Assign Static Public Address to Azure Container Instance deployment


Problem description


Context

Working on a project to deploy a RESTful API application and separate TCP service to an Azure Container Instance. The TCP service requires a static IPv4 address due to legacy reasons.

Question

I am attempting to isolate my options to assign a static public IP address to the TCP service hosted on an Azure Container Instance. What are the options?

Tested

  1. Deployed Azure Application Gateway with a static public IP address. The App Gateway allows backend pool to be directed to an IP or FQDN endpoint. This appears to be operational (see diagram). Although the options from the backend pool appear to allow HTTP and HTTPS only, not custom ports. Maybe this can be manipulated if the TCP service can listen on 80 and web API on 443. App gateway is Layer 7 resource for HTTP and HTTPS traffic only.

  2. Azure Load Balancer. Could only be directed at the VM, Availability Set or VM Scale Set.

  3. Assign static address to the Resource. Not allowed for Container Instances.

  4. Traffic Manager. Doesn't appear to be the correct type of resource for this deployment.

See diagram. The Container Instances for API and TCP SERVICE have the same private IP address when I query via a BASH session. Suggested they are hosted on the same host (labeled as Container Group) in the attached diagram. Not sure if that is the correct label, sorry, I am new to Container tech.

Thank you for any advice. Scott

Solution

Possible Solution

May have a solution:

  • Created a new VNET
  • Address range 10.60.0.0/23
  • Created subnet Containers 10.60.0.0/24
  • Created VNET Firewall resource
  • Created subnet Firewall 10.60.1.0/24
  • Assigned Static Public Address to Firewall Resource

Now the Firewall "Rules" allow for the following:

  • NAT rules - typical port translation
  • Network Rules - route addresses
  • Application Rules - route FQDN

Working to deploy the container to this dev subnet; on the face of it all the options are there: redirect port, IP or FQDN. The game changer is the ability to assign a static public address to a resource within the VNET and allow NAT, network or app rules to redirect traffic.

Will update the thread on result tomorrow.

Update Feb 2019

OK, so don't use an Azure Firewall Resource. It's very expensive and in my case not in any way cost effective @ approx £500 per month. I did not get the time to test the theory using the firewall, but due to the cost there was not any point in following it further.

Azure Container Instances enables exposing containers directly to the internet with an IP address and a fully qualified domain name (FQDN). When you create a container instance, you can specify a custom DNS name label so your application is reachable at customlabel.azureregion.azurecontainer.io. Unfortunately Static Public IP addresses are not supported on ACI at the moment.

Certain limitations apply when you deploy container groups to a virtual network.

  • To deploy container groups to a subnet, the subnet cannot contain any other resource types. Remove all existing resources from an existing subnet prior to deploying container groups to it, or create a new subnet.

  • Container groups deployed to a virtual network do not currently support public IP addresses or DNS name labels.

  • Due to the additional networking resources involved, deploying a container group to a virtual network is typically somewhat slower than deploying a standard container instance.

https://feedback.azure.com/forums/602224-azure-container-instances

Solution Deployed

  • Ubuntu VM created using Azure Image
  • Static public address assigned to the VM
  • API and Service deployed in docker image to the VM
  • ARM template used for deployment, integrated with DevOps build and release
  • Cost per month £23.52 (Cores: 2, 3GB ram, 16GB HD)

This was initially the solution but offloading and managing the SSL cert added complexity.

Update March 2019 - New Solution Deployed

If anyone is interested (not many, based on the number of times this thread has been viewed) the final solution deployed was this:

  • Provision App Service Plan
  • Deployed "API" App Service using a Container Instance to host the API on port 443.
  • Dynamic address and standard SSL cert deployed to "API" App Service.
  • Deployed "Service" App Service using a Container Instance to host the Service port 80.
  • Static address and IP based SSL cert deployed to "Service" App Service. This has the effect of fixing the IP address on the service and meeting my "I need a static IP address" condition.
  • Costs about £65 a month to host approx.

Worth noting the only reason the cert was deployed was to fix the IP address on the "Service" app service. It's a workaround to resolve the lack of support on Azure currently to allow users to apply a static IP address to a container instance.

Update March 2020

Post updated in March for reference due to the introduction of the following feature 20/03/20:

This article shows one way to expose a static, public IP address for a container group by using an Azure application gateway. Follow these steps when you need a static entry point for an external-facing containerized app that runs in Azure Container Instances.

In this article you use the Azure CLI to create the resources for this scenario:

  • An Azure virtual network
  • A container group deployed in the virtual network (preview) that hosts a small web app
  • An application gateway with a public frontend IP address, a listener to host a website on the gateway, and a route to the backend container group

As long as the application gateway runs and the container group exposes a stable private IP address in the network's delegated subnet, the container group is accessible at this public IP address.

Create virtual network

az group create --name myResourceGroup --location eastus

Create a virtual network with the az network vnet create command. This command creates the myAGSubnet subnet in the network.

az network vnet create \
  --name myVNet \
  --resource-group myResourceGroup \
  --location eastus \
  --address-prefix 10.0.0.0/16 \
  --subnet-name myAGSubnet \
  --subnet-prefix 10.0.1.0/24

Use the az network vnet subnet create command to create a subnet for the backend container group. Here it's named myACISubnet.

az network vnet subnet create \
  --name myACISubnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet   \
  --address-prefix 10.0.2.0/24

Use the az network public-ip create command to create a static public IP resource. In a later step, this address is configured as the front end of the application gateway.

az group create --name myResourceGroup --location eastus

az network public-ip create \
  --resource-group myResourceGroup \
  --name myAGPublicIPAddress \
  --allocation-method Static \
  --sku Standard

Create container group

Run the following az container create to create a container group in the virtual network you configured in the previous step.

The group is deployed in the myACISubnet subnet and contains a single instance named appcontainer that pulls the aci-helloworld image. As shown in other articles in the documentation, this image packages a small web app written in Node.js that serves a static HTML page.

az container create \
  --name appcontainer \
  --resource-group myResourceGroup \
  --image mcr.microsoft.com/azuredocs/aci-helloworld \
  --vnet myVNet \
  --subnet myACISubnet

When successfully deployed, the container group is assigned a private IP address in the virtual network. For example, run the following az container show command to retrieve the group's IP address:

az container show \
  --name appcontainer --resource-group myResourceGroup \
  --query ipAddress.ip --output tsv

Output is similar to: 10.0.2.4.

For use in a later step, save the IP address in an environment variable:

ACI_IP=$(az container show \
  --name appcontainer \
  --resource-group myResourceGroup \
  --query ipAddress.ip --output tsv)

Create application gateway

Create an application gateway in the virtual network, following the steps in the application gateway quickstart. The following az network application-gateway create command creates a gateway with a public frontend IP address and a route to the backend container group. See the Application Gateway documentation for details about the gateway settings.

az network application-gateway create \
  --name myAppGateway \
  --location eastus \
  --resource-group myResourceGroup \
  --capacity 2 \
  --sku Standard_v2 \
  --http-settings-protocol http \
  --public-ip-address myAGPublicIPAddress \
  --vnet-name myVNet \
  --subnet myAGSubnet \
  --servers "$ACI_IP" 

It can take up to 15 minutes for Azure to create the application gateway.

Test public IP address

Now you can test access to the web app running in the container group behind the application gateway.

Run the az network public-ip show command to retrieve the frontend public IP address of the gateway:

az network public-ip show \
  --resource-group myResourceGroup \
  --name myAGPublicIPAddress \
  --query "[ipAddress]" \
  --output tsv

Output is a public IP address, similar to: 52.142.18.133.

To view the running web app when successfully configured, navigate to the gateway's public IP address in your browser. Successful access is similar to:

Browser screenshot showing application running in an Azure container instance

Ref https://docs.microsoft.com/en-us/azure/container-instances/container-instances-application-gateway
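
The static entry point described above only holds while the gateway's backend pool matches the container group's private IP. As an added example (not part of the original answer or the Microsoft article), this script compares the two and repoints the pool when they differ; the pool name appGatewayBackendPool and the helper function names are assumptions, the other names come from the walkthrough.

```shell
#!/bin/sh
# Added example: keep the gateway backend pool pointed at the container group's
# current private IP. Resource names and 10.0.2.0/24 come from the walkthrough;
# the pool name is an assumption (default of `az network application-gateway create`).
RG=myResourceGroup GATEWAY=myAppGateway ACI=appcontainer
POOL=appGatewayBackendPool ACI_CIDR=10.0.2.0/24

ip_to_int() {  # dotted quad -> integer; fails on anything else
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  ( IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
      case "$o" in ''|0?*|????*) exit 1 ;; esac   # empty, leading zero, too long
      [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

in_cidr() {  # in_cidr IP NETWORK/BITS
  ip=$(ip_to_int "$1") && net=$(ip_to_int "${2%/*}") || return 1
  mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Prints ok, drift or out-of-subnet. The pool must hold exactly the current IP:
# a stale entry is an address the gateway may still forward public traffic to.
backend_state() {  # backend_state ACI_IP CIDR [POOL_IP...]
  bs_ip=$1 bs_cidr=$2; shift 2
  in_cidr "$bs_ip" "$bs_cidr" || { echo out-of-subnet; return 0; }
  if [ "$*" = "$bs_ip" ]; then echo ok; else echo drift; fi
}

sync_backend() {  # 0 = pool correct or repaired, 1 = refused, 2 = az query failed
  aci_ip=$(az container show --name "$ACI" --resource-group "$RG" \
    --query ipAddress.ip --output tsv) || return 2
  pool_ips=$(az network application-gateway address-pool show \
    --gateway-name "$GATEWAY" --resource-group "$RG" --name "$POOL" \
    --query "backendAddresses[].ipAddress" --output tsv) || return 2
  state=$(backend_state "$aci_ip" "$ACI_CIDR" $pool_ips)
  echo "$state: container=$aci_ip pool=$(echo $pool_ips)"
  case "$state" in ok) return 0 ;; out-of-subnet) return 1 ;; esac
  az network application-gateway address-pool update \
    --gateway-name "$GATEWAY" --resource-group "$RG" --name "$POOL" \
    --servers "$aci_ip" --output none
}

if [ "${1:-}" = "--sync" ]; then sync_backend
else backend_state 10.0.2.5 "$ACI_CIDR" 10.0.2.4   # constructed values
fi
```

Run it with `--sync` from a scheduled job that is logged in to Azure; an out-of-subnet result is left for a person to investigate rather than repaired automatically.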
