I'd like to automate the deployment of a virtual network (that is peered with another network) and container instance connected to that network.
I'd just want to confirm that I'd do the correct steps. I'll be using Azure REST API.
Deploy a Virtual Network with a subnet
Create a Peering to the other virtual network
Create a Network Profile
Deploy the Container with the created network profile.
Step 3 is a bit weird for me because it's different than what I do in the Azure Portal. In the Portal, I just select the virtual network that I want my container to be connected to. Looking at MSDN Docs it seems to me that REST API requires me to create that Network Profile first. Am I right?
When you deploy an container using az container create the az cli will create the network profile for you in the background.
This might be why you might not have seen explicit creation of the network profile before.
A network profile is a network configuration template for Azure resources. It specifies certain network properties for the resource, for example, the subnet into which it should be deployed. When you first use the az container create command to deploy a container group to a subnet (and thus a virtual network), Azure creates a network profile for you. You can then use that network profile for future deployments to the subnet.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet#network-profile
You steps are looking good.
Related
I have created an API Manager Service (AMS) in Azure with its subnet.
I have created a Virtual Machine with Ubuntu that exposes some APIs on the port 8000. It has a public IP and an internal IP (10.0.1.5). This is the network configuration.
I don't want a public IP on this machine. What I want is that only the AMS speaks with the Virtual Machine to expose the API.
I can't find a way to create a private network (or external network in the AMS point of view) between the AMS and the virtual machine. In the network configuration of the virtual machine, the AMS subnet is not available.
In a normal network I would create a NAT between the 2 subnets but in Azure I don't know how to do it.
Do you have any advice?
Create a Virtual network first in some region . Then , while creating APIM services go to the Virtual network tab and select type as external instead of none and select the same Virtual network that you have created earlier.
Once the APIM service is deployed then create a VM and while creating the VM go to the networking tab and select the same virtual network that you have used in APIM but different subnet for the VM (as APIM and VM cannot use same subnet , it is not supported in azure) . You can add a new subnet in the same Vnet for using it in the VM by going to the VNet resource you have created and in Subnets page clicking on add subnet.
(Note : All the resources must be in same region)
After this configuration is done the resources can communicate which are present inside the VNet even if they have different subnets. As by default resources under the same vnet can communicate in azure.
I would like to create a simple architecture on Azure. My high level design is very similar to the picture below (source: https://www.import.io/post/using-amazon-lambda-and-api-gateway/)
I do want to access the internal services via the Azure API Management. What I can see on Microfos documentation page is that this simple and secure architecture is not mentioned as a reference:
https://learn.microsoft.com/en-us/azure/container-service/container-service-kubernetes-walkthrough
I have the following issues:
API Management cannot be assigned to a Virtual Network if there is at least one NIC is using the same network (why?)
Even with peered Virtual Networks I cannot access 10.244.X.0/24 network (pods' network) because only 10.240.0.0/16 is owned by the k8s Virtual Network. How can I access cluster ips (10.0.0.0/16) and pod ips (10.244.0.0/16)?
Well, you don't need an Extra VNET, but just an extra Subnet. That Subnet could lie within your existing VNET. The Size of Subnet can be the smallest /29 which Azure supports.
The Extra Subnet requirement for API Management comes from the fact, that it is built on PAAS V1 (Classic) technology. While we can deploy into a Resource Manager VNET (V2 layer), there are consequences to that. The Classic deployment model in Azure are not tightly coupled with Resource Manager model and so if you create a resource in V2 stuff, the V1 doesn't know about it and problems can happen such as API Management trying to use an IP that is already allocated to a NIC (built on V2).
To learn more about difference of Classic and Resource Manager models in Azure refer to blog difference between Classic and ResourceManager models
The answer is basically YES although the setup is not trivial.
You need:
One extra VNet for the API Management (EDIT: an extra subnet is enough)
One service (kubernetes terminology)
Steps:
Peer the Kubernetes VNet and the extra VNet you have created (test it)
API Management -> Virtual network: change to External
Choose as Virtual Network the one extra VNet (lets call it 'apimgmntvnet') and a Subnet
Save it! Drink a beer because it took me 1h!
Meanwhile expose your deployment internally:
kubectl expose deployment app --port=<serviceport> --name=app --target-port=<containerport> --type=NodePort (NodePort is important!LoadBalancer type triggers kubernetes to dynamically configure the Azure External LB for Kubernetes install)
Check node IP:PORT on kubernetes (kubectl proxy) BUI
API Management -> Publisher portal: modify your API to the IP address (AgentIP:30361)
Theoretically it should work. It is advised to start with a VM in the apimgmntvnet and try peering first from the VM and than delete it (API Management cannot be part of a VNet where at least one NIC is present (?!) ).
I'm getting started using docker-machine on my Windows 2016 box. I'm trying to create some VMs in Azure but I have a particular network security group that I want for it to use and which already exists in Azure. I ran docker-machine create --driver azure and looked over the small help text which tells me how to set the resource group, subnet, etc but I don't see an option for network security group. Is there a way to specify an existing network security group for docker-machine to use when creating VMs in Azure?
Ok, so according to the documentation, you should use Subnet\VNet or Availability Set. The reason you are asking this is because you don't understand how NSG's work in Azure. NSG's are attached to a VNet or Subnet, so deploying a VM\Container into that Subnet\VNet will effectively attach that NSG to the entity you are deploying. But as the documentation states - "Once the machine is created, you can modify Network Security Group rules and open ports of the machine from the Azure Portal.".
So I suppose it creates a new NSG each time you deploy something, so there's no way to achieve that what you are trying (at least for now).
What you could try is deploy to an existing VNet and check if no new NSG are being created specifically for that container host which you are deploying. If that holds and you have an NSG in place, you've achieved what you want exactly.
Can you please describe the process on how services inside Service Fabric Cluster could communicate with the database servers present in our private datacenter?
Right now how we do for some of the custom VMs on Azure is that we attach network interfaces(NICs) to VMs and Nics are connected to the subnet which provides us cross premises connectivity.
Is there any way we could specify this when provisioning the Service Fabric Cluster?
Thanks!
What you describe is the preferred way - Have a VNET that is connected to your datacenter (either with S2S VPN or Express Route), and then you are free to access on-prem resources from your code as if you were operating inside the local network. You don't have to add NICs to your SF VMs, you can just modify the ARM template to provision all resources inside the designated VNET.
If you take a look at the sample template for SF, you can see the subnet0Ref variable which is being used to set the network profile of the NICs that are part of the newly created scale set.
You can modify the template to lookup your pre-existing subnet using the resourceid template expression function (documentation). The you can drop from the template all the other resources that you don't need created, like the VNET itself.
I am trying to create virtual machine (VM) in Azure using ARM templates. In classical model of IAAS, we can create a virtual machine without virtual network in cloud service. Similar to classical model i don't want to put VM in virtual network.
Does anyone tried to create vm without virtual network in Azure resource manager.
Thanks in advance.
V2Vms, i.e. Resource manager VMs have a dependency on a network card, which has a dependency on a subnet.
A VNet is used to provide DHCP and Security Group services to the VM. Without it a VM couldn't obtain an IP Address.
It is not possible to create an Azure VM without a vnet, in the same way that it was not possible to create a V1Vm without a cloud service.
For more information see Understanding Resource Manager deployment and classic deployment