azure Service Bus PubSub component to Dapr. Service Bus is exposed on the VNet with a Private Endpoint and a related Private DNS Zone for it attached to both the hub and spoke VNets. I have application rules in my firewall that should allow traffic from the control plane subnet to the private endpoint FQDN, but it seems the firewall is denying it before it gets to the custom rules. If I turn off the UDR this routes correctly to the private endpoint, verified by the fact that all networking is turned off on the Service Bus and it succeeds without the UDR. Is this issue related to what you are working on?
@oramoss If no UDR is used, then it is not related to this; please open a ticket and we can investigate what could be wrong.
@doanduyhai It is not related to asymmetric routing: when a UDR is used with 0.0.0.0, it will change the node outbound IP addresses, and that causes the issue. For now, using custom user-defined routes (UDRs) or ExpressRoute, other than UDRs for selected destinations that you own, is not yet supported for Container App Environments with VNets. We are working with the partner team to resolve this; I will update here when we have a target date to resolve it.
The error you see is not the same as the common UDR error; can you open a ticket with the detailed configuration information, so I can investigate more to see whether it is the same issue or a different issue? For now, using custom user-defined routes (UDRs) or ExpressRoute, other than UDRs for selected destinations that you own, is not yet supported for Container App Environments with VNets.
Also see #255 for a similar issue.
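To make the maintainer's distinction concrete (a 0.0.0.0/0 UDR versus UDRs that only cover selected destinations you own), here is an added example that is not code from this issue, from Azure Container Apps or from Azure itself: a small Python model of how Azure selects a route for traffic leaving a subnet. The VNet range 10.1.0.0/16 is taken from the issue; the firewall private IP 10.1.10.4, the on-premises range 10.200.0.0/16 and the "service" prefix 20.0.0.0/8 are constructed placeholders. The precedence rule it applies (longest prefix wins; on a tie a user-defined route beats a system route) is Azure's documented behaviour, and the function and table names are my own.

```python
"""Model of Azure subnet route selection: forced tunnelling (0.0.0.0/0 UDR) versus
UDRs that cover only selected destinations. Added example, not code from the
issue or from Azure. The VNet 10.1.0.0/16 is taken from the issue; the firewall
private IP, the on-prem range and the service prefix are constructed values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

VNET_CIDR = "10.1.0.0/16"            # from the issue
FIREWALL_PRIVATE_IP = "10.1.10.4"    # assumption: Azure Firewall private IP
ONPREM_CIDR = "10.200.0.0/16"        # assumption: a destination the customer owns
SERVICE_PREFIX = "20.0.0.0/8"        # constructed placeholder for a service range


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop_type: str               # "VnetLocal" | "Internet" | "VirtualAppliance"
    next_hop_ip: Optional[str] = None
    source: str = "User"             # "Default" = Azure system route, "User" = UDR


def system_routes(vnet_cidr: str = VNET_CIDR) -> List[Route]:
    """The system routes Azure gives every subnet: VNet-local and a default to Internet."""
    return [
        Route(ip_network(vnet_cidr), "VnetLocal", source="Default"),
        Route(ip_network("0.0.0.0/0"), "Internet", source="Default"),
    ]


def forced_tunnel_routes() -> List[Route]:
    """The issue's route table: 0.0.0.0/0 -> firewall private IP (forced tunnelling)."""
    return system_routes() + [
        Route(ip_network("0.0.0.0/0"), "VirtualAppliance", FIREWALL_PRIVATE_IP)
    ]


def selected_destination_routes() -> List[Route]:
    """A UDR only for a destination you own (on-prem), the case the maintainer says is supported."""
    return system_routes() + [
        Route(ip_network(ONPREM_CIDR), "VirtualAppliance", FIREWALL_PRIVATE_IP)
    ]


def forced_tunnel_with_exception() -> List[Route]:
    """Forced tunnel plus a more specific route that keeps one prefix on the Internet path
    (the idea behind the service-tag routes mentioned later in the thread, modelled as a plain prefix)."""
    return forced_tunnel_routes() + [Route(ip_network(SERVICE_PREFIX), "Internet")]


def resolve(dest: str, routes: List[Route]) -> Route:
    """Pick the route Azure would use: longest prefix wins; on a tie a user route beats a system route."""
    addr = ip_address(dest)
    matches = [r for r in routes if addr in r.prefix]
    rank = {"User": 0, "Default": 1}
    return min(matches, key=lambda r: (-r.prefix.prefixlen, rank[r.source]))


def egress(dest: str, routes: List[Route]) -> Tuple[str, Optional[str]]:
    """Next hop type and next hop IP for a packet from the subnet to dest."""
    r = resolve(dest, routes)
    return r.next_hop_type, r.next_hop_ip


def leaves_via_firewall(dest: str, routes: List[Route]) -> bool:
    """True when traffic to dest is diverted to the firewall, i.e. the destination will see
    the firewall's outbound address rather than the node's own (the change the maintainer describes)."""
    return egress(dest, routes) == ("VirtualAppliance", FIREWALL_PRIVATE_IP)


if __name__ == "__main__":
    tables = {
        "forced tunnel (issue)": forced_tunnel_routes(),
        "selected destinations": selected_destination_routes(),
        "forced tunnel + exception": forced_tunnel_with_exception(),
    }
    # 10.1.4.5 is inside the issue's K8SClusterSubnet01 (10.1.4.0/27)
    for dest in ("10.1.4.5", "10.200.1.1", "20.50.1.1", "1.1.1.1"):
        for name, routes in tables.items():
            print(f"{name:26s} {dest:12s} -> {egress(dest, routes)}")
```

Running the block prints a next-hop table for the three route sets. With the issue's table, every destination outside the VNet resolves to the firewall, which is the outbound-IP change the maintainer refers to; with a UDR only for the on-prem range, Internet-bound traffic stays on Azure's system route and intra-VNet traffic is untouched in both cases. Whether a particular more-specific exception route is acceptable in a given environment is a separate question this thread does not settle.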
@chinadragon0515 Can you share any estimate of when this could be solved? Weeks, months?
@jagiraud The issue is being actively worked on; it should be resolved in the next couple of months. I will share here when we have a more accurate date. Sorry for the inconvenience and thanks for your patience.
@chinadragon0515 - we are validating Container Apps for use in a hub-and-spoke architecture (spoke subscription peered to a hub subscription with a firewall) using Enterprise Scale patterns. Once this UDR issue is addressed, is it expected that we will be able to use Container Apps to serve container-hosted services across the International CORP network (internal private Azure network, no internet egress/ingress) from the Container Apps service? We want to make sure there is no dependency on the solution needing to go internet-bound and to public endpoints. Asking because we cannot validate this because of the UDR issue. Thank you!
Earlier we used to create UDRs with our own managed CIDRs and it was working just fine. Now I see that a managed route table is getting created with
This is fixed now!
@chinadragon0515: Any more precise timeline you can share? Facing this issue. Thank you.
We are still working on it, no target to share now. Will update when we have an ETA.
I'm puzzled how you can GA a service with VNet integration and not support UDRs. Every time you GA VNet integration for Azure services (Azure Firewall, App Services, Functions and what not), forced tunneling is not supported. I have a hard time understanding use cases for this where you don't need access to on-premises data resources in a secure manner. Anyway, looking forward to testing this service when you have an ETA.
@mthoger come check out the networking channel on Discord. Another user was able to help me with a couple of service tag routes to get my UDR working.
Any update on this?
Is there an update on this, something to share on the possible ETA for the definitive solution?
@TheIronRock95 The ACA roadmap is now public - ETA looks to be end of March 2023.
We have a new network architecture implemented in ACA and announced the public preview today. For more detail, you can refer to this announcement.
Any potential ETA on when this may become GA?
Summer 2023
We used this UDR configuration very actively on all (>100) of our Container App Environments. And these environments are now "Consumption only", which means UDR is not supported there, although it was supported in the past. Is it guaranteed that this original container app setup, described as in this issue, keeps working? I think the UDR feature was just dropped from the original release, as all "old" cappenvs are now automatically "Consumption Only".
@anrub UDR with target 0.0.0.0/0 was never supported in
UDR is supported with workload profile envs, refer to https://learn.microsoft.com/en-us/azure/container-apps/workload-profiles-overview
Issue description
Region: westeurope
Creating an Azure Container Apps environment using an internal VNet and an Azure Firewall does not work, even though I followed all the documentation here:
Steps to reproduce
- VNet with a 10.1.0.0/16 CIDR address space
- Subnet K8SControlPlaneSubnet01 in the VNet with a 10.1.2.0/23 address space
- Subnet K8SClusterSubnet01 in the VNet with a 10.1.4.0/27 address space
- Route table with the route 0.0.0.0/0 --> <azure_firewall_private_ip_address>
- Route table associated with K8SControlPlaneSubnet01 & K8SClusterSubnet01
Deployment information:
Expected behavior
The Container Apps Environment should be created
Actual behavior
The deployment fails with a cryptic error:
Screenshots
Additional context
The deployment always fails at the step of creation of the kubernetes load balancer. Sometimes it also fails at creating the kubernetes-internal load balancer. I suspect some asymmetric routing is involved, because the load balancers created in the MC_xxx resource groups have public IPs and they are forced tunnelled through Azure Firewall.