Refine Lab 7 & Lab 8 #114

Open
sonwan2020 opened this issue Oct 29, 2024 · 3 comments

Comments


sonwan2020 commented Oct 29, 2024

Currently, Lab 7 cannot run separately.

Lab 7, 4. Internal ACA:
when creating the service connections between the apps and the MySQL database, the following error is prompted:

"message": "Execution failed. Attempt to get outboundIps: Failed to get IPs of source resource to set firewall rules, /subscriptions/6c933f90-8115-4392-90f2-7077c9fa5dbd/resourceGroups/rg-sonwan-vnet/providers/Microsoft.App/containerapps/customers-service.. Resource has internal VNet Configuration in environment."

At this moment, the connection between the container apps and the MySQL DB uses a public IP, but the container app does not have an outbound IP list.

Even when we allow public IP addresses in MySQL and allow 0.0.0.0 - 255.255.255.255, this error persists.

Lab 7 & Lab 8 focus on security:
Lab 7: Protect endpoints using Web Application Firewall
Lab 8: Secure MySQL database and Key Vault using a Private Endpoint

For the above issue, we should also use a private endpoint for the "vnet internal" scenario.

Or we import the private endpoint for the database in a single lab:
For Lab 7: Secure MySQL database using private endpoint
-- build a vnet internal container apps environment, and use a private endpoint for the database
For Lab 8: Protect endpoints using Web Application Firewall
-- in this lab we import kv for WAF and custom domain, and we use a private endpoint for kv

@sonwan2020 (Collaborator, Author)

For container apps in a VNet, there is no outbound IP property on the app, so there is no direct way to tell what the outbound IP is.

Internally:
For legion apps, the outbound IP list is the legion list, a long list
For non-legion apps, the outbound IP list is the AKS outbound IP list

More references:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

@sonwan2020 (Collaborator, Author)

For external components,


allxiao commented Oct 29, 2024

As discussed offline, this is more likely to be a service connector command issue in the ACA VNET environment, which needs to be fixed.

Let's not rush into heavy refactoring of Lab 7 and Lab 8, as this would require too much implementation effort from our team and too much communication burden with external teams.
