
Is It Possible to Restrict Access to Azure Container Instance with IP restrictions


TODAY:

Not with Container Groups: if you open up a port on the container group, it is public to the world.

Container-Group is the little brother (mini version) of full-on AKS.

AKS, the big brother, gives you more control.

See : https://docs.microsoft.com/en-us/azure/aks/internal-lb


-IpAddressType Accepted values: Public

https://docs.microsoft.com/en-us/powershell/module/azurerm.containerinstance/new-azurermcontainergroup?view=azurermps-6.13.0

Note, the only value accepted in documentation is "Public"

However, they put the placeholder in for future arguments besides "Public", so I think they see this as a gap in functionality.


As mentioned in the above comment, you can expose them to a VNET now (in Preview):

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-vnet

Once connected to a VNET you can use Network Security Groups to only allow traffic from allowed IPs or networks. The route you are currently taking will not work.


Seems like no, at least natively with Azure Container Instance.
There are two options to deploy Azure Container Instances:

  1. publicIP - you can't restrict access to this type of deployment.
  2. Custom VNet - you can apply restrictions with network security groups (NSG), but Azure Container Instances doesn't support exposing containers publicly in this case. See documentation:

     Unsupported networking scenarios:
     Public IP or DNS label - Container groups deployed to a virtual network don't currently support exposing containers directly to the internet with a public IP address or a fully qualified domain name.

As an option, you can try to do the following (it supports restrictions for HTTP/HTTPS traffic only):

  1. Put an Application Gateway in front of the ACI deployed in the custom VNet to expose the containers publicly (you can find some examples, like this one).
  2. Add IP whitelisting restrictions to the NSG in the custom VNet for ACI.
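An added example (not from the question or any of the answers) of the second option above in Az PowerShell: an NSG that admits HTTPS to the ACI-delegated subnet only from approved source ranges, such as an office range and the Application Gateway's own subnet, with an explicit catch-all deny underneath. Resource names, CIDRs and the subnet address prefix are placeholders.

```powershell
# Added example: NSG whitelisting for an ACI subnet in a custom VNet.
# Requires the Az module and an authenticated session (Connect-AzAccount).
$rg        = 'rg-aci-demo'     # placeholder resource group
$location  = 'westeurope'      # placeholder region
$vnetName  = 'vnet-aci-demo'   # placeholder VNet
$aciSubnet = 'snet-aci'        # placeholder subnet delegated to ACI
# Constructed allow-list: an office range and the Application Gateway subnet.
$allowedCidrs = @('203.0.113.0/24', '10.10.1.0/24')

# Rule 1 (priority 100): HTTPS only from the approved ranges.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-Allowed' `
  -Description 'HTTPS from approved ranges only' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix $allowedCidrs -SourcePortRange '*' `
  -DestinationAddressPrefix '*' -DestinationPortRange 443

# Rule 2 (priority 4096, the lowest custom priority): explicit deny so the
# built-in AllowVnetInBound / AllowAzureLoadBalancerInBound defaults (65000+)
# never match. If other VNet services must reach the containers, add an
# Allow rule with a priority between 100 and 4096 for them.
$denyRest = New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' `
  -Description 'Explicit catch-all deny' `
  -Access Deny -Protocol '*' -Direction Inbound -Priority 4096 `
  -SourceAddressPrefix '*' -SourcePortRange '*' `
  -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
  -Name 'nsg-aci' -SecurityRules $allowHttps, $denyRest

# Attach the NSG to the ACI subnet. The delegation to
# Microsoft.ContainerInstance/containerGroups is what ACI-in-VNet requires.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$delegation = New-AzDelegation -Name 'aciDelegation' `
  -ServiceName 'Microsoft.ContainerInstance/containerGroups'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $aciSubnet `
  -AddressPrefix '10.10.2.0/24' -NetworkSecurityGroup $nsg `
  -Delegation $delegation | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify the rule set in evaluation order (lowest priority number wins).
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-aci' |
  Select-Object -ExpandProperty SecurityRules |
  Sort-Object Priority |
  Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

Because the allow rule matches only port 443, any non-HTTPS port the container group opens stays unreachable from outside the listed ranges; widen `-DestinationPortRange` deliberately rather than opening `'*'`.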