How can we expose an ACI instance while in a VNet?

martin 60 Reputation points
2023-12-22T08:22:12.3566667+00:00

I have an ACI that is running a REST API that needs to be exposed publicly, but needs to access resources inside a vnet.

For some reason, unlike normal VMs, if an ACI is inside a vnet, it cannot have a public IP address. If you try to give it a DNS name it fails.

The only option seems to be to use an Application Gateway as described here:
https://video2.skills-academy.com/en-us/azure/container-instances/container-instances-application-gateway

But this approach has a fatal flaw, as indicated in the documentation itself: "If the container group is stopped, started, or restarted, the container group's private IP is subject to change. If this happens, you will need to update the application gateway configuration."

The Application Gateway has the option to select a backend pool by resource name, but this is only for normal VMs. The other option is to put in the IP address directly.

An ACI can easily get restarted without you noticing. From experience, it happens relatively often that the host kills it and restarts it, possibly taking a different IP.

What is the right approach to expose a service running on an ACI instance on the internet, and at the same time have it access resources behind a vnet? The Application Gateway approach is evidently not the right approach.


Accepted answer
    v-vvellanki-MSFT 4,920 Reputation points Microsoft Vendor
    2023-12-22T09:07:13.6533333+00:00

    Hi @martin ,
    Thanks for contacting Microsoft Q&A platform.

    My approach to solve this would be to use init containers.
    Any container group can have up to 59 init containers that act the same as k8s init containers.
    Once in the init container, you can pull the updated container instance private IP:

    ipAddress=$(az container show --resource-group "MyResourceGroup" --name "MyContainer" --query ipAddress.ip -o tsv)

    Then update the application gateway backend pool ip:

    az network application-gateway address-pool update -g MyResourceGroup --gateway-name MyAppGateway -n MyAddressPool --servers "$ipAddress"

    Note: every init container must exit successfully before your application begins, so make sure you have a restart policy for the init containers in case one fails.
    Note 2: To give the container instance the correct permissions in your Azure portal you can use managed identity and IAM.
    Note 3: A container with the Azure CLI: mcr.microsoft.com/azure-cli

    Here is a reference on init containers.

    Hope this helps you.
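The init-container step the answer sketches, written out as a runnable script. This is an added example, not code from the original answer; it assumes placeholder resource names passed as environment variables, a system-assigned managed identity on the container group, and the mcr.microsoft.com/azure-cli image from Note 3.

```shell
#!/bin/sh
# Runs inside the azure-cli init container before the API container starts.
# Resource names are assumed placeholders, overridable via the environment.
set -eu
: "${RESOURCE_GROUP:=MyResourceGroup}"
: "${CONTAINER_GROUP:=MyContainer}"
: "${APPGW_NAME:=MyAppGateway}"
: "${POOL_NAME:=MyAddressPool}"
: "${RETRY_DELAY:=5}"   # seconds between lookups of the private IP
# Accept only a dotted-quad IPv4 address, so an empty or malformed CLI
# result can never be written into the gateway configuration.
is_ipv4() {
  case "$1" in
    '' | .* | *. | *..* | *[!0-9.]*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}
# Print the container group's current private IP. '-o tsv' returns the bare
# value; '-o json --query' wraps it in quotes, which would break the update.
resolve_private_ip() {
  attempt=1
  while [ "$attempt" -le 5 ]; do
    ip=$(az container show -g "$RESOURCE_GROUP" -n "$CONTAINER_GROUP" \
           --query ipAddress.ip -o tsv 2>/dev/null || true)
    if is_ipv4 "$ip"; then printf '%s\n' "$ip"; return 0; fi
    attempt=$((attempt + 1)); sleep "$RETRY_DELAY"
  done
  echo "no private IP found for $CONTAINER_GROUP" >&2
  return 1
}
# Point the backend pool at that IP; a non-zero exit fails the init container,
# so the restart policy retries instead of starting the API behind a stale IP.
sync_backend_pool() {
  ip=$(resolve_private_ip) || return 1
  az network application-gateway address-pool update -g "$RESOURCE_GROUP" \
    --gateway-name "$APPGW_NAME" -n "$POOL_NAME" --servers "$ip" >/dev/null
  echo "backend pool $POOL_NAME now points at $ip"
}
# Init container entry point, e.g. command: ["sh", "/sync.sh", "run"].
# Assumes a system-assigned managed identity that can read the container
# group and write the application gateway (e.g. Network Contributor).
case "${1:-}" in
  run) az login --identity >/dev/null; sync_backend_pool ;;
esac
```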
