Moisslvarez-0222 asked srbose-msft answered

Azure Container Instances doesn't retrieve client public ip

I have set up an Azure Container Instance with software that uses Single-Sign-On to access its services. It uses client public IP to prevent session hijack attacks and also to handle session tickets.

This feature is not working because the container instance receives all incoming client IPs masqueraded behind private IPs (10.x.x.x). It also gets worse due to internal load balancing (not set up on my side) that makes client IPs change from request to request, invalidating session tickets.

We tried to retrieve public client IP using the X-Forwarded-For header to overcome the probable proxy or internal load balancer; it didn't work.

So, is there a setup parameter or network configuration that makes the container instance retrieve client public IPs?



azure-container-instances


1 Answer

srbose-msft answered

@Moisslvarez-0222, thank you for your question. Source IP preservation depends on the service exposing the container group on the underlying platform. Also, as you mentioned, it does depend on the configuration and capabilities of the load balancer, which, in the case of an Azure container group deployed with a virtual network, is abstracted from the customer at the time of writing.

Having said that, you can configure a single public IP address for outbound and inbound traffic to a container group.

Setting up a container group with an external-facing IP address allows external clients to use the IP address to access a container in the group.

The aforementioned article provides steps to configure a container group in a virtual network integrated with Azure Firewall. By setting up a user-defined route to the container group and firewall rules, you can route and identify traffic to and from the container group. Container group ingress and egress use the public IP address of the firewall. A single egress IP address can be used by multiple container groups deployed in the virtual network's subnet delegated to Azure Container Instances.

Thus, we can bypass policies on the underlying orchestration platform like externalTrafficPolicy, which might SNAT inbound traffic with IP addresses internal to the orchestration platform's infrastructure. Azure Firewall will only perform a DNAT on inbound traffic, thereby preserving the source public IP address.


Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
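As an added example (not code from either post, and not Azure's), here is a small Python model of the IP-bound session check the question describes, run against constructed traffic for the three situations in the thread: platform SNAT with a changing 10.x peer and no X-Forwarded-For, Azure Firewall DNAT with the source address preserved, and an X-Forwarded-For header arriving from a peer that is not a trusted proxy. All addresses, the `trusted_proxies` list and the ticket name are constructed.

```python
import ipaddress
# Constructed example, not code from the original post or from Azure.

def client_ip(peer_addr, xff_header, trusted_proxies=()):
    """Address to bind a session to: walk X-Forwarded-For from the right,
    skipping trusted hops; return the first untrusted one. The header is
    ignored when the peer itself is untrusted, because anyone can set it."""
    peer = ipaddress.ip_address(peer_addr)
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    is_trusted = lambda ip: any(ip in net for net in trusted)
    if not xff_header or not is_trusted(peer):
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the peer address
        if not is_trusted(ip):
            return str(ip)
    return str(peer)

class SessionStore:
    """Binds each ticket to the IP it was issued to; rejects any other IP."""
    def __init__(self):
        self._bound = {}
    def issue(self, ticket, ip):
        self._bound[ticket] = ip
    def validate(self, ticket, ip):
        return self._bound.get(ticket) == ip

def simulate(requests, trusted_proxies=()):
    """requests: [(peer_addr, xff_or_None)]. Issue a ticket on the first
    request; return whether each request passes the IP-binding check."""
    store, results = SessionStore(), []
    for i, (peer, xff) in enumerate(requests):
        ip = client_ip(peer, xff, trusted_proxies)
        if i == 0:
            store.issue("ticket-1", ip)
        results.append(store.validate("ticket-1", ip))
    return results

# Constructed traffic for the situations discussed in the thread.
SNAT_ONLY = [("10.0.1.4", None), ("10.0.1.7", None)]            # platform SNAT, peer changes
DNAT_FIREWALL = [("203.0.113.9", None), ("203.0.113.9", None)]  # Azure Firewall DNAT keeps source
UNTRUSTED_XFF = [("10.0.1.4", "203.0.113.9"), ("10.0.1.7", "203.0.113.9")]  # header from untrusted peer
if __name__ == "__main__":
    print(simulate(SNAT_ONLY))      # [True, False]: second request rejected
    print(simulate(DNAT_FIREWALL))  # [True, True]
    print(simulate(UNTRUSTED_XFF))  # [True, False]: header ignored, still rejected
```

The third case shows why simply reading X-Forwarded-For did not help: with no HTTP proxy in the path the header is absent, and honouring it from an arbitrary peer would let a client choose its own binding address.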

