Is there built-in support for enabling SSL on Azure Container Instances?

3

13

Is there built-in support for enabling SSL on Azure Container Instances? If not, can we hook up to SSL providers like Let's Encrypt?

Geniagenial answered 13/11, 2017 at 8:7 Comment(0)
11

There is nothing built-in today. You need to load the certs into the container and terminate SSL there. Soon, we will enable support for ACI containers to join an Azure virtual network, at which point you could front your containers with Azure Application Gateway and terminate SSL there.

Eleonoraeleonore answered 14/11, 2017 at 20:37 Comment(6)
Any timeline on this? I assume we'll also be able to restrict access to public IP addresses from outside the virtual network once this is available? - Stemma
We're bringing in custom VNET support this fall 2018. This will enable setting up an app gateway to terminate SSL as Sean mentions; you will also be able to restrict communication from outside the VNET as the ACI resources will be able to be assigned to a delegated subnet. - Phelan
We also have a great sidecar tutorial here that shows how to set up SSL termination with a multi-container group supported by Linux on ACI today. medium.com/@samkreter/… - Phelan
@Phelan how can I use your tutorial to manage multiple apps (in different ports) with one nginx instance? - Stratiform
Hi, I see now there is support for adding an ACI container to a Virtual Network. When we add an ACI container to a Virtual Network, it will have a private IP address and not an FQDN. That means Azure Application Gateway needs to be configured to use the static IP address of the ACI instance. I have a doubt whether my ACI instance's IP address will change when the ACI instance is restarted for some reason. That will break the frontend. - Unbeliever
What about Windows containers? Side loading is not possible and joining a virtual network is also not possible. - Airport
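The sidecar approach described in the answer and comments above (load the certificate into the container group and terminate SSL there), as an added example that is not part of the original answer or the linked tutorial. It assumes an nginx sidecar in the same container group as the app, the app listening on plain HTTP at port 8080, and the certificate and key mounted at `/etc/nginx/tls/`; the port, paths and host name are placeholders.

```nginx
# nginx.conf for a TLS-terminating sidecar (added example, assumptions labelled).
# Containers in one ACI container group share a network namespace, so the
# sidecar reaches the app container over localhost.

events {}

http {
    server {
        # Only this port should be listed in the container group's public ports.
        listen 443 ssl;
        server_name app.example.com;            # placeholder host name

        # Assumed mount point for the certificate chain and private key
        # (for example a secret volume mounted into the sidecar).
        ssl_certificate     /etc/nginx/tls/tls.crt;
        ssl_certificate_key /etc/nginx/tls/tls.key;

        # Refuse legacy protocol versions.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;

        location / {
            # Assumed app port; the app itself only speaks HTTP.
            proxy_pass http://127.0.0.1:8080;

            # Tell the app what the client originally requested.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

The app's HTTP port stays reachable only inside the group as long as it is not added to the group's exposed ports. Certificate renewal is not handled here; the mounted files have to be replaced before they expire.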
5

As said above, no support today for built-in SSL when using ACI. I'm using Azure Application Gateway to publish my container endpoint using the HTTP-to-HTTPS bridge. This way, App Gateway needs a regular HTTPS cert (and you can use whichever model works best for you as long as you can introduce a .PFX file during provisioning or later during configuration) and it will then use HTTP to talk to your (internally facing) ACI-based container. This approach becomes more secure if you bind your ACI-based container to a VNET and restrict traffic from elsewhere.

To use SSL within the ACI-container you'd need to introduce your certification while provisioning the container, and then somehow automate certificate expiration and renewal. As this is not supported in a reasonable way, I chose to use the App Gateway to resolve this. You could also use API Management but that is obviously slightly more expensive and introduces a lot more moving parts.

I blogged about this configuration here and the repo with provisioning scripts is here.

Ace answered 25/3, 2019 at 8:6 Comment(1)
Hi Jussi, are you saying that you can pair Application Gateway (including SSL cert) with an internally-facing ACI-based container without using a VNET? I'm trying to introduce SSL to an ACI-based Windows container, but a number of key features like container group deployment into a virtual network are not yet supported for Windows containers. - Syne
-1

You can add SSL support at the API Gateway and simply configure the underlying API over HTTP.

You will need the secret key to execute the above API method!

You can access the underlying API hosted at the Azure Container Instance. This method does not require jwt token as this is a demo api.

Eulogist answered 2/6, 2018 at 5:23 Comment(1)
The first link in this answer is no longer working (there is an issue with the Azure subscription). Plus, I'm not sure this actually answered the question of "how" you would do any of this. - Timothy
