Programmatically create Azure Container Instances and connect a Managed Identity

Programmatically create Azure Container Instances and connect a Managed Identity

"This feature is currently in preview. Previews are made available to you on the condition that you agree to the supplemental terms of use. Some aspects of this feature may change prior to general availability (GA). Currently, managed identities on Azure Container Instances, are only supported with Linux containers and not yet with Windows containers." - Microsoft DocsPreviously I wrote about a post explaining how to programmatically create new Azure Container Instances (ACI) that are connected to a specific Virtual Network, allowing communication with services and data that resides inside that network. In this post I'm sharing a brief additional…

Read More

Programmatically create Azure Container Instances in an existing Virtual Network

Programmatically create Azure Container Instances in an existing Virtual Network

In recent years I've worked extensively with various approaches to create ACI's, also known as Azure Container Instances. I have these standard approaches for various scenarios: Define a YAML file, and create ACI from the command line.Define an ARM template and create ACI using a Resource Deployment.Programmatically create ACI using the Azure Fluent SDK.In various use cases in my daily work, I have to rely on some of these approaches for spinning up new workloads, for short- or long-term tasks. Use caseI have Azure Functions and Azure App Services for everyday background tasks and web front-end. It…

Read More

Thoughts on Bring Your Own Key, or BYOK, to Azure Container Registry

Thoughts on Bring Your Own Key, or BYOK, to Azure Container Registry

In this article, I am exploring the capabilities of Bring Your Own Key with the Azure Container Registry. A way for you to get better control of the full Key Lifecycle Management process, should you need to. I am detailing a few of my thoughts that come up around different scenarios. I would be happy to hear about your own experiences and reasons for why BYOK helps you and your organization. Feel free to leave a comment or reach me on Twitter. ScenariosInstead of publishing purely technical piece guidelines, I am trying to angle some of my reasons and thoughts…

Read More

How Tokens and Scope Maps for Azure Container Registry introduces great repository-level access restrictions

How Tokens and Scope Maps for Azure Container Registry introduces great repository-level access restrictions

I have previously written about various Container-topics on this site. Recently, I also published a post about "Best Practices for security in Azure Container Registry." In this post, I want to bring awareness to how we can make use of one of the tips from that post, namely the Repository-scoped permissions. We can now create more fine-grained permission for our ACR. Time-limited access to help block any access after a specific point in time.Granular permission control helps restrict or allow specific actions on the registry. Actions are usually things like Read (pull), Write (push), Delete.Help your organization delegate…

Read More

Protecting your Azure Container Registry by denying all requests except from allowed IP addresses

Protecting your Azure Container Registry by denying all requests except from allowed IP addresses

With Azure Container Registry, or ACR, we get a lot of great capabilities to host our Docker images in the Azure cloud. With that, as with everything else, comes security concerns we should not overlook. In this post I'm exploring how we can lock down all access to our ACR by default, and then enable access based on an IP address or range of IP addresses. This is similar to what I've already explained in another post about Secure your Azure Storage Accounts with restrictions based on public IP addresses. If you haven't seen that, take a look there how…

Read More