-
Notifications
You must be signed in to change notification settings - Fork 33
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
adding private endpoint + AFD example (#1401)
* moving templates directory, adding README * adding example Bicep for private endpoint and Azure Front Door --------- Co-authored-by: Simon Jakesch <[email protected]>
- Loading branch information
Showing
13 changed files
with
517 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| # Infrastructure as Code Templates for ACA | ||
| This directory contains infrastructure as code (IaC) templates for Azure | ||
| Container Apps (ACA). These templates are designed to demonstrate how to | ||
| configure individual functionalities in an automated manner. They are | ||
| intended as reference samples and are not meant for production use. | ||
|
|
||
| ## Overview | ||
| The templates in this repository showcase various configurations and setups | ||
| for ACA. Each template focuses on a specific aspect of ACA, providing a | ||
| clear and concise example of how to implement that functionality using IaC. | ||
|
|
||
| ## Usage | ||
| To use these templates, follow the instructions provided in each template's | ||
| README file. These templates are meant to be used as a starting point for | ||
| your own configurations. You can customize them to fit your specific requirements. | ||
|
|
||
| ## Disclaimer | ||
| Please note that these templates are for reference purposes only and are not | ||
| intended for production environments. They are provided "as-is" without any | ||
| warranties or guarantees. Use them at your own risk. | ||
|
|
||
| ## Contributions | ||
| We welcome contributions to improve and expand these templates. If you have | ||
| any suggestions or improvements, please feel free to submit a pull request. |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| # Bicep Deployment of ACA + Private Endpoint + Azure Front Door | ||
|
|
||
| These Bicep files automate the process outlined in these two articles: | ||
|
|
||
| * [Create a private link to an Azure Container App with Azure Front Door](https://learn.microsoft.com/en-us/azure/container-apps/how-to-integrate-with-azure-front-door) | ||
| * [Use a private endpoint with an Azure Container Apps environment](https://learn.microsoft.com/en-us/azure/container-apps/how-to-use-private-endpoint?pivots=azure-cli) | ||
|
|
||
|
|
||
| # Usage | ||
|
|
||
| ## Deployment | ||
|
|
||
| 1. Define some variables: | ||
|
|
||
| ```bash | ||
| export RESOURCE_GROUP="my-resource-group" | ||
| export LOCATION="centralus" | ||
| ``` | ||
|
|
||
|
|
||
| 2. Create a resource group of your choosing: | ||
|
|
||
| ```bash | ||
| az group create --location $LOCATION --name $RESOURCE_GROUP | ||
| ``` | ||
|
|
||
|
|
||
| 3. Deploy the Bicep | ||
| If you want to change any of the names for any of the deployed resources please edit the top of `main-mgd-net.bicep`. After you're satisfied we start the deployment. | ||
|
|
||
| ```bash | ||
| az deployment group create --resource-group $RESOURCE_GROUP --template-file main-mgd-net.bicep | ||
| ``` | ||
|
|
||
|
|
||
| ## Approving the Connection | ||
|
|
||
| As the last step you have to approve the private endpoint from AFD into ACA. This can be done by following first [listing your private endpoint](https://learn.microsoft.com/en-us/azure/container-apps/how-to-integrate-with-azure-front-door#list-private-endpoint-connections) connections, and then [approving them](https://learn.microsoft.com/en-us/azure/container-apps/how-to-integrate-with-azure-front-door#approve-the-private-endpoint-connection). | ||
|
|
||
| ```bash | ||
| export ENVIRONMENT_NAME=mycontainerappenv # assuming names are kept as they are in the Bicep file | ||
|
|
||
|
|
||
| az network private-endpoint-connection list \ | ||
| --name $ENVIRONMENT_NAME \ | ||
| --resource-group $RESOURCE_GROUP \ | ||
| --type Microsoft.App/managedEnvironments | ||
|
|
||
| # find the ACA side if the private endpoint, the one with managedEnvironments and privateEndpointConnections in the id | ||
| az network private-endpoint-connection approve --id <PRIVATE_ENDPOINT_CONNECTION_RESOURCE_ID> | ||
| ``` | ||
|
|
||
|
|
||
| # NOTES | ||
|
|
||
| * Not all warnings have been eliminated in this Bicep | ||
| * The connection approval is still manual, PRs welcome |
32 changes: 32 additions & 0 deletions
32
templates/bicep/privateEndpointFrontDoor/dns-a-record.bicep
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| param privateDnsZoneName string | ||
| param privateEndpointName string | ||
| param containerAppEnv object | ||
|
|
||
|
|
||
| resource existingPrivateZone 'Microsoft.Network/privateDnsZones@2024-06-01' existing = { | ||
| name: privateDnsZoneName | ||
| } | ||
|
|
||
| resource existingPrivateEndpoint 'Microsoft.Network/privateEndpoints@2021-08-01' existing = { | ||
| name: privateEndpointName | ||
| } | ||
|
|
||
|
|
||
| // use privateEndpoint.customDnsConfigs[0].ipAddresses[0] to get the private IP address | ||
| // aca envs default domain containerAppEnv.properties.defaultDomain | ||
| resource dnsRecordSet 'Microsoft.Network/privateDnsZones/A@2024-06-01' = { | ||
| parent: existingPrivateZone | ||
| name: containerAppEnv.properties.defaultDomain | ||
| location: 'global' | ||
| properties: { | ||
| ttl: 3600 | ||
| aRecords: [ | ||
| { | ||
| // we use the private endpoint IP from the subnet for our private DNS A record below | ||
| ipv4Address: existingPrivateEndpoint.properties.customDnsConfigs[0].ipAddresses[0] | ||
| } | ||
| ] | ||
| } | ||
|
|
||
| } | ||
|
|
Oops, something went wrong.