| 1 | +--- |
| 2 | +title: About using Azure Virtual Network |
| 3 | +description: Scenarios, limitations, and resources to deploy container groups to an Azure virtual network. |
| 4 | +ms.topic: article |
| 5 | +ms.date: 04/20/2020 |
| 6 | +ms.author: danlep |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +# Virtual network background and scenarios |
| 11 | + |
| 12 | +[Azure Virtual Network](../virtual-network/virtual-networks-overview.md) provides secure, private networking for your Azure and on-premises resources. By deploying container groups into an Azure virtual network, your containers can communicate securely with other resources in the virtual network. This article provides background about virtual network scenarios, limitations, and resources. |
| 13 | + |
| 14 | +For deployment information, see: |
| 15 | + |
| 16 | +*[Deploy container instances into an Azure virtual network](container-instances-vnet.md). |
| 17 | +* [Regions and resource availability](container-instances-region-availability.md#availability---virtual-network-deployment) for container group deployments to a virtual network |
| 18 | + |
| 19 | +## Scenarios |
| 20 | + |
| 21 | +Container groups deployed into an Azure virtual network enable scenarios like: |
| 22 | + |
| 23 | +* Direct communication between container groups in the same subnet |
| 24 | +* Send [task-based](container-instances-restart-policy.md) workload output from container instances to a database in the virtual network |
| 25 | +* Retrieve content for container instances from a [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) in the virtual network |
| 26 | +* Container communication with on-premises resources through a [VPN gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](../expressroute/expressroute-introduction.md) |
| 27 | +* Integrate with [Azure Firewall](../firewall/overview.md) to identify outbound traffic originating from the container |
| 28 | + |
| 29 | +## Unsupported networking scenarios |
| 30 | + |
| 31 | +* **Azure Load Balancer** - Placing an Azure Load Balancer in front of container instances in a networked container group is not supported |
| 32 | +* **Virtual network peering** |
| 33 | + * You can only peer your virtual network to one other virtual network |
| 34 | + * Global virtual network peering (connecting virtual networks across Azure regions) is not supported |
| 35 | +* **Private link** - Accessing Azure resources at a private endpoint over a private link is not supported |
| 36 | +* **Public IP or DNS label** - Container groups deployed to a virtual network don't currently support exposing containers directly to the internet with a public IP address or a fully qualified domain name |
| 37 | +* **Internal name resolution** - Name resolution for Azure resources in the virtual network via the internal Azure DNS is not supported |
| 38 | + |
| 39 | +## Other limitations |
| 40 | + |
| 41 | +* To deploy container groups to a subnet, the subnet can't contain other resource types. Remove all existing resources from an existing subnet prior to deploying container groups to it, or create a new subnet. |
| 42 | +* You can't use a [managed identity](container-instances-managed-identity.md) in a container group deployed to a virtual network. |
| 43 | +* You can't enable a [liveness probe](container-instances-liveness-probe.md) or [readiness probe](container-instances-readiness-probe.md) in a container group deployed to a virtual network. |
| 44 | +* Due to the additional networking resources involved, deploying a container group to a virtual network is typically slower than deploying a standard container instance. |
| 45 | + |
| 46 | +## Required network resources |
| 47 | + |
| 48 | +There are three Azure Virtual Network resources required for deploying container groups to a virtual network: the [virtual network](#virtual-network) itself, a [delegated subnet](#subnet-delegated) within the virtual network, and a [network profile](#network-profile). |
| 49 | + |
| 50 | +### Virtual network |
| 51 | + |
| 52 | +A virtual network defines the address space in which you create one or more subnets. You then deploy Azure resources (like container groups) into the subnets in your virtual network. |
| 53 | + |
| 54 | +### Subnet (delegated) |
| 55 | + |
| 56 | +Subnets segment the virtual network into separate address spaces usable by the Azure resources you place in them. You create one or several subnets within a virtual network. |
| 57 | + |
| 58 | +The subnet that you use for container groups may contain only container groups. When you first deploy a container group to a subnet, Azure delegates that subnet to Azure Container Instances. Once delegated, the subnet can be used only for container groups. If you attempt to deploy resources other than container groups to a delegated subnet, the operation fails. |
| 59 | + |
| 60 | +### Network profile |
| 61 | + |
| 62 | +A network profile is a network configuration template for Azure resources. It specifies certain network properties for the resource, for example, the subnet into which it should be deployed. When you first use the [az container create][az-container-create] command to deploy a container group to a subnet (and thus a virtual network), Azure creates a network profile for you. You can then use that network profile for future deployments to the subnet. |
| 63 | + |
| 64 | +To use a Resource Manager template, YAML file, or a programmatic method to deploy a container group to a subnet, you need to provide the full Resource Manager resource ID of a network profile. You can use a profile previously created using [az container create][az-container-create], or create a profile using a Resource Manager template (see [template example](https://github.com/Azure/azure-quickstart-templates/tree/master/101-aci-vnet) and [reference](https://docs.microsoft.com/azure/templates/microsoft.network/networkprofiles)). To get the ID of a previously created profile, use the [az network profile list][az-network-profile-list] command. |
| 65 | + |
| 66 | +In the following diagram, several container groups have been deployed to a subnet delegated to Azure Container Instances. Once you've deployed one container group to a subnet, you can deploy additional container groups to it by specifying the same network profile. |
| 67 | + |
| 68 | +![Container groups within a virtual network][aci-vnet-01] |
| 69 | + |
| 70 | +## Next steps |
| 71 | + |
| 72 | +* For deployment examples with the Azure CLI, see [Deploy container instances into an Azure virtual network](container-instances-vnet.md). |
| 73 | +* To deploy a new virtual network, subnet, network profile, and container group using a Resource Manager template, see [Create an Azure container group with VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/101-aci-vnet |
| 74 | +). |
| 75 | + |
| 76 | + |
| 77 | +<!-- IMAGES --> |
| 78 | +[aci-vnet-01]: ./media/container-instances-virtual-network-concepts/aci-vnet-01.png |
| 79 | + |
| 80 | +<!-- LINKS - Internal --> |
| 81 | +[az-container-create]: /cli/azure/container#az-container-create |
| 82 | + |
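Review bot: the `[az-network-profile-list]` reference used in the Network profile section ("To get the ID of a previously created profile, use the [az network profile list][az-network-profile-list] command") has no matching definition under `<!-- LINKS - Internal -->`, so it will render as literal bracketed text instead of a link; add an entry beside `[az-container-create]`, e.g. `[az-network-profile-list]: /cli/azure/network/profile#az-network-profile-list` (path assumed from the pattern of the existing entry, please verify). Two further rendering problems in the same file: the first item of the "For deployment information" list is written `*[Deploy container instances into an Azure virtual network](container-instances-vnet.md).` with no space after the asterisk, so it will not render as a list item (change to `* [Deploy ...`); and in Next steps the second bullet's URL is split so that `).` lands on its own line, which breaks the link markup (join it as `...101-aci-vnet).` on one line). Minor style point: the Scenarios list mixes noun phrases ("Direct communication ...") with imperatives ("Send ...", "Retrieve ..."); making the items parallel would read better.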