Corresponding section in the documentation:
Containers within a group can reach each other via localhost on the ports that they have exposed...
And on yaml reference:
ports: # Exposed ports on the instance
- protocol: string
  port: integer
But regardless of whether I expose a port or not, it is always accessible within the group (instance).
The explicit specification in YAML has no effect.
According to my understanding of the documentation, a port that is not specified in YAML should not be accessible through other containers within a group. (Similar to docker Compose)
This is currently not the case.
I have created a small test scenario:
1 container with a greeting service on Port 8080
1 container with a greeting service on Port 8090
A third container tries to reach the services within the group with curl.
(curl localhost:8080/greet/FromPort8080 --next localhost:8090/greet/FromPort8090)
I expose port 8080 for container 1 but I do not expose port 8090 for container 2 in the deployment YAML.
Result:
{"message":"Hello FromPort8080!"}{"message":"Hello FromPort8090!"}
Container 3 can access both services although I did not release port 8090 in container 2.
I would like to have the option, as stated in the documentation, to release a port within the groups only if explicitly specified. The default should be not to expose.
But until then the documentation has to be adapted to the current behavior.
@Herr-Sepp
Thanks for the feedback! We are currently investigating and will update you shortly.
@Herr-Sepp Ports specified in the YAML will be opened for the public IP which is assigned to that ACI.
If we are using localhost, there is no port restriction. That's why the third container is able to reach other containers.
In your case, you have opened 8080, so you can access that port only via the public IP assigned to that ACI.
You can't access 8090 via the public IP.
Let me know if you need more information.
OK, so all ports are always accessible for all containers inside the group and that cannot be prevented? This should be included in the documentation.
What do you mean with:
> If we are using localhost,
Is there another way?
> In your case, you have opened 8080, so you can access that port only via the public IP assigned to that ACI.
In my example this is not yet the case.
To reach a port from the outside I have to release it within the container declaration AND within the IpAddress configuration.
What I mean with container declaration:
properties:
  containers:
  - name: containername
    properties:
      image: imagepath
      ports: <--
What I mean with group ipAddress declaration:
properties:
  ipAddress:
    type: Public
    ports: <--
So releasing the port only within the container configuration has no effect as long as I don't specify it with ipAddress as well? There should be a warning that the setting has no effect.
But what is the use of port release within the container configuration at all?
Since there is only one address range, a port cannot be occupied by several containers.
Specifying which ports you want to expose inside ipAddress should be enough, right?
Yes. All ports are open for containers inside the container group. That cannot be prevented.
That's mentioned in the document under networking like this.
> Containers within a group can reach each other via localhost on the ports that they have exposed, even if those ports aren't exposed externally on the group's IP address.
Using localhost means accessing the services via http://localhost and not via http://publicip.
Obviously, one container will use localhost (127.0.0.1) to access the services from other containers.
> So releasing the port only within the container configuration has no effect as long as I don't specify it with ipAddress as well? There should be a warning that the setting has no effect.
In Azure CLI, we will explicitly specify ports to open. For YAML, we can add a note.
@dlepow Add your thoughts for the above question.
> But what is the use of port release within the container configuration at all?
We will be having that config in Dockerfile as well. In ACI there is no effect on the port specified in the container.
> Since there is only one address range, a port cannot be occupied by several containers.
> Specifying which ports you want to expose inside ipAddress should be enough, right?
Yes. That should be enough.
Thank you very much for your explanations.
> Containers within a group can reach each other via localhost on the ports that they have exposed, even if those ports aren't exposed externally on the group's IP address.
Maybe the sentence can be adjusted to make what is meant clearer.
I had assumed that this sentence meant only the ports specified in the container declaration, also because the YAML reference says on this container declaration:
"ports: # Exposed ports on the instance".
But that, as you said, actually has no effect on its own.
> Specifying which ports you want to expose inside ipAddress should be enough, right?
> Yes. That should be enough.
At the moment, at least when using YAML, the ports in the container config must be specified as well.
Following ports '8080' in the 'ipAddress' are not used by any container in container group 'port_expose'.
Nice. I didn't know about that error. Thanks.
@dlepow Please validate the request to enhance the doc.
Documentation updated: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-container-groups#networking
Thanks again, @Herr-Sepp
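
The port rules worked out in this thread, as an added example that is not part of the original issue or of Azure's tooling: a small Python check over a container-group spec, given as a dict that mirrors the YAML layout quoted above. The function name `audit_ports`, the container names and port 9000 are constructed for illustration.

```python
# Added example: audit a container-group spec for the port behaviour
# described in this thread. Sample data is constructed, not from the issue.

def audit_ports(group):
    """Return (publicly_reachable_ports, findings) for a spec dict."""
    props = group.get("properties", {})
    declared = {}  # port -> names of the containers that declare it
    for c in props.get("containers", []):
        for p in c.get("properties", {}).get("ports") or []:
            declared.setdefault(p["port"], []).append(c["name"])
    declared_ports = set(declared)

    ip = props.get("ipAddress") or {}
    ip_ports = {p["port"] for p in ip.get("ports") or []}
    findings = []

    # Mirrors the deployment error quoted in the thread:
    # "ports ... in the 'ipAddress' are not used by any container".
    for port in sorted(ip_ports - declared_ports):
        findings.append(("error", port, "in ipAddress but not used by any container"))
    # A container-level port alone opens nothing on the group IP. Inside the
    # group it is reachable over localhost either way, declared or not.
    for port in sorted(declared_ports - ip_ports):
        findings.append(("warning", port, "container-only; not reachable via the group IP"))
    # All containers share one localhost, so a port can have only one owner.
    for port in sorted(declared):
        if len(declared[port]) > 1:
            findings.append(("warning", port, "declared by " + ", ".join(declared[port])))

    is_public = ip.get("type") == "Public"
    public = sorted(ip_ports & declared_ports) if is_public else []
    return public, findings


def _container(name, *ports):
    spec = {"name": name, "properties": {"image": "imagepath"}}
    if ports:
        spec["properties"]["ports"] = [{"protocol": "TCP", "port": p} for p in ports]
    return spec

# Constructed sample: 8080 declared in both places, 8090 on the container
# only, 9000 listed under ipAddress without any container declaring it.
SAMPLE_GROUP = {"properties": {
    "containers": [_container("greeter-a", 8080), _container("greeter-b", 8090),
                   _container("client")],
    "ipAddress": {"type": "Public",
                  "ports": [{"protocol": "TCP", "port": 8080},
                            {"protocol": "TCP", "port": 9000}]},
}}

if __name__ == "__main__":
    print(audit_ports(SAMPLE_GROUP))
```

The check reports only what the spec says about the group IP; it cannot restrict traffic between containers in the group, which by the answers above is always open over localhost.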