I'm trying to create a working solution with Swagger Ocelot API Gateway and deploy it on Azure as a hybrid of Azure App Service and Azure Container Instances.
Backend services are deployed to ACI, a service that runs containers. Docker images are stored and deployed to containers (Azure Container Registry).
A Virtual Network with two subnets is used to deploy our containers into (one subnet is used for the containers and the other one for the gateway). The gateway is not deployed into this virtual network, but accesses it via the gateway-subnet, which communicates with the backend-subnet.
The gateway is deployed as an Azure App Service on Linux, which communicates with our backend services via their private IPs by configuring VNet Integration.
However, the App Service is not working. It gives an application error and in the log stream is the following:
at SwaggerOcelot.Gateway.Program.<>c.b__1_0(IConfigurationBuilder config) in \SwaggerOcelot.Gateway\Program.cs:line 17
2022-01-27T09:27:54.820243802Z at Microsoft.Extensions.Hosting.HostingHostBuilderExtensions.<>c__DisplayClass6_0.b__0(HostBuilderContext context, IConfigurationBuilder builder)
2022-01-27T09:27:54.820248402Z at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
2022-01-27T09:27:54.820257202Z at Microsoft.Extensions.Hosting.HostBuilder.Build()
2022-01-27T09:27:54.821977012Z at SwaggerOcelot.Gateway.Program.Main(String[] args) in SwaggerOcelot.Gateway\Program.cs:line 11
2022-01-27T09:28:05.940519859Z Could not open output /home/logs/dumps/coredump. 2 No such file or directory
I wonder whether the deployment process is not correct.
Related
I am using Azure App Service to deploy my microservices, which are exposed via APIM in consumption mode.
I have deployed 2 microservices in separate app services. Traffic to only one app service is allowed from APIM, whereas the other app service can be accessed by the first app service. How can I achieve this? I am new to Azure.
APIM -> App service instance 1 -> App service instance 2
The Setup I have:-
Azure web app container on a private endpoint that also has Vnet integration.
private endpoint azure container registry.
A self hosted azure devops virtual machine for running build jobs.
The Github repos are linked to the azure devops account.
For this particular project, I am building and pushing the docker image to azure container registry and then deploying that image to the azure web app container. All of the components in the above system are on the same virtual network. I used this guide for the pipeline:-
https://learn.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux?view=azure-devops&tabs=yaml#deploy-with-azure-web-app-for-container
The problem:-
The pushing of image to the container registry works. But the azure web app container is not able to pull the container registry image over the private network. It tries to do it over the public internet which is disabled in registry firewall. Below is the error message I get:-
DockerApiException: Docker API responded with status code=InternalServerError,
response={"message":"Get https://xxxx.azurecr.io/v2/docker_file_path/manifests/19: denied: client with IP
'xx.xxx.132.231' is not allowed access. Refer https://aka.ms/acr/firewall to
grant access."}
The IP xx.xxx.132.231 is the public outbound IP of that Azure web app, so it's confirmed that it's trying to do so over the public internet.
What I found:-
I searched and found that another person had exactly the same error. The Microsoft team has been working on it for months but it still doesn't work yet.
https://learn.microsoft.com/en-us/answers/questions/280774/app-service-for-web-app-for-containers-container-r.html
Question:-
Is there any way I could make it work? Is there some other way of deployment for web app containers with private endpoint which can happen entirely over the virtual network? Thanks for reading.
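The check the poster did by hand (reading the denied client IP out of the error and comparing it with the web app's outbound addresses) can be scripted. This is an added example, not part of the original post; `diagnose_pull`, the sample registry name and all addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the shape of the error quoted in the question; the
# registry name, repository and addresses are placeholders, not real values.
SAMPLE_ERROR = (
    'DockerApiException: Docker API responded with status code=InternalServerError, '
    'response={"message":"Get https://exampleregistry.azurecr.io/v2/app/manifests/19: '
    "denied: client with IP '203.0.113.231' is not allowed access. "
    'Refer https://aka.ms/acr/firewall to grant access."}'
)

# \s+ before the quoted IP tolerates the line wrap seen in copied log output.
DENIED_RE = re.compile(
    r"Get https://(?P<registry>[^/\s]+)/v2/(?P<repo>.+?)/manifests/(?P<tag>[^:\s]+):"
    r"\s*denied: client with IP\s+'(?P<ip>[^']+)'"
)

def diagnose_pull(error_text, vnet_cidrs, app_outbound_ips):
    """Tell which network path a denied image pull took.

    vnet_cidrs: address prefixes of the virtual network (assumed input).
    app_outbound_ips: the web app's public outbound IPs (assumed input).
    Returns None when the text is not a registry firewall denial.
    """
    m = DENIED_RE.search(error_text)
    if m is None:
        return None
    result = {"registry": m["registry"], "repo": m["repo"],
              "tag": m["tag"], "client_ip": m["ip"]}
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        # Redacted addresses such as 'xx.xxx.132.231' cannot be classified.
        result["path"] = "unparseable-ip"
        return result
    if any(ip in ipaddress.ip_network(c) for c in vnet_cidrs):
        result["path"] = "vnet"             # source is inside the VNet address space
    elif str(ip) in set(app_outbound_ips):
        result["path"] = "public-outbound"  # pull left via the app's public IP
    else:
        result["path"] = "unknown-source"   # neither VNet nor a known outbound IP
    return result

if __name__ == "__main__":
    print(diagnose_pull(SAMPLE_ERROR, ["10.0.0.0/16"], ["203.0.113.231"]))
```

A `public-outbound` result matches the situation described in the question: the registry saw the request arrive from the app's public address rather than from inside the virtual network.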
Azure Container Apps Virtual Network Integration Announced 2022-02-02
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-container-apps-virtual-network-integration/ba-p/3096932
What are the advantages of using Azure App Service to deploy a docker application instead of Azure Container Instance?
I found out that Azure Container instances don't have any networking-related capabilities in terms of restricting app access. Are there any more advantages of using Azure App Service to deploy a container?
There are many advantages of using Azure App Service over Azure Container Instance:
Azure App Service is PaaS (platform as a service); on the other side, Azure Container Instance is IaaS (infrastructure as a service).
In Azure App Service, direct integration of a custom domain is available
Integration with the application gateway to handle the traffic load
It offers auto-scaling and high availability.
Automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model
Host background jobs (Web Jobs)
We have an Azure App Service (web app) and a VM containing some infrastructure (database, queue...)
Can App Service access the VM via internal IP?
You need to integrate your app with the VNet which your VM is in. Follow the steps in the document "Integrate your app with an Azure Virtual Network" and then you can access the VM with your private IP.
We have got VMs on Azure and services are running in there.
We are trying to deploy our MVC web application to Azure App Service, which accesses some of the services on the VM using the private IPs, but it can't connect to the service hosted on the VM using the private IP. We were assuming that all of our resources would be in the same network. Can anyone help with this?
Thanks
Azure App Service has two kinds of hosting:
Single tenant (App Service Environment), which is dedicated to the customer
Multi tenant (shareable across other customer subscriptions inside a data center scale unit)
If your application is hosted as a multi-tenant application, meaning the App Service URL is {WebAppName}.azurewebsites.net, then it's an internet-facing application, and if it needs to connect to any VNet (Virtual Network) hosted service then it needs to be integrated with any or the same VNet.
How to do App service VNET Integration:
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration#regional-virtual-network-integration
Once the App Service is integrated with the VNet, then ideally it has connectivity with all the services present inside the same VNet or a peered VNet.
How to confirm connectivity from App Service to a VNet-hosted resource:
Go to the App Service application => Advanced Tools or Console => run the commands below in sequence, as the HTTP communication happens through this sequence:
nslookup {Destination_FQDN} {Optional-DNSServer}   or   nameresolver {Destination_FQDN} {Optional-DNSServer}
tcpping {Destination FQDN}
curl -v {DestinationFQDN}
Common Scenarios:
If you're receiving connection refused, it means its NSG is not allowing the communication.
If you're getting a request timeout, it means it could be due to a firewall or no proper routes to reach the destination.
If it's a connection abort, it means its intermediate device is not passing the connection through.
Troubleshoot connectivity issues using Azure Network Watcher: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-portal
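The first two steps of the sequence in the answer above (name resolution, then a TCP connect) as a script that reports which stage failed and labels the failure with the outcome names from "Common Scenarios". This is an added example, not code from the answer; `classify` and `probe` are hypothetical helper names, and the host and port in the last line are placeholders.

```python
import errno
import socket

def classify(exc):
    """Map a socket-level exception to an outcome label."""
    if isinstance(exc, socket.gaierror):
        return "dns_failure"          # name did not resolve; nothing was sent
    if isinstance(exc, ConnectionRefusedError):
        return "connection_refused"   # an active TCP reset answered the SYN
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "request_timeout"      # no reply at all within the timeout
    if isinstance(exc, (ConnectionAbortedError, ConnectionResetError)):
        return "connection_abort"     # connection torn down after it started
    if isinstance(exc, OSError) and exc.errno in (errno.ENETUNREACH,
                                                  errno.EHOSTUNREACH):
        return "no_route"             # local stack has no path to the address
    return "other_error"

def probe(host, port, timeout=3.0):
    """Resolve host, then TCP-connect. Returns (stage, outcome, detail)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:
        return ("dns", classify(exc), str(exc))
    family, socktype, proto, _, addr = infos[0]
    try:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            sock.connect(addr)
    except OSError as exc:
        return ("tcp", classify(exc), f"{addr[0]}:{port} {exc}")
    return ("tcp", "open", f"{addr[0]}:{port}")

if __name__ == "__main__":
    # Placeholder target: replace with the private FQDN or IP and port to test.
    print(probe("backend.internal.example", 443))
```

Recording the stage alongside the outcome keeps a DNS problem from being mistaken for a blocked port when comparing results from the App Service console with results from a machine inside the VNet.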