Customer VNet Integration #3

Closed
SatyKrish opened this issue Nov 3, 2021 · 18 comments

@SatyKrish

We are looking for a Docker replacement for hosting container workloads without the overhead of managing an AKS cluster. Any plans to support integration with Customer VNet for deploying isolated workloads as Container Apps? All our services deployed on Azure are strictly accessible only from within Customer network (no Public IP).

@vturecek

vturecek commented Nov 3, 2021

Yes, we will support bringing your own VNET in the very near future.

Currently, you can run Container Apps with HTTPS endpoints that are not accessible publicly, without bringing your own VNET, by setting `configuration.ingress.external` to false (see: https://docs.microsoft.com/en-us/azure/container-apps/ingress?tabs=bash#configuration). But you won't be able to deploy other Azure resources into that VNET this way, so this is mainly used for microservices within a Container App Environment that need to communicate directly with each other.
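
As an added example, not part of the comment above or of the Container Apps project: a small Python audit that reads container app definitions and flags any whose `configuration.ingress.external` is not a literal `false`. The sample definitions, app names and the `allow_external` parameter are constructed for illustration, and the JSON shape assumes the setting sits under `properties.configuration.ingress` as in an ARM resource.

```python
import json

# Constructed sample: container app definitions shaped like ARM resources,
# with ingress settings under properties.configuration.ingress (assumption).
SAMPLE_APPS = json.loads("""
[
  {"name": "orders-api",
   "properties": {"configuration": {"ingress": {"external": false, "targetPort": 8080}}}},
  {"name": "storefront",
   "properties": {"configuration": {"ingress": {"external": true, "targetPort": 443}}}},
  {"name": "queue-worker",
   "properties": {"configuration": {}}},
  {"name": "legacy-svc",
   "properties": {"configuration": {"ingress": {"external": "[parameters('isExternal')]"}}}}
]
""")


def classify_ingress(app):
    """Return 'none', 'internal', 'external' or 'review' for one app definition."""
    config = (app.get("properties") or {}).get("configuration") or {}
    ingress = config.get("ingress")
    if not ingress:
        return "none"          # no ingress block: no HTTP endpoint to audit
    external = ingress.get("external")
    if external is True:
        return "external"      # endpoint is reachable publicly
    if external is False:
        return "internal"      # endpoint is limited to the environment
    return "review"            # missing, or a template expression: check by hand


def audit(apps, allow_external=()):
    """List (name, reason) for apps that are public without being allow-listed."""
    findings = []
    for app in apps:
        name = app.get("name", "<unnamed>")
        state = classify_ingress(app)
        if state == "external" and name not in allow_external:
            findings.append((name, "ingress.external is true"))
        elif state == "review":
            findings.append((name, "ingress.external is missing or not a literal boolean"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_APPS):
        print(f"{name}: {reason}")
```
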

@Phiph

Phiph commented Nov 4, 2021

@vturecek Yes please, can't wait for this integration! Very interested in this, as the first thing I wanted to try is connecting to my Redis Cluster via a Private Link.

@mackie1001

> @vturecek Yes please, can't wait for this integration! Very interested in this, as the first thing I wanted to try is connecting to my Redis Cluster via a Private Link.

Ditto Cosmos DB with a dedicated gateway amongst other things.

@gpltaylor

Can I please up-vote. We have many bare-metal in-house services that we expose over VNET/s.

I would like the ability to add multiple VNETs to the Container App Environment, where all containers with the ENV would be granted access.

@bihe

bihe commented Nov 23, 2021

VNET Integration is needed for us to consider ACA for prod-usage. Our services need to access on-prem resources via Express-Route. Very much looking forward to having a VNET possibility!

@onionhammer

In light of ChaosDB, Azure should really be putting in the effort to allow their 'consumption' 'serverless' compute platforms to talk to DBs behind firewalls.

@dewolfs

dewolfs commented Dec 2, 2021

Upvoting this feature request also. We would like to ingest ACA into our existing VNET.

@KaiWalter

As we already spoke in our private preview onboarding call: My group cannot shift any workloads from Service Fabric or AKS without bring-your-own-VNET.

@takekazuomi

Congratulations, it seems to have been released. I will try using it.
https://docs.microsoft.com/en-us/azure/container-apps/vnet-custom?tabs=bash&pivots=azure-cli

@krispenner

Documentation doesn’t mention private endpoints or NAT gateways. Curious if private endpoints to Cosmos DB, blob storage and key vaults will work, and can a VNet NAT gateway be applied to the subnets?

@KaiWalter

KaiWalter commented Feb 2, 2022

I removed and installed the extension again - containerapp-0.2.2-py2.py3-none-any.whl as there was no 0.2.3 and 0.3.0 - but could not see the Azure CLI parameter `--app-subnet-resource-id` mentioned here https://docs.microsoft.com/en-us/azure/container-apps/vnet-custom?tabs=bash&pivots=azure-cli#create-an-environment

...but there is such a parameter in Pulumi.AzureNative 1.55.0-alpha.1643762497

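        // appSubnetResourceId is a placeholder for the resource ID of the app subnet.
        // The snippet is cut off in the original post; the remaining arguments are not shown.
        var kubeEnv = new KubeEnvironment("env", new KubeEnvironmentArgs
        {
            ContainerAppsConfiguration = new ContainerAppsConfigurationArgs
            {
                AppSubnetResourceId = appSubnetResourceId,
            },
        });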

I will give it a spin

@KaiWalter

> Documentation doesn’t mention private endpoints or NAT gateways. Curious if private endpoints to Cosmos DB, blob storage and key vaults will work, and can a VNet NAT gateway be applied to the subnets?

Private endpoints is what I want to test for our scenarios.

@tomkerkhove
Member

@jbpaux

jbpaux commented Feb 4, 2022

Do you have more info/justification for such a large required VNet? /21 is quite huge. Do you have the assumptions that made this requirement somewhere? (I guess it's based on number of container apps deployed, number of revisions, scale-out settings of container apps, but 2096 IPs seem huge at first sight.)
Thanks :)

dariagrigoriu unpinned this issue Feb 11, 2022

@kendallroden
Contributor

@jbpaux it's a fair question. Your guess was correct in that we ask for the large subnet to support auto-scale. However, we are looking into ways we can optimize the amount of IP space required!

@audunsolemdal

I might be overlooking some details here, but I've set up a self-hosted Azure Pipelines agent running on Azure Container Apps. I tried setting firewall rules to the SCM endpoint of my Azure Functions as to only accept traffic from the subnet where my container apps are running, but it did not work. It seems that the outbound traffic is all routed through a gateway with a PIP, is this expected?

@krispenner

krispenner commented Feb 23, 2022

@audunsolemdal I'd imagine you would need your Azure Function to be connected to the VNet via a private endpoint and use Azure Private DNS to direct traffic to it. But I am not that familiar with SCM access from a VNet.

https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-vnet#lock-down-your-function-app

@kendallroden
Contributor

This feature is available. Closing this issue. If you have any future questions around VNet feel free to create a specific issue. Thanks

kendallroden removed the roadmap label Apr 22, 2022