Up until now Azure Container Instances only had one option to allow us to connect. That was assigning a public IP address that was directly exposed to the internet.
Not really great, as exposing SQL Server on port 1433 to the internet is generally a bad idea: –
Now I know there’s a lot of debate about whether or not you should change the port that SQL is listening on to prevent this from happening. My personal opinion is that if someone wants to get into your SQL instance, changing the port isn’t going to slow them down much. However, a port change will stop opportunistic hacks (such as the above).
But now we have another option: the ability to deploy an ACI within a virtual network in Azure! So let’s run through how to deploy one.
First thing, I’m going to be using the azure-cli. Deploying to a virtual network is a new feature, so you’ll need to upgrade to v2.0.46. On Windows it’s pretty simple: go here and download the .msi. If you’re on Linux (or running in WSL) run: –
sudo apt-get update && sudo apt-get install --only-upgrade -y azure-cli
OK, now log in to Azure: –
Create a resource group (this is currently only supported in westeurope and westus): –
az group create --name containers1 --location westeurope
Now create the Azure container instance: –
az container create \
  --resource-group containers1 \
  --image mcr.microsoft.com/mssql/server:vNext-CTP2.0-ubuntu \
  --name testcontainer1 \
  --ports 1433 \
  --vnet-name aci_vnet1 \
  --vnet-address-prefix 10.0.0.0/16 \
  --subnet aci_subnet1 \
  --subnet-address-prefix 10.0.0.0/24 \
  --environment-variables ACCEPT_EULA=Y SA_PASSWORD=Testing1122
How simple is that? We don’t need to create the virtual network beforehand; it will be created for us. Also note that I’m using the new SQL Server 2019 image running on Ubuntu.
If you want to create the virtual network beforehand, here’s how to do it. First create the virtual network: –
az network vnet create --resource-group containers1 --name aci_vnet1
And now create the subnet: –
az network vnet subnet create --resource-group containers1 \
  --vnet-name aci_vnet1 --name aci_subnet1 \
  --address-prefix 10.0.0.0/24 \
  --delegations Microsoft.ContainerInstance/containerGroups
Note the --delegations option. This is required for the subnet to be used by ACI, but once set, that subnet cannot be used for anything other than Azure Container Instances.
You can have a look at the delegation options by running: –
az network vnet subnet list-available-delegations --resource-group containers1
And now you can deploy an ACI: –
az container create \
  --resource-group containers1 \
  --image mcr.microsoft.com/mssql/server:vNext-CTP2.0-ubuntu \
  --name testcontainer1 \
  --ports 1433 \
  --vnet-name aci_vnet1 \
  --subnet aci_subnet1 \
  --environment-variables ACCEPT_EULA=Y SA_PASSWORD=Testing1122
To check that the container has been created successfully: –
az container show --name testcontainer1 --resource-group containers1
Once up and running, the container will have an IP within the virtual network. That means you’ll need another resource within the network (on a different subnet) in order to connect. I’ve been using an Ubuntu jump box with mssql-cli installed.
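Putting the pre-created VNet route together as one script, with a check that the subnet delegation took and that the container group only received a private address (an added example, not the gist from the post; it assumes azure-cli 2.0.46 or later, a completed `az login`, and SA_PASSWORD exported in the environment):

```shell
#!/bin/sh
# Added example (not code from the original post): create the delegated subnet,
# deploy the SQL Server image into it and verify the container group only got
# a Private address. Assumes azure-cli >= 2.0.46, a finished `az login`, and
# SA_PASSWORD exported in the environment rather than typed on the command line.
set -eu

RG=containers1;  LOCATION=westeurope                  # names from the post
VNET=aci_vnet1;  SUBNET=aci_subnet1;  CONTAINER=testcontainer1
IMAGE=mcr.microsoft.com/mssql/server:vNext-CTP2.0-ubuntu
ACI_DELEGATION=Microsoft.ContainerInstance/containerGroups

# Decision helpers kept free of az calls so they can be exercised offline.
ip_type_is_private()      { [ "$1" = "Private" ]; }
subnet_delegated_to_aci() { [ "$1" = "$ACI_DELEGATION" ]; }
state_is_final()          { [ "$1" = "Succeeded" ] || [ "$1" = "Failed" ]; }

deploy() {
  : "${SA_PASSWORD:?export SA_PASSWORD before running}"
  az group create --name "$RG" --location "$LOCATION" >/dev/null
  az network vnet create -g "$RG" -n "$VNET" --address-prefix 10.0.0.0/16 >/dev/null
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --address-prefix 10.0.0.0/24 --delegations "$ACI_DELEGATION" >/dev/null
  # Confirm the delegation took before placing a container group on the subnet.
  deleg=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
            --query 'delegations[0].serviceName' -o tsv)
  subnet_delegated_to_aci "$deleg" || { echo "subnet not delegated to ACI: '$deleg'" >&2; exit 1; }

  # No --ip-address public here: the group is reachable only inside the VNet.
  # (Newer CLIs also offer --secure-environment-variables, which keeps the
  # password out of `az container show` output.)
  az container create -g "$RG" -n "$CONTAINER" --image "$IMAGE" --ports 1433 \
      --vnet-name "$VNET" --subnet "$SUBNET" \
      --environment-variables ACCEPT_EULA=Y SA_PASSWORD="$SA_PASSWORD" >/dev/null

  # Wait for provisioning to finish, then check the address is private only.
  until state_is_final "$(az container show -g "$RG" -n "$CONTAINER" \
                            --query provisioningState -o tsv)"; do sleep 10; done
  iptype=$(az container show -g "$RG" -n "$CONTAINER" --query ipAddress.type -o tsv)
  ip_type_is_private "$iptype" || { echo "unexpected address type: $iptype" >&2; exit 1; }
  echo "private IP: $(az container show -g "$RG" -n "$CONTAINER" --query ipAddress.ip -o tsv)"
}

case "${1:-}" in deploy) deploy ;; esac    # run:  SA_PASSWORD=... sh aci_vnet.sh deploy
```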
Full code is in this gist
N.B. – There does seem to be an issue currently when trying to delete a subnet that has been delegated for ACIs. I’m speaking with MS about it and will update this post once it is resolved.
EDIT 2018-10-06 – The network resources have to be manually deleted. The scripts to do that are in this gist
Thanks for reading!