mikebridge

Reputation: 4585

How to configure firewall between Azure Container Instance and Azure MySql automatically in Terraform?

I have a terraformed Azure MySQL instance and a WordPress docker instance running in an Azure Container Instance. Both come up fine, but I can't see a way to automatically allow access from the container instance to MySQL because 1) the traffic is not coming through the external IP address, and 2) I don't know where the actual IP address is being created, and 3) I can't see a way to determine what the IP address is.

resource "azurerm_container_group" "wp-container-group" {
   name                = var.container_group_name
   location            = azurerm_resource_group.wordpress-resource-group.location
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name
   ip_address_type     = "public"
   dns_name_label      = var.dns_label
   os_type             = "Linux"

   container {
      name   = "wordpress"
      image  = "wordpress:latest"
      ...
   }
   ...
}


resource "azurerm_mysql_server" "wordpress_mysql" {
   name                = "foo-bar"
   location            = azurerm_resource_group.wordpress-resource-group.location
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name

   ....
}


resource "azurerm_mysql_database" "wp-db" {
   name                = "wordpress"
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name
   server_name         = azurerm_mysql_server.wordpress_mysql.name
   charset             = "utf8"
   collation           = "utf8_general_ci"
}

This is set to allow traffic from the external IP address:

resource "azurerm_mysql_firewall_rule" "allow_container" {
   name                = "allow_wordpress_container"
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name
   server_name         = azurerm_mysql_server.wordpress_mysql.name
   start_ip_address    = azurerm_container_group.wp-container-group.ip_address
   end_ip_address      = azurerm_container_group.wp-container-group.ip_address
}

When I SSH into the container instance and try to connect via the command-line mysql client, it tells me that it's using a different IP address than the external one: the internal one is in the 52.x.x.x range. I can manually add this IP address as a firewall rule, but I want to do it automatically.

So my question is: where does this 52.x.x.x address get assigned, and how can I access it in Terraform so that I can automatically configure the firewall rule between the container instance and mysql?

Upvotes: 1

Views: 1237

Answers (2)

PP TM

Reputation: 31

Note that "allowing access to Azure services" means access from all Azure services, even those that are not yours. The Azure Portal allows you, when configuring the network connectivity of Azure Databases, to check "Allow public access from Azure services and resources within Azure to this server group", which seems nice. But the associated tooltip says "This option configures the firewall to allow connections from IP addresses allocated to any Azure service or asset, including connections from the subscriptions of other customers."

Also, allowing IPs 0.0.0.0 to 255.255.255.255 to access your DB opens the door to the whole world ...

Upvotes: 0

bpdohall

Reputation: 1051

The outbound IP address associated with the container instance is not available as a property of the container. The IP address is not guaranteed to persist beyond container restart either, so it would not be a reliable identifier for a firewall rule.

The simplest solution in this case would be to "Allow access to Azure services" in your database firewall. This is achieved by creating an azurerm_sql_firewall_rule having start_ip_address and end_ip_address set to "0.0.0.0".

Upvotes: 1
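The following Terraform is an added example, not code from the question or from either answer. It shows the 0.0.0.0 rule the accepted answer suggests, written for the azurerm_mysql_firewall_rule resource the question already uses, beside the tighter alternative a security engineer would normally prefer: placing the container group on a delegated subnet and admitting only that subnet with an azurerm_mysql_virtual_network_rule, so the unstable 52.x.x.x outbound address never has to be known. It assumes azurerm provider 3.x (where azurerm_container_group takes subnet_ids), the resource names from the question, and hypothetical names for the VNet, subnet and rules.

```hcl
# Added example; assumes azurerm >= 3.x and the resource names used in the question.

# Option A, as the answer suggests: the special 0.0.0.0/0.0.0.0 rule that Azure
# interprets as "Allow access to Azure services". It admits any Azure-hosted
# source, including other customers' subscriptions, so the database is then
# protected by its credentials alone. Keep the rule name explicit so it is
# obvious in review what this rule does.
resource "azurerm_mysql_firewall_rule" "allow_azure_services" {
  name                = "allow-all-azure-services"   # hypothetical name
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  server_name         = azurerm_mysql_server.wordpress_mysql.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}

# Option B (assumed, not described on the page): give the container group a
# private address on a subnet delegated to ACI, and admit only that subnet.
resource "azurerm_virtual_network" "wp" {                 # hypothetical
  name                = "wp-vnet"
  location            = azurerm_resource_group.wordpress-resource-group.location
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "aci" {                          # hypothetical
  name                 = "aci-subnet"
  resource_group_name  = azurerm_resource_group.wordpress-resource-group.name
  virtual_network_name = azurerm_virtual_network.wp.name
  address_prefixes     = ["10.10.1.0/24"]

  # Service endpoint so the MySQL VNet rule can match traffic from this subnet.
  service_endpoints = ["Microsoft.Sql"]

  # ACI requires the subnet to be delegated to container groups.
  delegation {
    name = "aci"
    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Private container group: no dns_name_label, and no public IP to leak.
resource "azurerm_container_group" "wp-container-group-private" {   # hypothetical
  name                = "${var.container_group_name}-private"
  location            = azurerm_resource_group.wordpress-resource-group.location
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  ip_address_type     = "Private"
  subnet_ids          = [azurerm_subnet.aci.id]
  os_type             = "Linux"

  container {
    name   = "wordpress"
    image  = "wordpress:latest"
    cpu    = "1"
    memory = "1.5"
    ports {
      port     = 80
      protocol = "TCP"
    }
  }
}

# Admit only the ACI subnet instead of every Azure address.
resource "azurerm_mysql_virtual_network_rule" "allow_aci_subnet" {   # hypothetical
  name                = "allow-aci-subnet"
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  server_name         = azurerm_mysql_server.wordpress_mysql.name
  subnet_id           = azurerm_subnet.aci.id
}
```

With option B in place, option A's rule should be removed rather than kept alongside it, since a broader rule silently makes the narrower one irrelevant; a quick check is `terraform state list | grep firewall_rule` after apply. A private container group has no public IP, so exposing WordPress to users then requires a separate front end (for example an application gateway on the same VNet), which is outside what this page covers.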
