Container Apps with Vnet seems to download images over the Load balancer?

Terranca 0

Hey all, I'm experimenting with using Container Apps and my setup seems fairly simple: I have a Container App using a VNET and a (public) ACR hosting the docker image. When my app spins up, I'm seeing quite big spikes (500MB in a few seconds) in the load balancer traffic (on port 0, inbound, which is weird?) being charged. I have the feeling that the image is being pulled over the load balancer ports and not internally through Service Endpoints? I have Service Endpoints set up for the VNet for both Microsoft.ContainerRegistry and Microsoft.Storage (for the region the registry is hosted) Am I missing something here?

1 answer

Anveshreddy Nimmala 3,545 Reputation points Microsoft Vendor

2024-02-12T13:37:02.9166667+00:00

Hello Terranca, Welcome to Microsoft Q&A,Thankyou for posting your Query here. you have set up Service Endpoints correctly for the VNet. However, it is possible that the image is being pulled over the load balancer ports instead of through Service Endpoints.

i.To verify this, you can check the logs of your Container App to see if there are any errors related to Service Endpoints. ii. You can also check the logs of your ACR to see if there are any requests coming from the load balancer IP address. If you find that the image is being pulled over the load balancer ports, you can try the following steps to troubleshoot the issue: A. Check if the subnet of your Container App is correctly configured to use the Service Endpoints. You can do this by going to the subnet configuration of your VNet and checking if the subnet is associated with the correct Service Endpoint. B. Also check ip address of Container App is correctly configured to your service endpoints by going to ip address configuration of your container app and see whether IP is associated with correct service endpoint. C. confirm whether firewall rules of your ACR are correctly configured to allow traffic from IP address to container app by checking your firewall configuration of your Acr if ip address of your container app is allowed. Hope this helps you, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!.
Please sign in to rate this answer.
Anveshreddy Nimmala 3,545 Reputation points Microsoft Vendor

2024-02-14T04:24:25.69+00:00

Hello Terranca, If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!.

Terranca 0 Reputation points

2024-02-14T11:08:03.7666667+00:00

Hi, I created a Traffic Analysis, which helps to analyse the stuff you are mentioning, and I do see most traffic from the (hidden) container vm's towards an IP that seems to be related to: Storage, Storage.WestEurope, AzureCloud.westeurope, AzureCloud. Which I would expect to be covered by the vnet service endpoints -- still not sure why it's using the public IP for those though...

Anveshreddy Nimmala 3,545 Reputation points Microsoft Vendor

2024-02-15T05:04:09.46+00:00

Hello Terranca,

thankyou for replying back

This traffic should be covered by the VNet Service Endpoints that you have set up. However, it's unclear why the traffic is using the public IP instead of the Service Endpoints.

To troubleshoot this issue further, you can try the following steps: Check if the Service Endpoints are correctly configured for the subnet that your Container App is using. You can do this by going to the subnet configuration of your VNet and checking if the subnet is associated with the correct Service Endpoint.

Check if the IP address of your Container App is correctly configured to use the Service Endpoints. You can do this by going to the IP address configuration of your Container App and checking if the IP address is associated with the correct Service Endpoint.

Check if the firewall rules of your Storage account are correctly configured to allow traffic from the IP address of your Container App. You can do this by checking the firewall configuration of your Storage account to see if the IP address of your Container App is allowed.

Check if the Storage account is correctly configured to use the VNet Service Endpoints. You can do this by going to the Networking configuration of your Storage account and checking if the VNet and subnet are correctly configured.

Hope this helps you, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!.

Terranca 0 Reputation points

2024-02-15T22:31:36.1933333+00:00

Hi, thanks for the suggestions. In the end, I decided to delete my entire Container Apps Environment and recreate it from scratch. The outcome was completely different; instead of 2 ipv4's it only had 1, I can't see the kubernetes nodes in the vnet's "Connected devices" anymore, and the subnet was delegated to Microsoft.App/managedEnvironments. And, more importantly, the loadbalancer is not pulling the image over the public IP anymore. Seems the template I used through the Azure portal (I think just consumption only with private vnet) was causing the issue.

Anveshreddy Nimmala 3,545 Reputation points Microsoft Vendor

2024-02-16T05:18:20.4133333+00:00

Hello Terranca, thankyou for replying back

It's great to hear that recreating your Container Apps environment from scratch resolved the issue! It sounds like the issue may have been caused by a misconfiguration in the original environment setup. it's possible that the original environment was set up with a public IP address, which caused the load balancer to pull the image over the public IP instead of using the VNet Service Endpoints. Additionally, it's possible that the original environment was not properly configured to use the VNet, which could have caused the Kubernetes nodes to appear as connected devices in the VNet. By recreating the environment from scratch, you were able to ensure that the environment was properly configured to use the VNet and that the load balancer was not using the public IP address. This is likely why you are no longer seeing the issues you were experiencing before. please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community and confirm if we can close the thread.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Container Apps with Vnet seems to download images over the Load balancer?

1 answer

Your answer