|
| 1 | +--- |
| 2 | +title: Configure Container Group Egress with NAT Gateway |
| 3 | +description: Configure NAT gateway for Azure Container Instances workloads that use the NAT gateway's public IP address for static egress |
| 4 | +author: macolso |
| 5 | +ms.topic: conceptual |
| 6 | +ms.service: container-instances |
| 7 | +services: container-instances |
| 8 | +ms.author: macolso |
| 9 | +ms.date: 02/28/2022 |
| 10 | +--- |
| 11 | + |
| 12 | +# Configure a NAT gateway for static IP address for outbound traffic from a container group |
| 13 | + |
| 14 | +Setting up a [container group](container-instances-container-groups.md) with an external-facing IP address allows external clients to use the IP address to access a container in the group. For example, a browser can access a web app running in a container. However, currently a container group uses a different IP address for outbound traffic. This egress IP address isn't exposed programmatically, which makes container group monitoring and configuration of client firewall rules more complex. |
| 15 | + |
| 16 | +This article provides steps to configure a container group in a [virtual network](container-instances-virtual-network-concepts.md) integrated with a [Network Address Translation (NAT) gateway](../virtual-network/nat-gateway/nat-overview.md). By configuring a NAT gateway to SNAT a subnet address range delegated to Azure Container Instances (ACI), you can identify outbound traffic from your container groups. The container group egress traffic will use the public IP address of the NAT gateway. A single NAT gateway can be used by multiple container groups deployed in the virtual network's subnet delegated to ACI. |
| 17 | + |
| 18 | +In this article you use the Azure CLI to create the resources for this scenario: |
| 19 | + |
| 20 | +* Container groups deployed on a delegated subnet [in the virtual network](container-instances-vnet.md) |
| 21 | +* A NAT gateway deployed in the network with a static public IP address |
| 22 | + |
| 23 | +You then validate egress from example container groups through the NAT gateway. |
| 24 | + |
| 25 | +> [!NOTE] |
| 26 | +> The ACI service recommends integrating with a NAT gateway for containerized workoads that have static egress but not static ingress requirements. For ACI architecture that supports both static ingress and egress, please see the following tutorial: [Use Azure Firewall for ingress and egress](container-instances-egress-ip-address.md). |
| 27 | +## Before you begin |
| 28 | +You must satisfy the following requirements to complete this tutorial: |
| 29 | + |
| 30 | +**Azure CLI**: You must have Azure CLI version installed on your local computer. If you need to install or upgrade, see [Install the Azure CLI][azure-cli-install] |
| 31 | + |
| 32 | +**Azure resource group**: If you don't have an Azure resource group already, create a resource group with the [az group create][az-group-create] command. Below is an example. |
| 33 | +```azurecli |
| 34 | +az group create --name myResourceGroup --location eastus |
| 35 | +``` |
| 36 | +## Deploy ACI in a virtual network |
| 37 | + |
| 38 | +In a typical case, you might already have an Azure virtual network in which to deploy a container group. For demonstration purposes, the following commands create a virtual network and subnet when the container group is created. The subnet is delegated to Azure Container Instances. |
| 39 | + |
| 40 | +The container group runs a small web app from the `aci-helloworld` image. As shown in other articles in the documentation, this image packages a small web app written in Node.js that serves a static HTML page. |
| 41 | + |
| 42 | +> [!TIP] |
| 43 | +> To simplify the following command examples, use an environment variable for the resource group's name: |
| 44 | +> ```console |
| 45 | +> export RESOURCE_GROUP_NAME=myResourceGroup |
| 46 | +> ``` |
| 47 | +> This tutorial will make use of the environment variable going forward. |
| 48 | +Create the container group with the [az container create][az-container-create] command: |
| 49 | +
|
| 50 | +```azurecli |
| 51 | +az container create \ |
| 52 | + --name appcontainer \ |
| 53 | + --resource-group $RESOURCE_GROUP_NAME \ |
| 54 | + --image mcr.microsoft.com/azuredocs/aci-helloworld \ |
| 55 | + --vnet aci-vnet \ |
| 56 | + --vnet-address-prefix 10.0.0.0/16 \ |
| 57 | + --subnet aci-subnet \ |
| 58 | + --subnet-address-prefix 10.0.0.0/24 |
| 59 | +``` |
| 60 | +
|
| 61 | +> [!NOTE] |
| 62 | +> Adjust the value of `--subnet address-prefix` for the IP address space you need in your subnet. The smallest supported subnet is /29, which provides eight IP addresses. Some >IP addresses are reserved for use by Azure, which you can read more about [here](../virtual-network/ip-services/private-ip-addresses.md). |
| 63 | +## Create a public IP address |
| 64 | + |
| 65 | +In the following sections, use the Azure CLI to deploy an Azure NAT gateway in the virtual network. For background, see [Tutorial: Create a NAT gateway using Azure CLI](../virtual-network/nat-gateway/tutorial-create-nat-gateway-cli.md). |
| 66 | + |
| 67 | +First, use the [az network vnet public-ip create][az-network-public-ip-create] to create a public IP address for the NAT gateway. This will be used to access the Internet. You will receive a warning about an upcoming breaking change where Standard SKU IP addresses will be availability zone aware by default. You can learn more about the use of availability zones and public IP addresses [here](../virtual-network/ip-services/virtual-network-network-interface-addresses.md). |
| 68 | + |
| 69 | +```azurecli |
| 70 | +az network public-ip create \ |
| 71 | + --name myPublicIP \ |
| 72 | + --resource-group $RESOURCE_GROUP_NAME \ |
| 73 | + --sku standard \ |
| 74 | + --allocation static |
| 75 | +``` |
| 76 | + |
| 77 | +Store the public IP address in a variable. We will use this later during the validation step. |
| 78 | + |
| 79 | +```azurecli |
| 80 | +NG_PUBLIC_IP="$(az network public-ip show \ |
| 81 | + --name myPublicIP \ |
| 82 | + --resource-group $RESOURCE_GROUP_NAME \ |
| 83 | + --query ipAddress --output tsv)" |
| 84 | +``` |
| 85 | + |
| 86 | +## Deploy a NAT gateway into a virtual network |
| 87 | + |
| 88 | +Use the following [az network nat gateway create][az-network-nat-gateway-create] to create a NAT gateway that uses the public IP you created in the previous step. |
| 89 | + |
| 90 | +```azurecli |
| 91 | +az network nat gateway create \ |
| 92 | + --resource-group $RESOURCE_GROUP_NAME \ |
| 93 | + --name myNATgateway \ |
| 94 | + --public-ip-addresses myPublicIP \ |
| 95 | + --idle-timeout 10 |
| 96 | +``` |
| 97 | +## Configure NAT service for source subnet |
| 98 | + |
| 99 | +We'll configure the source subnet **aci-subnet** to use a specific NAT gateway resource **myNATgateway** with [az network vnet subnet update][az-network-vnet-subnet-update]. This command will activate the NAT service on the specified subnet. |
| 100 | + |
| 101 | +```azurecli |
| 102 | +az network vnet subnet update \ |
| 103 | + --resource-group $RESOURCE_GROUP_NAME \ |
| 104 | + --vnet-name aci-vnet \ |
| 105 | + --name aci-subnet \ |
| 106 | + --nat-gateway myNATgateway |
| 107 | +``` |
| 108 | + |
| 109 | +## Test egress from a container group |
| 110 | + |
| 111 | +Test inbound access to the *appcontainer* running in the virtual network by browsing to the firewall's public IP address. Previously, you stored the public IP address in variable $NG_PUBLIC_IP |
| 112 | + |
| 113 | +Deploy the following sample container into the virtual network. When it runs, it sends a single HTTP request to `http://checkip.dyndns.org`, which displays the IP address of the sender (the egress IP address). If the application rule on the firewall is configured properly, the firewall's public IP address is returned. |
| 114 | + |
| 115 | +```azurecli |
| 116 | +az container create \ |
| 117 | + --resource-group $RESOURCE_GROUP_NAME \ |
| 118 | + --name testegress \ |
| 119 | + --image mcr.microsoft.com/azuredocs/aci-tutorial-sidecar \ |
| 120 | + --command-line "curl -s http://checkip.dyndns.org" \ |
| 121 | + --restart-policy OnFailure \ |
| 122 | + --vnet aci-vnet \ |
| 123 | + --subnet aci-subnet |
| 124 | +``` |
| 125 | + |
| 126 | +View the container logs to confirm the IP address is the same as the public IP address we created in the first step of the tutorial. |
| 127 | + |
| 128 | +```azurecli |
| 129 | +az container logs \ |
| 130 | + --resource-group $RESOURCE_GROUP_NAME \ |
| 131 | + --name testegress |
| 132 | +``` |
| 133 | + |
| 134 | +Output is similar to: |
| 135 | + |
| 136 | +```console |
| 137 | +<html><head><title>Current IP Check</title></head><body>Current IP Address: 52.142.18.133</body></html> |
| 138 | +``` |
| 139 | +This IP address should match the public IP address created in the first step of the tutorial. |
| 140 | + |
| 141 | +```Bash |
| 142 | +echo $NG_PUBLIC_IP |
| 143 | +``` |
| 144 | + |
| 145 | +## Next steps |
| 146 | + |
| 147 | +In this article, you set up container groups in a virtual network behind an Azure NAT gateway. By using this configuration, you set up a single, static IP address egress from Azure Container Instances container groups. |
| 148 | + |
| 149 | +For troubleshooting assistance, see the [Troubleshoot Azure Virtual Network NAT connectivity](../virtual-network/nat-gateway/troubleshoot-nat.md). |
| 150 | + |
| 151 | +[az-group-create]: /cli/azure/group#az_group_create |
| 152 | +[az-container-create]: /cli/azure/container#az_container_create |
| 153 | +[az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_create |
| 154 | +[az-network-public-ip-create]: /cli/azure/network/public-ip/#az_network_public_ip_create |
| 155 | +[az-network-public-ip-show]: /cli/azure/network/public-ip/#az_network_public_ip_show |
| 156 | +[az-network-nat-gateway-create]: /cli/azure/network/nat/gateway/#az_network_nat_gateway_create |
| 157 | +[az-network-vnet-subnet-update]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_update |
| 158 | +[az-container-exec]: /cli/azure/container#az_container_exec |
| 159 | +[azure-cli-install]: /cli/azure/install-azure-cli |
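Review bot: The "Test egress from a container group" section (lines 111-113 of the new file) still describes the Azure Firewall tutorial, not this NAT gateway setup: "Test inbound access to the *appcontainer* running in the virtual network by browsing to the firewall's public IP address" and "If the application rule on the firewall is configured properly, the firewall's public IP address is returned" contradict the NOTE near the top, which says a NAT gateway covers static egress but not static ingress, and there is no firewall or application rule anywhere in this article. Rewrite that section to say that the container's outbound request egresses through the NAT gateway and that the address shown in the logs should match `$NG_PUBLIC_IP`, and drop the inbound-access sentence (the NAT gateway's public IP is not an ingress endpoint for the container group). Smaller fixes in the same hunk: the NOTE after the first `az container create` refers to `--subnet address-prefix`, but the flag in the command is `--subnet-address-prefix`, and that NOTE also has a stray `>` inside "Some >IP addresses"; "use the [az network vnet public-ip create]" names a command that does not exist, while the code block correctly uses `az network public-ip create`, so the link text should match; "Azure CLI version installed" is missing the version number, and "workoads" is a typo; "the public IP address we created in the first step of the tutorial" (stated twice) points at the wrong step, since the public IP is created in "Create a public IP address", after the container group. The headings "## Before you begin", "## Deploy ACI in a virtual network", "## Create a public IP address", and "## Configure NAT service for source subnet" each need a blank line before them to render correctly, and the final `echo $NG_PUBLIC_IP` block is fenced as `Bash` where the rest of the file uses `console`/`azurecli`. Finally, the reference definitions `az-network-vnet-subnet-create`, `az-network-public-ip-show`, and `az-container-exec` are never referenced in the body (the `az network public-ip show` command in the validation step could use the existing `az-network-public-ip-show` link), so either link them or remove them.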