1

Running a SQL Server Azure Container Instance in a virtual network

Up until now Azure Container Instances only had one option to allow us to connect. That was assigning a public IP address that was directly exposed to the internet.

Not really great as exposing SQL Server on port 1433 to the internet is generally a bad idea: –

Now I know there’s a lot of debated about whether or not you should change the port that SQL is listening on to prevent this from happening. My personal opinion is, that if someone wants to get into your SQL instance, changing the port isn’t going to slow them down much. However, a port change will stop opportunistic hacks (such as the above).

But now we have another option. The ability to deploy a ACI within a virtual network in Azure! So let’s run through how to deploy.

First thing, I’m going to be using the azure-cli. Deploying to a virtual network is a new feature so you’ll need to upgrade to v2.0.46. On windows it’s pretty simple, go to here and download the .msi. If you’re on linux (or running in WSL) run:-

sudo apt-get update && sudo apt-get install --only-upgrade -y azure-cli

OK, now log in to azure: –

az login

Create a resource group (this is currently only supported in (westeurope & westus): –

az group create --name containers1 --location westeurope

Now create azure container instance!

az container create \
    --resource-group containers1 \
    --image mcr.microsoft.com/mssql/server:vNext-CTP2.0-ubuntu \
    --name testcontainer1 \
    --ports 1433 \
    --vnet-name aci_vnet1 \
    --vnet-address-prefix 10.0.0.0/16 \
    --subnet aci_subnet1 \
    --subnet-address-prefix 10.0.0.0/24 \
    --environment-variables ACCEPT_EULA=Y SA_PASSWORD=Testing1122

How simple is that? We don’t need to create the virtual network beforehand. It will be created for us. Also note, I’m using the new SQL 2019 running on Ubuntu image.

If you want to create the virtual network before hand, here’s how to do it. First create the virtual network: –

az network vnet create --resource-group containers1 --name aci_vnet1

And now create the subnet: –

az network vnet subnet create --resource-group container1 \ 
    --vnet-name aci_vnet1 --name aci_subnet1 \
        --address-prefix 10.0.0.0/24 \
          --delegation

Note the –delegation option. This is required for the subnet to be used for ACIs but once set, that subnet cannot be used for anything other than Azure Container Instances.

You can have a look at the delegation options by running: –

az network vnet subnet list-available-delegations --resource-group containers1

And now you can deploy an ACI: –

az container create \
    --resource-group containers1 \
    --image mcr.microsoft.com/mssql/server:vNext-CTP2.0-ubuntu \
    --name testcontainer1 \
    --ports 1433 \
    --vnet-name aci_vnet1 \
    --subnet aci_subnet1 \
    --environment-variables ACCEPT_EULA=Y SA_PASSWORD=Testing1122

To check that the container has been created successfully: –

az container show –name testcontainer1 –resource-group containers1

Once up and running the container will have an IP within the virtual network. So that means you’ll need another resource within the network (on a different subnet) in order to connect. I’ve been using a Ubuntu jump box with the mssql-cli installed.

Full code is in this gist

N.B. – There does seem to be an issue currently when trying to delete a subnet that has been delegated for ACIs. I’m speaking with MS about it and will update this post once it is resolved.

EDIT 2018-10-06 – The network resources have to be manually deleted. The scripts to do that are in this gist

Thanks for reading!