How to attach Public Static IP to Azure App Service - azure-web-app-service

There are 100 external domains pointing to my existing application. We're planning to migrate to Azure App Service. In this case, we have to request all domain owners to point to our new app service. It involves a lot of coordination and takes time.
In future (maybe after 2 years), we have a plan to deploy the solution to another app service or an Azure VM, and then we have to repeat the same process of requesting the external domain owners to point to the new deployment environment.
Currently we're thinking of the two solutions below. Could you please advise on those?
First, create a public static IP address, and request all external domains to point to this IP address.
Solution 1:
Attach this IP address to an Azure VM with very low capacity and use this server to redirect URLs to wherever you deploy the solution, which may be an Azure app service.
Solution 2:
Is it possible to attach a public static IP address to an Azure app service? I know app service is not an IaaS service with control over the infrastructure. I went through some articles on setting a static IP address for app service, but that is different from what I require.
Please also suggest if you've any other better solution.
Regards,
Venkat

For solution 1, it's easy to set a static public IP for an Azure VM. But it might lack redundancy: all of the services rely on that one Azure VM.
I would suggest Solution 2. Azure app services run in the same App Service plan, which shares the compute resources, and VM instances are available to you for scale-out. You can flexibly adjust the app service plan according to your need. Generally, the Azure web app service IP addresses change when you perform one of the following actions:
Delete an app and recreate it in a different resource group.
Delete the last app in a resource group and region combination and recreate it.
Delete an existing SSL binding, such as during certificate renewal (see Renew certificates).
Otherwise the Azure web app service IP address does not change, so it looks "static" unless you do one of the above actions or change to a free tier. If you want a dedicated, static IP address for your app, you need to configure an IP-based SSL binding.
Ref: How to get a static IP address for your Windows App Service Web App

Nancy, thanks for your suggestion. It helps me to finalize solution.
We identified three solutions for this scenario. We chose the 3rd solution.
Solution 1: Use a static IP for the Azure app service. If we wanted to migrate after a year or two, we would have to inform every external domain owner to change their endpoint to a different environment.
Solution 2: https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name-portal#understand-cname-and-a-records
A CNAME may be a better alternative since it maps to a specific domain and will resolve to the ip address of your app automatically so if your cloud services changes you will not have to take any action.
Solution 3: Create a public static IP address and request every external domain owner to point to this IP address. Next, create an Azure VM with low capacity (B1ms) and attach the public static IP address to this VM. Then use this VM as a reverse proxy: currently it may point to the existing Azure app service; in future, wherever the new environment is, I will redirect to that environment. The public static IP address can also later be attached to a load balancer or any other Azure VM.

I did it like this:
Create a Virtual Network
Create NAT Gateway
Create Public IP
Create SubNets for each App
Attach SubNets to VN
Use NAT In SubNets
Enable vnetRouteAllEnabled for each App
Bicep for the network part:
param location string = resourceGroup().location
var appOne = 'app-one'
var appTwo = 'app-two'

// Standard-SKU static public IP; the NAT gateway uses it for all outbound traffic
resource publicIp 'Microsoft.Network/publicIPAddresses@2021-05-01' = {
  name: 'public-ip-name'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAddressVersion: 'IPv4'
    publicIPAllocationMethod: 'Static'
    idleTimeoutInMinutes: 4
  }
}

resource natgateway 'Microsoft.Network/natGateways@2021-05-01' = {
  name: 'natgateway-name'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [
      {
        id: publicIp.id
      }
    ]
  }
}

// One subnet per app, each delegated to App Service and routed through the NAT gateway
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: 'virtualNetwork'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '192.168.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'subnet-for-${appOne}'
        properties: {
          addressPrefix: '192.168.0.0/24'
          natGateway: {
            id: natgateway.id
          }
          delegations: [
            {
              name: 'delegation'
              properties: {
                serviceName: 'Microsoft.Web/serverfarms'
              }
            }
          ]
        }
      }
      {
        name: 'subnet-for-${appTwo}'
        properties: {
          addressPrefix: '192.168.1.0/24'
          natGateway: {
            id: natgateway.id
          }
          delegations: [
            {
              name: 'delegation'
              properties: {
                serviceName: 'Microsoft.Web/serverfarms'
              }
            }
          ]
        }
      }
    ]
  }
}

// VNet integration: attach each existing app to its subnet
resource productsToSubnet 'Microsoft.Web/sites/networkConfig@2022-03-01' = {
  name: '${appOne}/virtualNetwork'
  properties: {
    subnetResourceId: virtualNetwork.properties.subnets[0].id
    swiftSupported: true
  }
}

resource webhooksToSubnet 'Microsoft.Web/sites/networkConfig@2022-03-01' = {
  name: '${appTwo}/virtualNetwork'
  properties: {
    subnetResourceId: virtualNetwork.properties.subnets[1].id
    swiftSupported: true
  }
}

Related

Azure Static Outbound Private IP

I've the following scenario:
There's a VNET which has a few services (Azure Container Apps + Azure Functions) which are internal services (they do not accept any external traffic). This VNET is connected to On-Prem using ExpressRoute. There's a service (API) hosted On-Prem, which we want to call from Container Apps/Functions, that is only accessible internally. This service is behind a firewall. The administrators of this On-Prem service want us to provide the private IP(s) of the services which will call the On-Prem service. The important part is that we want these IP(s) to be static, so we do not need to change any firewall settings frequently. As far as I know, there's no way to control the private IP of either a Container App or an Azure Function. I've considered Azure NAT Gateway, but it seems to only work with public IP(s).
Are there any other alternatives?
Looking at the latest specification (api-version=2022-06-01-preview), it is supposed to be possible.
In the vnetConfiguration block, you can specify the outbound type and the virtual appliance IP:
vnetConfiguration: {
  ...
  outboundSettings: {
    outBoundType: 'UserDefinedRouting'
    virtualNetworkApplianceIp: 'X.X.X.X'
  }
}
This requires a Premium sku:
sku: {
  name: 'Premium'
}
Found also this interesting article about locking down the VNET:
Lock down VNET with Network Security Groups and Firewall

Azure Container Instance changing IP address

We have an Azure Container Instance which holds a container for RabbitMQ. The IP address of the container keeps changing, which makes the rabbitmq server unreachable. Is there a way to make this static? do we need to add a DNS on top of the IP address if this can be made static?
As pointed out by @evidalpe, you can't assign a static IP address to a container instance. However, you can easily assign a static/predictable DNS name using dnsNameLabel. I find this much more convenient than using the IP address.
Example:
customdnslabel.westeurope.azurecontainer.io
You can set the DNS name label when creating the container instance, and also update the label for an existing instance. You cannot edit it using the portal, but it is shown as "FQDN" afterwards.
Azure CLI Example - Works for create and update. Azure CLI can also be executed using the Cloud Shell.
az container create -g myresourcegroup -n mycontainerinstancename --dns-name-label customdnslabel --image rabbitmq
Bicep Template:
// Parameters added so the template compiles on its own
param location string = resourceGroup().location
param image string = 'rabbitmq'
param cpus int = 1
param memory int = 2

resource mycontainerinstance 'Microsoft.ContainerInstance/containerGroups@2021-03-01' = {
  name: 'mycontainerinstancename'
  location: location
  properties: {
    osType: 'Linux'
    restartPolicy: 'Always'
    ipAddress: {
      // The label gives a stable FQDN even though the public IP itself can change
      dnsNameLabel: 'customdnslabel'
      type: 'Public'
      ports: [
        // ...
      ]
    }
    containers: [
      {
        name: 'mycontainer'
        properties: {
          image: image
          resources: {
            requests: {
              cpu: cpus
              memoryInGB: memory
            }
          }
          ports: [
            // ...
          ]
        }
      }
    ]
  }
}
This is a known issue and several solutions have been proposed so far:
Static IP address for Azure Container Instances
Attaching a static ip address to Azure Container Instance
Another solution is setting up an Azure function that periodically checks the Container Instance IP, and when it changes, the function updates the Server IP accordingly.
A container orchestration system like Kubernetes could help overcoming the issue as well.

Azure API Management - Allow access to Backend API deployed to AKS using FQDN (with private Internal IP)

We are trying to deploy Microservices in AKS cluster and use Azure API Management as API Gateway. In order to prevent direct access to backend Microservices, planning to have both API Management and AKS part of a single VNet and force all API calls to be routed through API Management.
Following are the steps done to provision the services:
Created a new Virtual Network with Subnet configuration in Azure.
Created a Network Security Group and configured all required inbound/outbound port rule exclusions.
Configured Azure API Management in "external" networking mode, and completed steps as given in https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet, by enabling "External" mode in Azure API Management and linked the newly created Virtual Network and Subnet in Networking section.
Created a new AKS Cluster in the same Virtual Network and, since we plan to use Istio as Service Mesh, created a new Istio Ingress Gateway with the below configuration to provision a new Azure Load Balancer to accept requests on the Internal IP routed by API Management (note the inclusion of annotations to create a new Internal IP based Azure Load Balancer):
apiVersion: v1
kind: Service
metadata:
  name: istio-internal-ingressgateway
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  namespace: poc
spec:
  type: LoadBalancer
  selector:
    istio: internal-ingressgateway
  ports:
  - port: 80
    name: http
  - port: 443
    name: https
With the above setup completed, all backend API calls from API Management routed through the internal IP (through Azure Load Balancer) works as expected. As given in the below screenshot, calls made to http://10.228.80.227/api/k8s/GetClientIP does return with HTTP 200 (expected result).
Question:
Instead of using an internal IP (10.228.80.227, in this case), is there a way to define a (Private) DNS name for the IP and make it resolve from API Management? For example, define a DNS alias entry for 10.228.80.227 as "api.contoso.com" and use http://api.contoso.com/api/k8s/GetClientIP and still make it resolve from API Management.
Based on some research tried the following but couldn't make it work all the way:
Provisioned a new Azure Private DNS Zone and configured the "Virtual network links" to point to the same Virtual Network.
Added a new "A" record set in the Private DNS Zone for 10.228.80.227 and api.contoso.com.
Updated the API Management to use the FQDN instead of IP in Settings:
As a final step, initiated the Test from API Management but ended up with the following HTTP 500 error:
Looking into the Trace, got the following error that indicates that calls from API Management failed at DNS resolution:
forward-request (68.296 ms)
{
  "messages": [
    "Error occured while calling backend service.",
    "The remote name could not be resolved: 'x3api.jha.com'"
  ]
}
Note: All required host entries in Istio Ingress Gateway are added for new host to allow traffic routing and the service itself runs fine when accessed from within the POD/cluster using CURL.
Can someone throw light if any steps are being missed to make the DNS resolution work from API Management?

Azure VM metadata missing / empty publicIpAddress

On an Azure VM, when querying for metadata, publicIpAddress has no value even though the machine has a public IP.
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2019-11-01"
returns an empty string for publicIpAddress
{
  "compute": {
    // ... Omitted for brevity
  },
  "network": {
    "interface": [
      {
        "ipv4": {
          "ipAddress": [
            {
              "privateIpAddress": "10.3.0.4",
              "publicIpAddress": ""
            }
          ],
          // ... Rest has been omitted for brevity
Does anyone know why? I checked https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service, but couldn't find any reason for the public IP address not to show up
I believe your public IP address is Standard SKU instead of Basic SKU, which does not support instance metadata service.
From MSDN:
Only Public IP addresses with basic SKU are available when using instance metadata service IMDS. Standard SKU is not supported.
This GitHub Issue also has more information.
I've also tested this with both basic and standard SKU public IP addresses, and standard SKU will give you "publicIpAddress":"" when querying the instance metadata instance API.
Solution
To be able to use the instance metadata service, you need to use a Basic SKU public IP address. You cannot change the SKU once a public IP address is created, as highlighted in MSDN.
Instead, you could first disassociate your Standard SKU public IP address instance from your virtual machine network interface, create a new public IP address with Basic SKU, then associate this public IP address with your virtual machine network interface. This is required since a network interface can only have one public IP address associated to it.
Checking Public IP Address SKU
You can run Get-AzPublicIpAddress from Azure PowerShell command to check your public address SKU:
(Get-AzPublicIpAddress -Name "PUBLIC-IP-NAME" -ResourceGroupName "RESOURCE-GROUP").Sku.Name
Or using az network public-ip show from Azure CLI if you prefer:
az network public-ip show -n "PUBLIC-IP-NAME" -g "RESOURCE-GROUP" --query "sku.name"
Or just check via Azure portal by navigating to your public IP address instance.

How to get DNS Name in azure Virtual Machines - List All api?

I want to get the DNS Name in azure Virtual Machines - List All api in nodejs.
Please help me.
I checked this url Virtual Machines - List All
But the DNS Name is not available in the response.
If you want to get the FQDN for Azure VMs created in the Azure portal: when you create a virtual machine (VM) in the Azure portal, a public IP resource for the virtual machine is automatically created. The FQDN is actually attached to the public IP resource for external access, so you should look at the public IP for the DNS name.
You can look up the API Public IP Addresses - List All
"dnsSettings": {
  "domainNameLabel": "testlbl",
  "fqdn": "testlbl.westus.cloudapp.azure.com"
},
