@ninjarobot
Created November 26, 2019 16:17
Azure Container with Managed Identity and Private Network
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vnetName": {
"type": "String",
"defaultValue": "priv-net"
},
"addressPrefix": {
"type": "String",
"defaultValue": "10.100.100.0/24"
},
"defaultSubnetName": {
"type": "String",
"defaultValue": "default"
},
"defaultSubnetAddressPrefix": {
"type": "String",
"defaultValue": "10.100.100.0/27"
},
"containerSubnetName": {
"type": "String",
"defaultValue": "container-subnet"
},
"containerSubnetAddressPrefix": {
"type": "String",
"defaultValue": "10.100.100.32/28"
},
"containerAddress": {
"type": "String",
"defaultValue": "10.100.100.36"
},
"enableDdosProtection": {
"type": "Bool",
"defaultValue": false
},
"identityName": {
"type": "string",
"defaultValue": "aci-hello-identity"
}
},
"variables": {
"vnetId": "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]",
"networkProfileName": "[concat('aci-network-profile-', parameters('vnetName'), '-', parameters('containerSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-04-01",
"name": "[parameters('vnetName')]",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('addressPrefix')]"
]
},
"subnets": [
{
"name": "[parameters('defaultSubnetName')]",
"properties": {
"addressPrefix": "[parameters('defaultSubnetAddressPrefix')]",
"addressPrefixes": []
}
},
{
"name": "[parameters('containerSubnetName')]",
"properties": {
"addressPrefix": "[parameters('containerSubnetAddressPrefix')]",
"delegations": [
{
"name": "Microsoft.ContainerInstance/containerGroups",
"properties": {
"serviceName": "Microsoft.ContainerInstance/containerGroups"
}
}
],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"enableDdosProtection": "[parameters('enableDdosProtection')]"
}
},
{
"type": "Microsoft.Network/networkProfiles",
"apiVersion": "2019-09-01",
"name": "[variables('networkProfileName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
],
"properties": {
"containerNetworkInterfaceConfigurations": [
{
"name": "eth0",
"properties": {
"ipConfigurations": [
{
"name": "ipconfigprofile",
"properties": {
"subnet": {
"id": "[concat(variables('vnetId'), '/subnets/', parameters('containerSubnetName'))]"
}
}
}
]
}
}
]
}
},
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('identityName')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
},
{
"type": "Microsoft.ContainerInstance/containerGroups",
"apiVersion": "2018-10-01",
"name": "aci-hello-world-group-priv-vnet",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkProfiles', variables('networkProfileName'))]",
"[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityName'))]"
],
"identity": {
"type": "UserAssigned",
"userAssignedIdentities" : {
"[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityName'))]": { }
}
},
"properties": {
"containers": [
{
"name": "aci-helloworld",
"properties": {
"image": "mcr.microsoft.com/azuredocs/aci-helloworld",
"ports": [
{
"protocol": "TCP",
"port": 80
}
],
"environmentVariables": [],
"resources": {
"requests": {
"memoryInGB": 1.5,
"cpu": 1
}
}
}
}
],
"restartPolicy": "Always",
"ipAddress": {
"ports": [
{
"protocol": "TCP",
"port": 80
}
],
"ip": "[parameters('containerAddress')]",
"type": "Private"
},
"osType": "Linux",
"networkProfile": {
"id": "[resourceId('Microsoft.Network/networkProfiles', variables('networkProfileName'))]"
}
}
}
]
}
@ninjarobot
Author

Unfortunately the managed identity isn't really usable, because this call never returns a response: `curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net%2F' -H Metadata:true -s`
