Profile Applicability:

  • Level 1

Description:

This check ensures that Azure Container Instances (ACI) are deployed within a private virtual network (VNet). By deploying container instances in a private VNet, you can isolate them from public internet traffic, enhancing security and ensuring that only authorized resources within the VNet can access the containers.

Rationale:

Deploying container instances in a private VNet prevents them from being exposed to the public internet. This is important for ensuring that sensitive workloads within the containers are not accessible from outside the VNet. It also allows you to leverage network security policies, such as private IP addressing, firewalls, and network security groups (NSGs), to secure the containers.

Impact:

Pros:

  • Provides enhanced security by ensuring container instances are not directly exposed to the internet.

  • Allows control over traffic flow to and from the containers using network security groups and other VNet controls.

  • Helps meet compliance and regulatory requirements for isolating workloads within private networks.

Cons:

  • Requires additional setup and configuration of VNets and networking rules.

  • May complicate connectivity for services that need to interact with container instances from outside the VNet.

  • Could introduce network complexity if not properly managed.

Default Value:

By default, Azure Container Instances are not deployed in a private virtual network. They are typically accessible via a public IP unless configured otherwise.

Pre-requisites:

Ensure that an Azure Virtual Network (VNet) is set up and that the necessary permissions to configure container instances within the VNet are in place. Ensure that any necessary network security policies (e.g., NSGs) are configured for controlling traffic to the container instances.

Test Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to the Container Instances blade.

  3. Select the container instance you want to review.

  4. Under the Networking section, verify that the container instance is connected to a Private Virtual Network.

  5. Check that the VNet setting is configured to use private IPs and is not associated with a public IP.

Using Azure CLI:

To check if a container instance is deployed in a private VNet, run the following command:

az container show --resource-group <RESOURCE_GROUP_NAME> --name <CONTAINER_NAME> --query "networkProfile.id"

  1. Ensure that the output returns a network profile ID, indicating the container is attached to a private VNet, and confirm that the container does not have a public IP address.
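As an added example (not part of the benchmark), a small audit helper that applies this check to the JSON that `az container show` or `az container list` returns. It flags a container group that is not attached to a VNet subnet or that exposes a public IP. The field names it reads (subnetIds, networkProfile.id, ipAddress.type, dnsNameLabel) follow the ACI container-group schema and should be confirmed against the `az` version in use; the sample records are constructed.

```python
import json
import sys

# Constructed sample in the shape of `az container list -o json` output.
# Subscription and resource names are placeholders; IPs are documentation ranges.
SAMPLE_GROUPS = json.loads("""[
  {"name": "web-private",
   "subnetIds": [{"id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Network/virtualNetworks/<VNET_NAME>/subnets/<SUBNET_NAME>"}],
   "ipAddress": {"type": "Private", "ip": "10.0.1.4", "ports": [{"port": 80, "protocol": "TCP"}]}},
  {"name": "web-public",
   "subnetIds": null,
   "ipAddress": {"type": "Public", "ip": "203.0.113.10", "dnsNameLabel": "web-public-demo",
                 "ports": [{"port": 80, "protocol": "TCP"}]}}
]""")


def evaluate_container_group(cg: dict) -> dict:
    """Return {'name', 'compliant', 'reasons'} for one container group."""
    reasons = []
    # VNet attachment: newer API versions report subnetIds, older ones
    # networkProfile.id (the field the benchmark's query reads). Accept either.
    subnet_ids = [s.get("id") for s in (cg.get("subnetIds") or []) if s.get("id")]
    profile_id = (cg.get("networkProfile") or {}).get("id")
    if not subnet_ids and not profile_id:
        reasons.append("not attached to a virtual network subnet")
    # Public exposure: ipAddress.type is Public or Private, and a DNS name label
    # only exists for public endpoints. No ipAddress at all means nothing is exposed.
    ip = cg.get("ipAddress") or {}
    if (ip.get("type") or "").lower() == "public" or ip.get("dnsNameLabel"):
        reasons.append("exposes a public IP address")
    return {"name": cg.get("name"), "compliant": not reasons, "reasons": reasons}


def audit(container_groups: list) -> list:
    """Evaluate every group; non-compliant findings are listed first."""
    findings = [evaluate_container_group(cg) for cg in container_groups]
    return sorted(findings, key=lambda f: f["compliant"])


if __name__ == "__main__":
    # Real use: `az container list -o json | python aci_vnet_audit.py`; falls back to the sample.
    groups = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GROUPS
    for f in audit(groups):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['name']}: {'; '.join(f['reasons']) or 'private VNet, no public IP'}")
```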

Implementation Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to Container Instances and click Create.

  3. In the Networking section, select Virtual Network and choose the VNet where the container instance should be deployed.

  4. Ensure the Private IP option is selected and no public IP is assigned to the container.

  5. Click Review + Create to deploy the container instance in the private VNet.

Using Azure CLI:

To deploy a container instance in a private VNet, run the following command:

az container create --resource-group <RESOURCE_GROUP_NAME> --name <CONTAINER_NAME> --image <IMAGE_NAME> --vnet <VNET_NAME> --subnet <SUBNET_NAME> --cpu 1 --memory 1.5

  1. Ensure that the --vnet and --subnet options are specified to connect the container to a private VNet.

Backout Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to Container Instances and select the container instance.

  3. Under the Networking section, remove the container's association with the private VNet.

  4. Optionally, assign a public IP if needed for external access.

  5. Click Save to apply the changes.

Using Azure CLI:

To remove the container instance from the private VNet, you can either reconfigure it to use a public IP or delete the container instance:

az container update --resource-group <RESOURCE_GROUP_NAME> --name <CONTAINER_NAME> --public-ip-address

Alternatively, delete the container instance and recreate it with public IP settings:

az container delete --resource-group <RESOURCE_GROUP_NAME> --name <CONTAINER_NAME>

References: