-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Private link support for Workload Profiles #867
Comments
Any new information on this? It is needed for FrontDoor support with Consumption + Dedicated and internal vNet only |
Any estimates on when this will become available? |
Looking for a status update on this as well. I'm aiming to run Azure Container Apps behind an Azure Firewall with UDR's, which leaves me no choice but to use Workload Profiles (serverless only would be fine, but it doesn't support UDR's according to this doc). Workload profiles luckily also supports a serverless variation, but now I'm struggling on how to set up some form of inbound internet connectivity, ideally using Azure Frontdoor. The one guide from Microsoft which details on how to set this up assumes the exposed loadbalancer is called |
Can we please get a update on this? |
Are there any new information on the progress to get PLS support to CA with internal LB? |
Can we get an update on this? This seems like basic functionality that's missing. |
I am wanting to migrate from consumption only to dedicated since I need:
I don't think there are plans for a migration from consumption only to dedicated? I am using front door for ingress to my consumption only plan, I cannot migrate due to lack of support for private links i.e. connecting front door where apis are on the same domain |
My customer has same problem. Any estimates ? |
+1 waiting for the implementation. |
I'd like to use workload profiles to have NAT gateway support, but then I can't have the environments private which is a big downside. |
Any update on when the fix will be ready for this? |
Is there an update or ETA? |
Also looking for an update |
Hi all can we get an eta for this? |
Hi folks, we are targeting end of Q2 CY2024 for this feature. |
It's mid May, any update on this? |
We are ready for private preview, if you are interested in private preview, can you help to fill this form https://forms.office.com/r/fuhKa4UMy6 |
Would this be available for private preview in China also? |
Cargill Development Group:
fsdi-dev-unity <https://portal.azure.com/>:
a3cfee58-9860-4304-8f70-04e60a850479
fsdi-shared-services <https://portal.azure.com/>:
0c5f9978-efb7-42a1-a3d7-f2240c797607
fsdi-unity-prod <https://portal.azure.com/>:
50966e37-8361-4b25-a3d6-12cbed1fb293
fsdi-unity-stage-uat <https://portal.azure.com/>:
f9c39143-872d-4e2a-9a10-cd13d1612e3c
fsdi-unity-test <https://portal.azure.com/>:
29d150d3-e2c1-4864-8f1a-bc68d4685a54
https://ardeshir.io
***@***.***
https://github.com/ardeshir
***@***.***
https://www.linkedin.com/in/ardeshir
https://sepahsalar.substack.com/
…On Fri, May 31, 2024 at 8:27 AM Vincent He ***@***.***> wrote:
We are ready for private preview, if you are interested in private
preview, please send you subscription id to acasupport(at)microsoft(dot)com
and we can whitelist your sub for private preview.
Public preview still need some time.
—
Reply to this email directly, view it on GitHub
<#867 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAQCDR6TYVFENUUWAIB6C3ZFB3DBAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBSGE3DKMJZG4>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
@vandanchev we do not open Azure China for private preview now, thanks |
I have sent a E-Mail and used the form, we are ready for Private Preview testing of this functionality |
I've tested out the functionality, but either I am missing something or this does not address the issue at hand:
The Container Apps need to be added as origins to Front Door via a private link service, which is still not doable due to the original issue of Workload Profiles Container App Environment's managed Load Balancers using the IP based backend pool. |
Is there any documentation? I cant see how to add a private endpoint on my workload profile ACA
…________________________________
From: NemSimpraga ***@***.***>
Sent: 03 June 2024 12:09
To: microsoft/azure-container-apps ***@***.***>
Cc: Jack Caplin ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867)
NOTICE! This email was sent from outside Paxton.
Please do not click links or open attachments unless you recognise the sender and know the content is safe.
I've tested out the functionality, but either I am missing something or this does not address the issue at hand:
* The added functionality enables creating a private endpoint for the Container App Environment in Workload Profiles mode
* As far as I can see, this does not enable the private link service support that's needed to route traffic from Front Door to the Container Apps in the Container App environment
The Container Apps need to be added as origins to Front Door via a private link service, which is still not doable due to the original issue of Workload Profiles Container App Environment's managed Load Balancers using the IP based backend pool.
—
Reply to this email directly, view it on GitHub<#867 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A2AWLZWGAY33P4OUGGI2MTTZFRFH5AVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBUHEZDANJTGY>.
You are receiving this because you commented.Message ID: ***@***.***>
Jack Caplin
Chief IT Architect
[https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>
Phone: 01273 811011
Mobile: 07534563400
Web: www.paxton-access.com<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>
Email: ***@***.******@***.***>
Paxton House, Brighton, BN1 9HU
Find us on the map<https://goo.gl/maps/9vNLzgN1qR1zNg9A9>
[https://public.paxton-access.co.uk/public/emailfooterimages/image002.png] <https://www.facebook.com/PaxtonAccessLtd/> [https://public.paxton-access.co.uk/public/emailfooterimages/image003.png] <https://www.linkedin.com/company/paxton-access-ltd/> [https://public.paxton-access.co.uk/public/emailfooterimages/image004.png] <https://twitter.com/paxtonaccess> [https://public.paxton-access.co.uk/public/emailfooterimages/image005.png] ***@***.***/>
[https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]<https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour>
|
You need to apply for the private preview, and you'll be able to create a private endpoint for your Container App Environment. The problem is that it doesn't really seem to solve anything, as you just get a private endpoint to your Environment in a subnet of your choosing. The same can be accomplished by simply creating an Environment with That, or I am just missing something :) |
My subscriptions have been whitelisted for the preview.
What is the pre-release feature called you enabled?
…________________________________
From: Nemanja Simpraga ***@***.***>
Sent: 03 June 2024 12:34
To: microsoft/azure-container-apps ***@***.***>
Cc: Jack Caplin ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867)
NOTICE! This email was sent from outside Paxton.
Please do not click links or open attachments unless you recognise the sender and know the content is safe.
Is there any documentation? I cant see how to add a private endpoint on my workload profile ACA
You need to apply for the private preview, and you'll be able to create a private endpoint for your Container App Environment. The problem is that it doesn't really seem to solve anything, as you just get a private endpoint to your Environment in a subnet of your choosing. The same can be accomplished by simply creating an Environment with internalOnly mode, where you get an L4 LB with a private IP.
That, or I am just missing something :)
|
You don't need to enable anything, you're just able to create a private endpoint to your ACA Environment, as I said. That's about it. |
Ok, I have created the private endpoint for the workload profile. I have added this endpoint as an origin group in Azure Front Door. Looks good so far |
Hi! We need this Feature also whitelisted for our Subscription. Can you please Whitelist us? |
I have been playing with this functionality, and I have to say there are some very weird points to consider about the implementation around this feature. Primarily, how the public availability of the application is influenced by the creation of a private endpoint. Example:
Here's the kicker: I can still reach the Container App over the public IP of the Container App environment! This seems like a very weird setup as the application is not completely private (which we can see from the fact that it's available over its public IP), but it is also not available over the public internet when trying to resolve its actual FQDN. What I expected to get after creating a private endpoint for the Container App Environment:
What we get is a partial solution: public access is restricted only on the DNS level for the Container Apps since their FQDNs won't resolve to the public IP of the Container App Environment. This does not make sense if you ask me, hope it helps in figuring our which direction this feature needs to go. |
Doesn't this depend on how you created the Container App Environment?
Do you have a Workload Profile with ingress set to internal only?
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Nemanja Simpraga ***@***.***>
Sent: Friday, June 14, 2024 5:47:00 PM
To: microsoft/azure-container-apps ***@***.***>
Cc: Jack Caplin ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867)
NOTICE! This email was sent from outside Paxton.
Please do not click links or open attachments unless you recognise the sender and know the content is safe.
I have been playing with this functionality, and I have to say there are some very weird points to consider about the implementation around this feature.
Primarily, how the public availability of the application is influenced by the creation of a private endpoint.
Example:
* Created a private endpoint in my VNet for my Container App Environment
* Connected via VNet Gateway into the same VNet where the private endpoint is
* I can see that when calling the FQDN of my Container App deployed to that Environment, it resolves to the private IP of my environment's private endpoint and I can successfully connect to my application
* When not connected to the VPN, the FQDN of my Container App resolves to a random Azure public IP
* importantly, not the actual public IP of the deployed Container App Environment!
* this means my application is not available by resolving its FQDN, if I am not connected to my VPN (and configured private DNS resolution)
Here's the kicker: I can still reach the Container App over the public IP of the Container App environment!
All I have to do is issue an HTTP request directly to the public IP (not the FQDN) of the Container App while setting the "Host" header to the FQDN of my deployed Container App, and I will be able to successfully reach the Container App.
This seems like a very weird setup as the application is not completely private (which we can see from the fact that it's available over its public IP), but it is also not available over the public internet when trying to resolve its actual FQDN.
What I expected to get after creating a private endpoint for the Container App Environment:
* a way into the Container Apps of the Environment via the private network the private endpoint is in
* by default, the Container Apps would stay publically available over their FQDN if the access was not specifically restricted to a private IP range via the Container Apps ingress IP restriction
What we get is a partial solution: public access is restricted only on the DNS level for the Container Apps since their FQDNs won't resolve to the public IP of the Container App Environment.
But, crucially, they will stay available by directly accessing the public IP with a properly set "Host" header.
This does not make sense if you ask me, hope it helps in figuring our which direction this feature needs to go.
|
Hi @NSimpragaVolur, thank you for the feedback and for the detailed writeup with repro steps. We'll investigate this to verify the behavior and whether we need to make updates to align with expectations for the feature. |
That is true, if you create a Container App Environment with My issue is primarily with ACA Envs with public IPs (i.e. The better option, if you ask me (and no one is : ]), is leaving the internet route intact even with a created private endpoint. That is, the FQDNs resolve to the actual public IP of the environment when called from the internet, but when the FQDNs resolve from a VNet, they will resolve to the private IP of the endpoint. This is similar to other private endpoint implementations. Example: the FQDN of an Azure Flex Postgres server will resolve to the private IP of a private endpoint when the DNS resolution call comes from inside a VNet, but will resolve to the public IP of the server when it comes from the internet. Then on the server itself you can configure firewall rules for the public IP, i.e. let in whatever you want from the public, while private access is handled by the private endpoint. Container Apps themselves have IP restriction rules, which might be used similarly as a Postgres Flex server firewall rule. |
"But in such Container App Environments, you mostly don't really have a need to create a private endpoint."
I do if I want to use Azure Front Door.
This was my use case for a private endpoint, as my environments must have properties.vnetConfiguration.internal set as true.
I've been using Application Gateway as interim hops.
For my case, this is all working as expected
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: NemSimpraga ***@***.***>
Sent: Saturday, June 15, 2024 1:36:22 PM
To: microsoft/azure-container-apps ***@***.***>
Cc: Jack Caplin ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867)
NOTICE! This email was sent from outside Paxton.
Please do not click links or open attachments unless you recognise the sender and know the content is safe.
Doesn't this depend on how you created the Container App Environment? Do you have a Workload Profile with ingress set to internal only? Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
…
________________________________ From: Nemanja Simpraga @.> Sent: Friday, June 14, 2024 5:47:00 PM To: microsoft/azure-container-apps @.> Cc: Jack Caplin @.>; Comment @.> Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867<#867>) NOTICE! This email was sent from outside Paxton. Please do not click links or open attachments unless you recognise the sender and know the content is safe. I have been playing with this functionality, and I have to say there are some very weird points to consider about the implementation around this feature. Primarily, how the public availability of the application is influenced by the creation of a private endpoint. Example: * Created a private endpoint in my VNet for my Container App Environment * Connected via VNet Gateway into the same VNet where the private endpoint is * I can see that when calling the FQDN of my Container App deployed to that Environment, it resolves to the private IP of my environment's private endpoint and I can successfully connect to my application * When not connected to the VPN, the FQDN of my Container App resolves to a random Azure public IP * importantly, not the actual public IP of the deployed Container App Environment! * this means my application is not available by resolving its FQDN, if I am not connected to my VPN (and configured private DNS resolution) Here's the kicker: I can still reach the Container App over the public IP of the Container App environment! All I have to do is issue an HTTP request directly to the public IP (not the FQDN) of the Container App while setting the "Host" header to the FQDN of my deployed Container App, and I will be able to successfully reach the Container App. This seems like a very weird setup as the application is not completely private (which we can see from the fact that it's available over its public IP), but it is also not available over the public internet when trying to resolve its actual FQDN. What I expected to get after creating a private endpoint for the Container App Environment: * a way into the Container Apps of the Environment via the private network the private endpoint is in * by default, the Container Apps would stay publically available over their FQDN if the access was not specifically restricted to a private IP range via the Container Apps ingress IP restriction What we get is a partial solution: public access is restricted only on the DNS level for the Container Apps since their FQDNs won't resolve to the public IP of the Container App Environment. But, crucially, they will stay available by directly accessing the public IP with a properly set "Host" header. This does not make sense if you ask me, hope it helps in figuring our which direction this feature needs to go. — Reply to this email directly, view it on GitHub<#867 (comment)<#867 (comment)>>, or unsubscribehttps://github.com/notifications/unsubscribe-auth/A2AWLZQZBZDXCUNGZERXMOTZHMNAJAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRYGQYTCMRXHA. You are receiving this because you commented.Message ID: @.> Jack Caplin Chief IT Architect [https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature Phone: 01273 811011 Mobile: 07534563400 Web: www.paxton-access.com<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature<http://www.paxton-access.com%3Chttps://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>> Email: @.@.> Paxton House, Brighton, BN1 9HU Find us on the maphttps://goo.gl/maps/9vNLzgN1qR1zNg9A9 [https://public.paxton-access.co.uk/public/emailfooterimages/image002.png] https://www.facebook.com/PaxtonAccessLtd/ [https://public.paxton-access.co.uk/public/emailfooterimages/image003.png] https://www.linkedin.com/company/paxton-access-ltd/ [https://public.paxton-access.co.uk/public/emailfooterimages/image004.png] https://twitter.com/paxtonaccess [https://public.paxton-access.co.uk/public/emailfooterimages/image005.png] @./> [https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour
That is true, if you create a Container App Environment with properties.vnetConfiguration.internal as true, the L4 LB you get with the environment has a private IP, and there's no way to reach it directly from the public. But in such Container App Environments, you mostly don't really have a need to create a private endpoint. Perhaps to expose your Container Apps privately to VNets other than the one you integrated the Container App Environment with.
My issue is primarily with ACA Envs with public IPs (i.e. properties.vnetConfiguration.internal = false). If creating a private endpoint will make the FQDNs non-routable publically, then the public IP should not accept internet traffic at all, not let in traffic if someone is pointing calls to the public IP of you environment directly.
The better option, if you ask me (and no one is : ]), is leaving the internet route intact even with a created private endpoint. That is, the FQDNs resolve to the actual public IP of the environment when called from the internet, but when the FQDNs resolve from a VNet, they will resolve to the private IP of the endpoint. This is similar to other private endpoint implementations.
Example: the FQDN of a Flex Postgres server will resolve to the private IP of a private endpoint when the DNS resolution call comes from inside a VNet, but will resolve to the public IP of the server when it comes from the internet. Then on the server itself you can configure firewall rules for the public IP, i.e. let in whatever you want from the public, while private access is handled by the private endpoint.
Container Apps themselves have IP restriction rules, which might be used similarly as a Postgres Flex server firewall rule.
—
Reply to this email directly, view it on GitHub<#867 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A2AWLZVT7H267LFYI2FCVXDZHQYMNAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRZGQ4DSMRRHE>.
You are receiving this because you commented.Message ID: ***@***.***>
|
But if you're using AppGw for interim hops between Front Door and your internal Container App environment, then you don't need the private endpoint. You just put your AppGw in the same VNet as your Container App Environment and route traffic to its IP, which is already private anyways. Only if your AppGw is integrated into a VNet other than the one your Container App Environment is, private endpoint becomes useful. Which is what I meant by:
|
But with the private endpoints, I no longer need the app gateways. Until private endpoint support for workload profiles, they were the only method (apart from app proxies) to integrate front door.
I have now removed the app gateways. One per region. Less infrastructure to maintain and less cost.
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Nemanja Simpraga ***@***.***>
Sent: Saturday, June 15, 2024 3:12:58 PM
To: microsoft/azure-container-apps ***@***.***>
Cc: Jack Caplin ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867)
NOTICE! This email was sent from outside Paxton.
Please do not click links or open attachments unless you recognise the sender and know the content is safe.
I've been using Application Gateway as interim hops.
But if you're using AppGw for interim hops between Front Door and your internal Container App environment, then you don't need the private endpoint. You just put your AppGw in the same VNet as your Container App Environment and route traffic to its IP, which is already private anyways.
Only if your AppGw is integrated into a VNet other than the one your Container App Environment is, private endpoint becomes useful. Which is what I meant by:
Perhaps to expose your Container Apps privately to VNets other than the one you integrated the Container App Environment with.
—
Reply to this email directly, view it on GitHub<#867 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A2AWLZVCW2RDTJRALDPRICLZHRDWVAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRZG4ZTMMZSG4>.
You are receiving this because you commented.Message ID: ***@***.***>
Jack Caplin
Chief IT Architect
[https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>
Phone: 01273 811011
Mobile: 07534563400
Web: www.paxton-access.com<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>
Email: ***@***.******@***.***>
Paxton House, Brighton, BN1 9HU
Find us on the map<https://goo.gl/maps/9vNLzgN1qR1zNg9A9>
[https://public.paxton-access.co.uk/public/emailfooterimages/image002.png] <https://www.facebook.com/PaxtonAccessLtd/> [https://public.paxton-access.co.uk/public/emailfooterimages/image003.png] <https://www.linkedin.com/company/paxton-access-ltd/> [https://public.paxton-access.co.uk/public/emailfooterimages/image004.png] <https://twitter.com/paxtonaccess> [https://public.paxton-access.co.uk/public/emailfooterimages/image005.png] ***@***.***/>
[https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]<https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour>
|
Really? I am really curious how you send traffic from Front Door to the private endpoint directly. You usually do it via Private Link Service and the Container App's L4 load balancer with a non IP-based backend pool, which is only applicable for Consumption-only environments. Workload profiles still have the IP-based backend pool L4 LB, so I don't understand how a private endpoint helps overcome this issue? |
Any updates? |
We've been enabled for the preview and I can confirm that this does let you create a private endpoint attached to the container app environment (so you don't have to create a private link service on the internal load balancer). However there is still the missing piece that Front Door does not support adding a private link origin attached to the container app environment, which I think is what most people here are after. @chinadragon0515 - is Front Door going to be updated with origin support for direct private endpoint connectivity to a container app environment? |
No description provided.
The text was updated successfully, but these errors were encountered: