Service Insight Guidance with containerized Service Control

I was wondering what guidance there was around how to utilize ServiceInsight with a ServiceControl instance that is running in a container, specifically Azure Container Apps. We are looking at using Azure Container Apps to run ServiceControl, and the example code for this appears to not allow outside traffic to be able to hit the ServiceControl container app other than containers running in the same container app environment. Would the simple solution be to allow traffic to things within the vnet, similar to how ServicePulse works, or is there a better solution? (see image)

I tried enabling this option and allowing insecure traffic, but it seems like ServiceInsight is still unable to connect to the ServiceControl Azure container app. I am able to see the API results when I hit the URL in the browser for the ServiceControl container app. We do have everything behind Azure private endpoints, but I wouldn’t think that would be the issue.

Hi @mick24,

ACA containers with public access need to be protected by something, and our recommendation is to use an OAuth provider that is baked into ACA. That’s what our example shows at PlatformContainerExamples/azure-container-apps at main · Particular/PlatformContainerExamples · GitHub.

Unfortunately, ServiceInsight is not able to do an OAuth login scheme. That’s a hole in our platform at the moment. I believe it might be able to do Basic or NTLM schemes, but not OAuth. There’s not enough information in the 403 response’s WWW-Authenticate header to begin an OAuth flow without knowing a lot of information about the provider. Given ServiceInsight is a .NET Framework Windows-only WPF and it has dependencies that are not available for modern .NET, we have chosen not to invest in that and are exploring other more cloud-friendly and cross-platform options.

If you want to have an Ingress with no external IP but limited to a vnet, then spin up a VM in that same vnet and run ServiceInsight on it, then get access to the vnet and RDP to the virtual machine to use ServiceInsight, and that same Ingress doesn’t force an OAuth flow, then I don’t see any reason why that wouldn’t work, but I have not tested it myself. Ultimately this is a cloud networking problem.

Another option I have thought of (but not tested) is to host an additional container that runs a reverse proxy and adds Basic authentication that ServiceInsight can handle, and give that a public HTTPS ingress. That could be done with nginx for example.
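
The reverse-proxy option from the reply above, written out as an nginx configuration. This is an added example, not part of the original reply or of Particular's PlatformContainerExamples, and like the suggestion itself it has not been tested with ServiceInsight. The upstream name `servicecontrol`, listen port 8080, realm text and htpasswd path are assumptions to replace with your own values.

```nginx
# Added example: /etc/nginx/conf.d/default.conf for a separate proxy container.
# Only this container gets the public HTTPS ingress; ServiceControl itself
# stays limited to the container app environment.

server {
    # The ACA ingress terminates TLS and forwards plain HTTP to the
    # container's target port (8080 is an assumed value).
    listen 8080;

    # Do not advertise the nginx version in headers or error pages.
    server_tokens off;

    location / {
        # Every request must carry valid Basic credentials.
        auth_basic           "ServiceControl";
        # Assumed path. Create the file with htpasswd or `openssl passwd`
        # and mount it as a secret instead of baking it into the image.
        auth_basic_user_file /etc/nginx/secrets/servicecontrol.htpasswd;

        # Assumed internal address of the ServiceControl container app.
        proxy_pass         http://servicecontrol;
        proxy_http_version 1.1;

        # The credentials are meant for the proxy only; do not forward them.
        proxy_set_header Authorization "";
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Basic credentials are only base64-encoded, so the proxy's ingress should accept HTTPS only, with insecure connections left disabled.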