Connecting Docker Container to Azure Virtual Network

Rahul Metangale
Feb 20, 2019

Connecting Container to Azure VNet Sample scenario

Recently I was working on a project where we wanted to assign an IP address to a docker container from an Azure VNET. You may wonder why assigning an IP address from an Azure VNET is required when containers can get their IP address from the network created by docker. Here are some scenarios where this will be useful:

  1. You want to use Azure networking features like Network Security Groups (NSG) to control network traffic going in and out of the docker container
  2. You need more visibility into the container address space
  3. You are using Azure services like Storage or SQL and you want to restrict access to these resources to a specific container. If the container gets its IP from the Azure VNET, then we can whitelist that IP on Azure Storage or SQL.

I came across the Azure Container Networking driver, which allows connecting a docker container to an Azure VNET. Initially I tried using the CNM network of this driver, but it did not work. After posting an issue on the GitHub repo, I found out that the CNM network is not currently supported, and it was suggested to use the CNI network of this driver.

The steps to use the CNI network of this driver are not well documented, hence I thought of sharing the steps here.

I used an Azure VM with Ubuntu 18.04 OS for this testing. Here are the detailed steps:

  • Clone the Azure Container networking repository

git clone https://github.com/Azure/azure-container-networking.git

  • Change into the cloned directory

cd azure-container-networking

  • Change into the scripts directory

cd scripts

  • Make the install-cni-plugin.sh file executable for the user

chmod u+x install-cni-plugin.sh

  • Install the Azure Container Networking CNI plugin. Here I have installed the latest release (v1.0.17) available as of 19 Feb 2019

sudo ./install-cni-plugin.sh v1.0.17

  • Make the docker-run.sh file executable for the user

chmod u+x docker-run.sh

  • Install the jq package on Ubuntu. It is required by the docker-run.sh file

sudo apt-get update

sudo apt-get install jq

  • Add an additional IP to the network interface. I used the Azure CLI for this

az network nic ip-config create -g rg-eastus-demo --nic-name devap01-nwdemo --private-ip-address 10.0.0.6 --name dockerContainer1

  • Deploy the docker container using the provided docker-run.sh. Please note that we cannot use the default docker run directly.

sudo ./docker-run.sh vnetdockerdemo default alpine

  • To verify that the container got the IP address from the VNET, connect to the container using the following command

sudo docker exec -it vnetdockerdemo /bin/sh

  • Now if you run the ifconfig command, you will notice the container's IP is 10.0.0.6
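
The last two steps can be scripted so that a deployment fails when the container did not receive the address that NSG or storage firewall rules are keyed on. This is an added example, not part of the original post; the interface name eth0 and the sample ifconfig output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): fail closed if the container
# does not hold the VNET address that NSG / firewall rules were written for.

# Print the IPv4 address of interface $1 from ifconfig output on stdin.
# Handles BusyBox ("inet addr:10.0.0.6") and net-tools ("inet 10.0.0.6").
iface_ipv4() {
    awk -v ifc="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # interface header line
        cur == ifc && $1 == "inet" {
            ip = $2; sub(/^addr:/, "", ip); print ip; exit
        }'
}

# usage: verify_vnet_ip <expected-ip> <iface>   (ifconfig output on stdin)
# Returns non-zero when the interface is missing or has another address,
# for example a docker bridge address instead of the VNET one.
verify_vnet_ip() {
    actual=$(iface_ipv4 "$2")
    if [ "$actual" = "$1" ]; then
        echo "OK: $2 has $actual"
    else
        echo "MISMATCH: $2 has '${actual:-none}', expected $1" >&2
        return 1
    fi
}

# Constructed sample of BusyBox ifconfig output from an alpine container
# (eth0 as the interface name is an assumption).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0D:3A:00:00:01
          inet addr:10.0.0.6  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

printf '%s\n' "$SAMPLE_IFCONFIG" | verify_vnet_ip 10.0.0.6 eth0

# Against the live container from the steps above:
#   sudo docker exec vnetdockerdemo ifconfig | verify_vnet_ip 10.0.0.6 eth0
```

Running the check right after docker-run.sh and before opening any allowlist entry for 10.0.0.6 keeps the rule and the container's actual address in agreement.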

I hope you find this useful.
