Tags: azure, terraform, azure-container-instances, azure-mysql-database

How to configure firewall between Azure Container Instance and Azure MySql automatically in Terraform?


I have a terraformed Azure MySQL instance and a WordPress docker instance running in an Azure Container Instance. Both come up fine, but I can't see a way to automatically allow access from the container instance to MySQL because 1) the traffic is not coming through the external IP address, and 2) I don't know where the actual IP address is being created, and 3) I can't see a way to determine what the IP address is.

resource "azurerm_container_group" "wp-container-group" {
   name                = var.container_group_name
   location            = azurerm_resource_group.wordpress-resource-group.location
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name
   ip_address_type     = "public"
   dns_name_label      = var.dns_label
   os_type             = "Linux"

   container {
      name   = "wordpress"
      image  = "wordpress:latest"
      ...
   }
   ...
}


resource "azurerm_mysql_server" "wordpress_mysql" {
   name                = "foo-bar"
   location            = azurerm_resource_group.wordpress-resource-group.location
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name

   ...
}


resource "azurerm_mysql_database" "wp-db" {
   name                = "wordpress"
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name
   server_name         = azurerm_mysql_server.wordpress_mysql.name
   charset             = "utf8"
   collation           = "utf8_general_ci"
}

This is set to allow traffic from the external IP address:

resource "azurerm_mysql_firewall_rule" "allow_container" {
   name                = "allow_wordpress_container"
   resource_group_name = azurerm_resource_group.wordpress-resource-group.name
   server_name         = azurerm_mysql_server.wordpress_mysql.name
   start_ip_address    = azurerm_container_group.wp-container-group.ip_address
   end_ip_address      = azurerm_container_group.wp-container-group.ip_address
}

When I SSH into the container instance and try to connect via the command-line mysql client, it tells me that it's using a different IP address than the external one---the internal one is in the 52.x.x.x range. I can manually add this IP address as a firewall rule, but I want to do it automatically.

So my question is: where does this 52.x.x.x address get assigned, and how can I access it in Terraform so that I can automatically configure the firewall rule between the container instance and mysql?


Solution

  • The outbound IP address associated with the container instance is not available as a property of the container. The IP address is not guaranteed to persist beyond container restart either, so it would not be a reliable identifier for a firewall rule.

    The simplest solution in this case would be to "Allow access to Azure services" in your database firewall. This is achieved by creating an azurerm_sql_firewall_rule having start_ip_address and end_ip_address set to "0.0.0.0".
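The "Allow access to Azure services" rule from the answer, written out as Terraform. This is an added example, not code from the question or the answer. The resource-group and server names (wordpress-resource-group, wordpress_mysql) are taken from the question's own config, and because that server is an azurerm_mysql_server, the example uses the matching azurerm_mysql_firewall_rule resource that the question already uses for its other rule; the rule name allow_azure_services is an arbitrary choice.

```hcl
# Added example: the "Allow access to Azure services" firewall rule for the
# question's MySQL server. Resource names are assumed from the question.
resource "azurerm_mysql_firewall_rule" "allow_azure_services" {
  name                = "allow_azure_services"
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  server_name         = azurerm_mysql_server.wordpress_mysql.name

  # The 0.0.0.0 - 0.0.0.0 range is the special value Azure interprets as
  # "accept connections from any Azure-hosted public IP". It does not open the
  # server to the whole internet, but it is also not scoped to your own
  # subscription: traffic from any Azure tenant passes this filter, so the
  # database credentials remain the only thing gating access.
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}
```

With this rule in place, the question's allow_container rule keyed on azurerm_container_group.wp-container-group.ip_address can be dropped: as the answer notes, outbound connections from the container do not use that public address, so the rule never matches the traffic it was meant to permit.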