Unable to connect to ACI with a Private IP (in a subnet of a vnet) from Azure

Question

I'm deploying an Azure Container Instances with a private static IP in a subnet of my virtual network, but I'm not able to connect to them from Azure.

During development, I used to check some stuff inside the ACI, but now I keep encountering this message: The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

The name looks the same and I'm sure that it's not removed and available, because I can connect to it from VMs in a connected subnet.

Update: Just checked it with Public IP, same story.

Does anyone know how to resolve this or what could be causing the problem? Thank you in advance!

Answer 1

"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable," could be caused by a few different issues.

One possibility is that the subnet you are deploying the container group to contains other resource types, which is not allowed.

Another possibility is that the subnet and the container group are not on the same Azure subscription. Additionally, if you are deploying the container group to a virtual network, you cannot enable a liveness probe or readiness probe. According to the documentation, "Outbound connections to port 25 and 19390 are not supported at this time. Port 19390 needs to be opened in your Firewall for connecting to ACI from Azure portal when container groups are deployed in virtual networks."

az network nsg rule list --nsg-name NRMS-k47yvbhjubbl2aci-vnet --resource-group myResourceGroup 

If you've already checked the firewall settings and confirmed that the necessary ports are open, it's possible that there may be an issue with the network profile created by ACI during container group creation. You may need to delete the network profile via the Azure portal or Azure CLI and then recreate it.

Here is an example to deploy container instances into an Azure virtual network.

az container create --name appcontainer --resource-group myResourceGroup --image mcr.microsoft.com/azuredocs/aci-helloworld --vnet aci-vnet --vnet-address-prefix 10.0.0.0/16 --subnet aci-subnet --subnet-address-prefix 10.0.0.0/24

If you want to deploy a container group to an existing virtual network, create a subnet within your existing virtual network, use an existing subnet in which a container group is already deployed, or use an existing subnet emptied of all other resources and configuration. For example, I have deployed a second container group to the same subnet created previously.

setting the CONTAINER_GROUP_IP to the IP retrieved with the az container show command above and execute the following az container create command.

CONTAINER_GROUP_IP=<container-group-IP-address>

az container create --resource-group myResourceGroup --name commchecker --image alpine:3.5 --command-line "wget $CONTAINER_GROUP_IP" --restart-policy never --vnet aci-vnet --subnet aci-subnet

az container logs --resource-group myResourceGroup --name commchecker

Here, the output shows that wget was able to connect and download the index file from the first container using its private IP address on the local subnet. Network traffic between the two container groups remained within the virtual network.

az container show --resource-group myResourceGroup  --name arkoappcontainer

If you continue to experience issues, you can contact Azure support for further assistance.

References:

• Virtual network scenarios and resources
• Troubleshoot application connectivity issues on virtual machines in Azure
• Azure Functions networking options
• Similar issue