Load Balancing Azure Container Instances with Envoy

Itay Podhajcer
Published in Microsoft Azure
Oct 19, 2020

Azure Container Instances are very convenient and easy to use, but they have limitations that sometimes make them unsuitable for certain scenarios. One of those limitations, at least at the time of writing, is the inability to use an Azure Load Balancer with containers deployed to a private network (load across public containers can be distributed with an Azure Traffic Manager).

The Alternative — Envoy

To work around the Azure Load Balancer’s inability to work with Azure Container Instances, an additional container running Envoy can be used to distribute the load between the other backend containers, which is exactly what this article shows.

The Example

The complete Terraform based example, which deploys three backend containers, one Envoy container and an Azure Firewall, can be found in this GitHub repository:

For brevity, I will only cover the areas of the example that specifically handle the creation and configuration of the Envoy container, starting with the template file for Envoy’s configuration. The configuration will define an HTTP listener that routes to a cluster that uses a private DNS record to pull the list of nodes:
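
An added example (not the author's template file) of an Envoy configuration with the shape described above: an HTTP listener that routes every request to a `STRICT_DNS` cluster, which resolves a private DNS record to obtain its list of backends. The v3 API, port 80, and the hostname `backends.example.internal` are assumptions standing in for the values the template receives.

```yaml
# Added example: Envoy v3 static configuration (API version is an assumption).
# Port 80 and backends.example.internal are constructed placeholders for the
# port and private DNS host record passed into the template.
# No admin listener is defined, so Envoy's admin interface is not exposed.
static_resources:
  listeners:
    - name: http_listener
      address:
        socket_address: { address: 0.0.0.0, port_value: 80 }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                # Log each proxied request to stdout so it shows up in the container logs.
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route: { cluster: backend_cluster }
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: backend_cluster
      # STRICT_DNS re-resolves the record periodically and treats every
      # returned A record as a separate upstream host.
      type: STRICT_DNS
      connect_timeout: 5s
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: backend_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address: { address: backends.example.internal, port_value: 80 }
```

For the cluster to see all backends, the private DNS record must return one A record per backend container; the file can be checked before deployment with `envoy --mode validate -c <file>`.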

Next, a Terraform module that uses that template file and creates an Envoy container, receiving the port and DNS host record:

Then the root Terraform script can call the above module when deploying the entire solution, which (using a few additional modules that are also included in the example) consists of:

  • A private network
  • Two subnets, one for the containers and one for the firewall
  • A private DNS zone
  • Three generic backend containers (using Microsoft’s demo container: mcr.microsoft.com/azuredocs/aci-helloworld)
  • One Envoy container

Deployment Testing

Testing our deployment is fairly easy: we can use a browser to send a few requests to the public IP that was created as part of the deployment process, and afterwards check the backend containers’ logs to see the incoming HTTP requests. A more significant load test can be performed with a tool such as Postman, by creating a request and then running it multiple times using the Runner.

Conclusion

The cloud is constantly evolving, but sometimes we need a temporary solution until a managed service (in this case, Azure Load Balancer) is available, so it is very important to track release announcements and update our architecture as needed.

Itay Podhajcer
Microsoft Azure

Tech expert with 20+ years’ experience as CTO, Chief Architect, and Consultant. 3x Microsoft MVP award winner. Passionate blogger and open-source contributor