Semere T.

Reputation: 1

Problem mounting Azure Storage file share on Azure Container Instance group

When I try to deploy an Azure Container Instance with a volume mounted from an Azure storage account file share, the terraform apply operation keeps saying "creating" and finally fails with an error:

 Container Group Name: "<container group name> "): polling after ContainerGroupsCreateOrUpdate: Future#WaitForCompletion: context has been cancelled: StatusCode=200 -- Original Error: context deadline exceeded

A sample screenshot is given below:

terraform output of the terraform

A snippet of the Terraform code is shown below:


resource "azurerm_storage_share" "fileshare_name" {
  name                 = "filesharename"
  storage_account_name = azurerm_storage_account.storage_account_name.name
  quota                = 5
}

resource "azurerm_container_group" "<container_name>" {
  name                = "container_instance_name"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  ip_address_type     = "Private"
  os_type             = "Linux"

  container {
    name   = "<container_name>"
    image  = "<img_ref>"
    cpu    = 3
    memory = 15

    ports {
      port     = 80
      protocol = "TCP"
    }
    
    volume {
      name                 = "<volumename>"
      mount_path           = "/home/test/dir1"
      read_only            = false
      share_name           = azurerm_storage_share.fileshare_name.name
      storage_account_name = azurerm_storage_account.storage_account_name.name
      storage_account_key  = azurerm_storage_account.storage_account_name.primary_access_key
    }
  }
}

The storage account public network access is enabled from all networks.

From within the container terminal, I am able to resolve the storage account address:

nslookup <storage_account_name>.file.core.windows.net

In addition, telnetting to the storage account connects successfully:

telnet <storage_account_name>.file.core.windows.net 445

I am stuck with the problem. Any help is greatly appreciated.

Upvotes: 0

Views: 1027

Answers (2)

Semere T.

Reputation: 1

I have found the solution myself. The problem is that there is a firewall that controls traffic between all subscriptions in this particular case. The firewall by default blocks traffic from the Internet to the network.

The container instance is deployed within a private network, and it communicates with the Storage file share through the public address (Internet). The firewall is blocking all inbound traffic from outside to the private network. Hence, three things can be done to open the network:

  1. Create a firewall rule to open traffic from the file share
  2. Create a private endpoint on the storage account
  3. Create a service endpoint to provide a secure, direct connection to Azure services

The difference between private and service endpoints is nicely explained here: https://jeffbrown.tech/azure-private-service-endpoint/

In my case, I created a firewall rule that allows the ms-ds-smbv3 application protocol between my vnet and the storage file share. Even though the storage account was open to all networks, the firewall was blocking inbound traffic to the vnet. It is working now.

An example of how to deploy a container instance with a private endpoint configured can be found at https://hervekhg.medium.com/how-to-create-azure-container-instance-aci-with-private-azure-file-as-mounted-volume-b12eefb6814f

private endpoint diagram

Upvotes: 0
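
Option 2 from the answer above (a private endpoint on the storage account), written out in Terraform as an added example; it is not the answerer's code and is not taken from the linked article. It reuses the question's `azurerm_resource_group.this` and `azurerm_storage_account.storage_account_name`; `azurerm_virtual_network.this`, the subnet, its address prefix and all resource names below are assumptions.

```hcl
# Added example. Assumed to exist already: azurerm_virtual_network.this (the VNet
# the private container group runs in). The address prefix below is constructed.

# Dedicated subnet for private endpoints, separate from the delegated ACI subnet.
resource "azurerm_subnet" "endpoints" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.this.name
  address_prefixes     = ["10.0.2.0/24"]
}

# Private DNS zone so <account>.file.core.windows.net resolves to the private IP.
resource "azurerm_private_dns_zone" "files" {
  name                = "privatelink.file.core.windows.net"
  resource_group_name = azurerm_resource_group.this.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "files" {
  name                  = "files-dns-link"
  resource_group_name   = azurerm_resource_group.this.name
  private_dns_zone_name = azurerm_private_dns_zone.files.name
  virtual_network_id    = azurerm_virtual_network.this.id
}

# Private endpoint for the "file" sub-resource of the storage account.
resource "azurerm_private_endpoint" "files" {
  name                = "pe-storage-files"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  subnet_id           = azurerm_subnet.endpoints.id

  private_service_connection {
    name                           = "storage-files"
    private_connection_resource_id = azurerm_storage_account.storage_account_name.id
    subresource_names              = ["file"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "files"
    private_dns_zone_ids = [azurerm_private_dns_zone.files.id]
  }
}
```

When the VNet uses Azure-provided DNS, the `nslookup` check from the question should then return an address from the endpoint subnet rather than a public one.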

Vinay B

Reputation: 2411

I tried mounting an Azure Storage file share in an Azure Container Instance group and I was able to provision the requirement successfully.

Azure Container Instances (ACIs) are a serverless compute service for running containerized applications. ACIs are stateless by default, meaning that any data stored in the container is lost when the container stops running. To persist data beyond the lifetime of a container, you can mount a volume from an external store, such as an Azure Files share.

The problem you're encountering appears specifically when attempting to mount a volume from an Azure Storage Account file share. While pinpointing the exact issue without real-time logs and debugging information is challenging, with certain modifications to the Terraform code we can successfully provision the requirement.

My Terraform Configuration:

data "azurerm_resource_group" "example" {
  name     = "v-sakavya"
}

resource "azurerm_storage_account" "example" {
  name                     = "myvksbstorageaccount"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}


resource "azurerm_storage_share" "example" {
  name                 = "filesharename"
  storage_account_name = azurerm_storage_account.example.name
  quota                = 5
}

resource "azurerm_container_group" "example" {
  name                = "demovksb-container-group"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  os_type             = "Linux"

  container {
    name   = "examplevk-container"
    image  = "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
    cpu    = "0.5"
    memory = "1.5"

    ports {
      port     = 80
      protocol = "TCP"
    }

    volume {
      name       = "example-volume"
      mount_path = "/mnt/azurefileshare"

      storage_account_name = azurerm_storage_account.example.name
      share_name           = azurerm_storage_share.example.name
      storage_account_key  = azurerm_storage_account.example.primary_access_key
    }
  }

  tags = {
    environment = "testing"
  }
}

Output:

Now, by using the command df -h in the container instance, we will be able to access the Azure file share from the container, and with ls we can list the files in the Azure file share.

Upvotes: 0
