Private link support for Workload Profiles #867
Comments
microsoft-github-policy-service
bot
added
the
Needs: triage 🔍
torosent
added
roadmap
|
Any new information on this? It is needed for FrontDoor support with Consumption + Dedicated and internal vNet only |
|
Any estimates on when this will become available? |
|
Looking for a status update on this as well. I'm aiming to run Azure Container Apps behind an Azure Firewall with UDR's, which leaves me no choice but to use Workload Profiles (serverless only would be fine, but it doesn't support UDR's according to this doc). Workload profiles luckily also supports a serverless variation, but now I'm struggling on how to set up some form of inbound internet connectivity, ideally using Azure Frontdoor. The one guide from Microsoft which details on how to set this up assumes the exposed loadbalancer is called
|
|
Can we please get a update on this? |
|
Are there any new information on the progress to get PLS support to CA with internal LB? |
|
Can we get an update on this? This seems like basic functionality that's missing. |
|
I am wanting to migrate from consumption only to dedicated since I need:
I don't think there are plans for a migration from consumption only to dedicated? I am using front door for ingress to my consumption only plan, I cannot migrate due to lack of support for private links i.e. connecting front door where apis are on the same domain |
|
My customer has same problem. Any estimates ? |
|
+1 waiting for the implementation. |
|
I'd like to use workload profiles to have NAT gateway support, but then I can't have the environments private which is a big downside. |
|
Any update on when the fix will be ready for this? |
|
Is there an update or ETA? |
|
Also looking for an update |
|
Hi all can we get an eta for this? |
|
Hi folks, we are targeting end of Q2 CY2024 for this feature. |
|
This is the error we get when attempting to build one directly:
|
|
It's mid May, any update on this? |
|
We are ready for private preview, if you are interested in private preview, can you help to fill this form https://forms.office.com/r/fuhKa4UMy6 |
Would this be available for private preview in China also? |
|
Cargill Development Group:
fsdi-dev-unity <https://portal.azure.com/>:
a3cfee58-9860-4304-8f70-04e60a850479
fsdi-shared-services <https://portal.azure.com/>:
0c5f9978-efb7-42a1-a3d7-f2240c797607
fsdi-unity-prod <https://portal.azure.com/>:
50966e37-8361-4b25-a3d6-12cbed1fb293
fsdi-unity-stage-uat <https://portal.azure.com/>:
f9c39143-872d-4e2a-9a10-cd13d1612e3c
fsdi-unity-test <https://portal.azure.com/>:
29d150d3-e2c1-4864-8f1a-bc68d4685a54
https://ardeshir.io
***@***.***
https://github.com/ardeshir
***@***.***
https://www.linkedin.com/in/ardeshir
https://sepahsalar.substack.com/
…On Fri, May 31, 2024 at 8:27 AM Vincent He ***@***.***> wrote:
We are ready for private preview, if you are interested in private
preview, please send you subscription id to acasupport(at)microsoft(dot)com
and we can whitelist your sub for private preview.
Public preview still need some time.
—
Reply to this email directly, view it on GitHub
<#867 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAQCDR6TYVFENUUWAIB6C3ZFB3DBAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBSGE3DKMJZG4>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
That is true, if you create a Container App Environment with My issue is primarily with ACA Envs with public IPs (i.e. The better option, if you ask me (and no one is : ]), is leaving the internet route intact even with a created private endpoint. That is, the FQDNs resolve to the actual public IP of the environment when called from the internet, but when the FQDNs resolve from a VNet, they will resolve to the private IP of the endpoint. This is similar to other private endpoint implementations. Example: the FQDN of an Azure Flex Postgres server will resolve to the private IP of a private endpoint when the DNS resolution call comes from inside a VNet, but will resolve to the public IP of the server when it comes from the internet. Then on the server itself you can configure firewall rules for the public IP, i.e. let in whatever you want from the public, while private access is handled by the private endpoint. Container Apps themselves have IP restriction rules, which might be used similarly as a Postgres Flex server firewall rule. |
|
"But in such Container App Environments, you mostly don't really have a need to create a private endpoint."
I do if I want to use Azure Front Door.
This was my use case for a private endpoint, as my environments must have properties.vnetConfiguration.internal set as true.
I've been using Application Gateway as interim hops.
For my case, this is all working as expected
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: NemSimpraga ***@***.***>
Sent: Saturday, June 15, 2024 1:36:22 PM
To: microsoft/azure-container-apps ***@***.***>
Cc: Jack Caplin ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867)
NOTICE! This email was sent from outside Paxton.
Please do not click links or open attachments unless you recognise the sender and know the content is safe.
Doesn't this depend on how you created the Container App Environment? Do you have a Workload Profile with ingress set to internal only? Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
…
________________________________ From: Nemanja Simpraga @.> Sent: Friday, June 14, 2024 5:47:00 PM To: microsoft/azure-container-apps @.> Cc: Jack Caplin @.>; Comment @.> Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867<#867>) NOTICE! This email was sent from outside Paxton. Please do not click links or open attachments unless you recognise the sender and know the content is safe. I have been playing with this functionality, and I have to say there are some very weird points to consider about the implementation around this feature. Primarily, how the public availability of the application is influenced by the creation of a private endpoint. Example: * Created a private endpoint in my VNet for my Container App Environment * Connected via VNet Gateway into the same VNet where the private endpoint is * I can see that when calling the FQDN of my Container App deployed to that Environment, it resolves to the private IP of my environment's private endpoint and I can successfully connect to my application * When not connected to the VPN, the FQDN of my Container App resolves to a random Azure public IP * importantly, not the actual public IP of the deployed Container App Environment! * this means my application is not available by resolving its FQDN, if I am not connected to my VPN (and configured private DNS resolution) Here's the kicker: I can still reach the Container App over the public IP of the Container App environment! All I have to do is issue an HTTP request directly to the public IP (not the FQDN) of the Container App while setting the "Host" header to the FQDN of my deployed Container App, and I will be able to successfully reach the Container App. This seems like a very weird setup as the application is not completely private (which we can see from the fact that it's available over its public IP), but it is also not available over the public internet when trying to resolve its actual FQDN. What I expected to get after creating a private endpoint for the Container App Environment: * a way into the Container Apps of the Environment via the private network the private endpoint is in * by default, the Container Apps would stay publically available over their FQDN if the access was not specifically restricted to a private IP range via the Container Apps ingress IP restriction What we get is a partial solution: public access is restricted only on the DNS level for the Container Apps since their FQDNs won't resolve to the public IP of the Container App Environment. But, crucially, they will stay available by directly accessing the public IP with a properly set "Host" header. This does not make sense if you ask me, hope it helps in figuring our which direction this feature needs to go. — Reply to this email directly, view it on GitHub<#867 (comment)<#867 (comment)>>, or unsubscribehttps://github.com/notifications/unsubscribe-auth/A2AWLZQZBZDXCUNGZERXMOTZHMNAJAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRYGQYTCMRXHA. You are receiving this because you commented.Message ID: @.> Jack Caplin Chief IT Architect [https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature Phone: 01273 811011 Mobile: 07534563400 Web: www.paxton-access.com<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature<http://www.paxton-access.com%3Chttps://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>> Email: @.@.> Paxton House, Brighton, BN1 9HU Find us on the maphttps://goo.gl/maps/9vNLzgN1qR1zNg9A9 [https://public.paxton-access.co.uk/public/emailfooterimages/image002.png] https://www.facebook.com/PaxtonAccessLtd/ [https://public.paxton-access.co.uk/public/emailfooterimages/image003.png] https://www.linkedin.com/company/paxton-access-ltd/ [https://public.paxton-access.co.uk/public/emailfooterimages/image004.png] https://twitter.com/paxtonaccess [https://public.paxton-access.co.uk/public/emailfooterimages/image005.png] @./> [https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour
That is true, if you create a Container App Environment with properties.vnetConfiguration.internal as true, the L4 LB you get with the environment has a private IP, and there's no way to reach it directly from the public. But in such Container App Environments, you mostly don't really have a need to create a private endpoint. Perhaps to expose your Container Apps privately to VNets other than the one you integrated the Container App Environment with.
My issue is primarily with ACA Envs with public IPs (i.e. properties.vnetConfiguration.internal = false). If creating a private endpoint will make the FQDNs non-routable publically, then the public IP should not accept internet traffic at all, not let in traffic if someone is pointing calls to the public IP of you environment directly.
The better option, if you ask me (and no one is : ]), is leaving the internet route intact even with a created private endpoint. That is, the FQDNs resolve to the actual public IP of the environment when called from the internet, but when the FQDNs resolve from a VNet, they will resolve to the private IP of the endpoint. This is similar to other private endpoint implementations.
Example: the FQDN of a Flex Postgres server will resolve to the private IP of a private endpoint when the DNS resolution call comes from inside a VNet, but will resolve to the public IP of the server when it comes from the internet. Then on the server itself you can configure firewall rules for the public IP, i.e. let in whatever you want from the public, while private access is handled by the private endpoint.
Container Apps themselves have IP restriction rules, which might be used similarly as a Postgres Flex server firewall rule.
—
Reply to this email directly, view it on GitHub<#867 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A2AWLZVT7H267LFYI2FCVXDZHQYMNAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRZGQ4DSMRRHE>.
You are receiving this because you commented.Message ID: ***@***.***>
|
But if you're using AppGw for interim hops between Front Door and your internal Container App environment, then you don't need the private endpoint. You just put your AppGw in the same VNet as your Container App Environment and route traffic to its IP, which is already private anyways. Only if your AppGw is integrated into a VNet other than the one your Container App Environment is, private endpoint becomes useful. Which is what I meant by:
|
|
But with the private endpoints, I no longer need the app gateways. Until private endpoint support for workload profiles, they were the only method (apart from app proxies) to integrate front door.
I have now removed the app gateways. One per region. Less infrastructure to maintain and less cost.
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Nemanja Simpraga ***@***.***>
Sent: Saturday, June 15, 2024 3:12:58 PM
To: microsoft/azure-container-apps ***@***.***>
Cc: Jack Caplin ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-container-apps] Private link support for Workload Profiles (Issue #867)
NOTICE! This email was sent from outside Paxton.
Please do not click links or open attachments unless you recognise the sender and know the content is safe.
I've been using Application Gateway as interim hops.
But if you're using AppGw for interim hops between Front Door and your internal Container App environment, then you don't need the private endpoint. You just put your AppGw in the same VNet as your Container App Environment and route traffic to its IP, which is already private anyways.
Only if your AppGw is integrated into a VNet other than the one your Container App Environment is, private endpoint becomes useful. Which is what I meant by:
Perhaps to expose your Container Apps privately to VNets other than the one you integrated the Container App Environment with.
—
Reply to this email directly, view it on GitHub<#867 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A2AWLZVCW2RDTJRALDPRICLZHRDWVAVCNFSM6AAAAAA3KJBMG6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRZG4ZTMMZSG4>.
You are receiving this because you commented.Message ID: ***@***.***>
Jack Caplin
Chief IT Architect
[https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>
Phone: 01273 811011
Mobile: 07534563400
Web: www.paxton-access.com<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature>
Email: ***@***.******@***.***>
Paxton House, Brighton, BN1 9HU
Find us on the map<https://goo.gl/maps/9vNLzgN1qR1zNg9A9>
[https://public.paxton-access.co.uk/public/emailfooterimages/image002.png] <https://www.facebook.com/PaxtonAccessLtd/> [https://public.paxton-access.co.uk/public/emailfooterimages/image003.png] <https://www.linkedin.com/company/paxton-access-ltd/> [https://public.paxton-access.co.uk/public/emailfooterimages/image004.png] <https://twitter.com/paxtonaccess> [https://public.paxton-access.co.uk/public/emailfooterimages/image005.png] ***@***.***/>
[https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]<https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour>
|
Really? I am really curious how you send traffic from Front Door to the private endpoint directly. You usually do it via Private Link Service and the Container App's L4 load balancer with a non IP-based backend pool, which is only applicable for Consumption-only environments. Workload profiles still have the IP-based backend pool L4 LB, so I don't understand how a private endpoint helps overcome this issue? |
Any updates? |
|
We've been enabled for the preview and I can confirm that this does let you create a private endpoint attached to the container app environment (so you don't have to create a private link service on the internal load balancer). However there is still the missing piece that Front Door does not support adding a private link origin attached to the container app environment, which I think is what most people here are after. @chinadragon0515 - is Front Door going to be updated with origin support for direct private endpoint connectivity to a container app environment? |
|
|
Any update from the Azure Front Door team? |
|
Also requesting an update on this, as my team in the process of migrating a public consumption aca environment to an internal workload profile aca environment and want to expose the container app to the internet through AFD + PLS. |
|
Tentatively aiming for this to become available by the end of the year. |
@chinadragon0515 I understand that coordinating work with the Front Door teams makes it difficult to give an estimation on the issues above but is there anything you can share? Is there actively being worked on? |
|
Any possibility of getting this implemented in the mean time? Seems like a low hanging fruit while waiting for proper FD -> container app over private link. #120 |
|
Any updates about private links? |
|
Are there any updates on the progress of this feature? It would be great to understand when we can expect to leverage this in our environments. |
|
We are in the same boat. We need both UDR and Front Door / private link support. Neither the Consumption-only (v1) nor the Workload Profile (v2) environment types support both features. Are there any updates that can be shared? |
v1 has support for Private Links. That's how we are using it now. But the downside is that you cannot create any v1 Container Envs via the portal anymore (it's possible in bicep/cli), it's only WP enabled ones. |
Yes but v1 does not support UDRs. We're looking for an environment type that supports both UDRs and Front Door / private link. We in fact did use UDRs with v1 (before v2 environment types were even generally available) because unofficially they do work, but got told by Microsoft support that this is not a supported scenario and that our v1 environments can break at any time if we use them. |
|
Any considerations for enterprise DNS integration? We have had to do an ugly workaround to ensure all our clients can resolve the domain name of the container apps environment. Ideally this solution will be compatible: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale Today, we have a DINE policy which provisions an Azure container app Private DNS zone for each container app environment; and then a policy which finds any Private DNS zones which are named for container apps, and does a deployIfNotExists to link the private DNS zone to our name servers vNet. |
|
@rybal06 we implemented something like https://dev.to/kaiwalter/private-linking-and-port-forwarding-to-non-azure-resources-5h0f to forward DNS requests to our corp DNS. @syneex is currently evaluating whether Azure Private DNS Resolver can replace the VMSS based DNS forwarding. |
|
@rybal06 we are successfully using the Azure Private DNS Resolver to forward internal domains to our corporate DNS (Outbound Endpoint). I think for your case, the inbound endpoint of Azure Private DNS Resolver would be suitable as they are intended for the ingress to Azure -> Inbound Endpoints. For that to work, you need to provide the Private DNS Zone for the respective container apps environment anyways... |
|
My last comment was not clear enough - my question was mostly about whether Microsoft's pattern for "private link and dns integration at scale" will be tested and supported with Azure container apps once private endpoint support becomes GA. Essentially, whenever any team deploys a private endpoint; using a DeployIfNotExists policy; we evaluate the group ID parameter and parent resource type via policy and automatically link the private endpoint to the appropriate centralized DNS zone in our tenant. The reasons for this?
If I could have a centralized DNS zone in my tenant for privatelink.<REGION_NAME>.azurecontainerapps.io; and an azure policy to detect any private endpoints which are not linked to it, using DeployIfNotExists; assuming the groupID (aka sub resource name) is given on the private endpoint; this solution should work. I have some doubts though because Azure Container Apps uses wildcard(*) DNS records per container app environment rather than A records and have not tested it yet. Today, my workload teams have to care about DNS when using container apps. They must provision a unique private DNS zone matching the azure-assigned domain name of the container app environment and create the wildcard DNS A record. Our policy detects any *.<REGION_NAME>.azurecontainerapps.io private dns zones and links them automatically to our name server vNET. The problem with this is that there is less validation of the individual A records because it's a decentralized zone that each workload team can modify; and removal of those private dns zones by workload teams fail because they do not have permissions to remove the vNET link from per container app environment private DNS zone. I cannot give each workload team this permission to centralized components. This would be solved if private endpoints for container app environments works with this pattern: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale |
![https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature](https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature){kind=link}
![https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour](https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour){kind=link}
![https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature](https://public.paxton-access.co.uk/public/emailfooterimages/image001.png]<https://www.paxton-access.com/?utm_source=staff-signature&utm_medium=email&utm_campaign=staff-signature){kind=link}
![https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]<https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour](https://www.paxton-access.com/wp-content/uploads/2024/04/Tech-Tour-2024-%E2%80%93-Email-Signature-1.png]<https://www.paxton-access.com/tech-tour/?utm_source=emailsig&utm_medium=email&utm_campaign=techtour&utm_id=techtour){kind=link}
|
Hi folks, we're excited to share that we now have public preview of private endpoint support for workload profile environments. We are also supporting private link integration with Azure Front Door in the preview (Currently, adding ACA as a private origin for AFD is available through only the CLI with portal support in progress). For more information, please visit the: Please let us know if you have any feedback or run into any issues. Thank you! |
|
@cachai2 exciting, is this only supported for premium front door (the one that costs 10x more than standard)? |
|
Hi @onionhammer, yes. Azure Front Door only supports connecting to origins through private link for its premium offering. If in the future Azure Front Door enables connecting to origins through private link for standard, we will most likely look to enable that as well. Here is a link to the Azure Front Door docs where they detail the Azure Front Door Premium requirement. |
|
That's disappointing that this security feature isn't emphasized at Microsoft and supported for standard tier Front Door. Even though we would probably utilize this in production, I don't want to waste money using this on our non-production environments, so we will have to support two entirely separate code-paths. Also this doesn't appear to be configurable via bicep/ARM, so enabling it is still a pain. |
Is there any Bicep / IaC templates available for this? |
and others
We are working on Azure Front Door support for this next
The text was updated successfully, but these errors were encountered: