Deploy container networking for a stand-alone Windows Docker host

The Azure CNI plugin enables per container/pod networking for stand-alone docker hosts and Kubernetes clusters. In this article, you learn how to install and configure the CNI plugin for a standalone Windows Docker host.

Prerequisites

Create a virtual network and bastion host

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and an Azure Bastion host.

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg in Name.
    Select OK.
    Instance details
    Name Enter vnet-1.
    Region Select (Asia Pacific) China East 2.

    Screenshot of Basics tab of Create virtual network in the Azure portal

  4. Select Next to proceed to the Security tab.

  5. Select Enable Bastion in the Azure Bastion section of the Security tab.

    Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see Azure Bastion

    Note

    Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

  6. Enter or select the following information in Azure Bastion:

    Setting Value
    Azure Bastion host name Enter bastion.
    Azure Bastion public IP address Select Create a public IP address.
    Enter public-ip in Name.
    Select OK.

    Screenshot of enable bastion host in Create virtual network in the Azure portal.

  7. Select Next to proceed to the IP Addresses tab.

  8. In the address space box in Subnets, select the default subnet.

  9. In Edit subnet, enter or select the following information:

    Setting Value
    Subnet details
    Subnet template Leave the default Default.
    Name Enter subnet-1.
    Starting address Leave the default of 10.0.0.0.
    Subnet size Leave the default of /24(256 addresses).

    Screenshot of default subnet rename and configuration.

  10. Select Save.

  11. Select Review + create at the bottom of the screen, and when validation passes, select Create.

It can take a few minutes for the network and Bastion host to deploy. Continue with the next steps when the deployment is complete or the virtual network creation is complete.

Create test virtual machine

The following procedure creates a test virtual machine (VM) named vm-1 in the virtual network.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create.

  3. On the Basics tab of Create a virtual machine, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Virtual machine name Enter vm-1.
    Region Select China East 2.
    Availability options Select No infrastructure redundancy required.
    Security type Leave the default of Standard.
    Image Select Windows Server 2022 Datacenter - x64 Gen2.
    VM architecture Leave the default of x64.
    Size Select a size.
    Administrator account
    Authentication type Select Password.
    Username Enter azureuser.
    Password Enter a password.
    Confirm password Reenter the password.
    Inbound port rules
    Public inbound ports Select None.
  4. Select the Networking tab at the top of the page.

  5. Enter or select the following information in the Networking tab:

    Setting Value
    Network interface
    Virtual network Select vnet-1.
    Subnet Select subnet-1 (10.0.0.0/24).
    Public IP Select None.
    NIC network security group Select Advanced.
    Configure network security group Select Create new.
    Enter nsg-1 for the name.
    Leave the rest at the defaults and select OK.
  6. Leave the rest of the settings at the defaults and select Review + create.

  7. Review the settings and select Create.

Note

Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the back-end pool of a standard load balancer, with or without outbound rules.
  • An Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Add IP configuration

The Azure CNI plugin allocates IP addresses to containers based on a pool of IP addresses you create on the virtual network interface of the virtual machine. For every container on the host, an IP configuration must exist on the virtual network interface. If the number of containers on the server outnumber the IP configurations on the virtual network interface, the container starts but doesn't have an IP address.

In this section, you add an IP configuration to the virtual network interface of the virtual machine you created previously.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-1.

  3. In Settings, select Networking.

  4. Select the name of the network interface next to Network Interface:. The network interface is named vm-1 with a random number.

  5. In Settings of the network interface, select IP configurations.

  6. in IP configurations, select ipconfig1 in Name.

  7. In the ipconfig1 settings, change the assignment of the private IP address from Dynamic to Static.

  8. Select Save.

  9. Return to IP configurations.

  10. Select + Add.

  11. Enter or select the following information for Add IP configuration:

    Setting Value
    Name Enter ipconfig-2.
    Private IP address settings
    Allocation Select Static.
    IP address Enter 10.0.0.5.
  12. Select OK.

  13. Verify ipconfig2 has been added as a secondary IP configuration.

Repeat steps 1 through 13 to add as many configurations as containers you wish to deploy on the container host.

Configure IP addresses in Windows

To assign multiple IP addresses to a Windows virtual machine, the IP addressees must be added to the network interface in Windows. In this section, you'll sign-in to the virtual machine and configure the IP configurations you created in the previous section.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-1.

  3. In the Overview of vm-1, select Connect then Bastion.

  4. Enter the username and password you created when you deployed the virtual machine in the previous steps.

  5. Select Connect.

  6. Open the network connections configuration on the virtual machine. Select Start -> Run and enter ncpa.cpl.

  7. Select OK.

  8. Select the network interface of the virtual machine, then Properties:

    Screenshot of select network interface in Windows OS.

  9. In Ethernet Properties, select Internet Protocol Version 4 (TCP/IPv4), then Properties.

  10. Enter or select the following information in the General tab:

    Setting Value
    Select Use the following IP address:
    IP address: Enter 10.0.0.4
    Subnet mask: Enter 255.255.255.0
    Default gateway Enter 10.0.0.1
    Select Use the following DNS server addresses:
    Preferred DNS server: Enter 168.63.129.16 This IP is the DHCP assigned IP address for the default Azure DNS
  11. Select Advanced....

  12. in IP addresses, select Add....

  13. Enter or select the following information:

    Setting Value
    TCP/IP Address
    IP address: Enter 10.0.0.5
    Subnet mask: Enter 255.255.255.0
  14. Select Add.

  15. To add more IP addresses that correspond with any extra IP configurations created previously, select Add.

  16. Select OK.

  17. Select OK.

  18. Select OK.

The Bastion connection drops for a few seconds as the network configuration is applied. Wait a few seconds then attempt to reconnect. Continue when a reconnection is successful.

Install Docker

The Docker container engine must be installed and configured on the virtual machine you created previously.

Sign-in to the virtual machine you created previously with the Azure Bastion host you deployed with the virtual network.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-1.

  3. In the Overview of vm-1, select Connect then Bastion.

  4. Enter the username and password you created when you deployed the virtual machine in the previous steps.

  5. Select Connect.

  6. Open Windows PowerShell on vm-1.

  7. The following example installs Docker CE/Moby:

    Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/Windows-Containers/Main/helpful_tools/Install-DockerCE/install-docker-ce.ps1" -o install-docker-ce.ps1
    
    .\install-docker-ce.ps1
    

The virtual machine reboots to install the container support in Windows. Reconnect to the virtual machine and the Docker install continues.

For more information about Windows containers, see, Get started: Prep Windows for containers.

After Docker is installed on your virtual machine, continue with the steps in this article.

Install CNI plugin and jq

The Azure CNI plugin is maintained as a GitHub project and is available for download from the project's GitHub page. For this article, you download the CNI plugin repository within the virtual machine and then install and configure the plugin.

For more information about the Azure CNI plugin, see Azure Container Networking.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-1.

  3. In the Overview of vm-1, select Connect then Bastion.

  4. Enter the username and password you created when you deployed the virtual machine in the previous steps.

  5. Select Connect.

  6. Use the following example to download and extract the CNI plugin to a temporary folder in the virtual machine:

    Invoke-WebRequest -Uri https://github.com/Azure/azure-container-networking/archive/refs/heads/master.zip -OutFile azure-container-networking.zip
    
    Expand-Archive azure-container-networking.zip -DestinationPath azure-container-networking
    
  7. To install the CNI plugin, change to the scripts directory of the CNI plugin folder you downloaded in the previous step. The install script command requires a version number for the CNI plugin. At the time of the writing of this article, the newest version is v1.4.39. To obtain the latest version number of the plugin or previous versions, see Releases.

    cd .\azure-container-networking\azure-container-networking-master\scripts\
    
    .\Install-CniPlugin.ps1 v1.4.39
    
  8. The CNI plugin comes with a built-in network configuration file for the plugin. Use the following example to copy the file to the network configuration directory:

    Copy-Item -Path "c:\k\azurecni\bin\10-azure.conflist" -Destination "c:\k\azurecni\netconf"
    

Install jq

The script that creates the containers with the Azure CNI plugin requires the application jq. For more information and download location, see Download jq.

  1. Open a web browser in the virtual machine and download the jq application.

  2. The download is a self-contained executable for the application. Copy the executable jq-win64.exe to the C:\Windows directory.

Create test container

  1. To start a container with the CNI plugin, you must use a special script that comes with the plugin to create and start the container. The following example creates a Windows Server container with the CNI plugin script:

    cd .\azure-container-networking\azure-container-networking-master\scripts\
    .\docker-exec.ps1 vnetdocker1 default mcr.microsoft.com/windows/servercore/iis add
    

    It can take a few minutes for the image for the container to download for the first time. When the container starts and initializes the network, the Bastion connection disconnects. Wait a few seconds and the connection reestablish.

  2. To verify that the container received the IP address you previously configured, connect to the container and view the IP:

    docker exec -it vnetdocker1 powershell
    
  3. Use the ipconfig command in the following example to verify the IP address was assigned to the container:

    ipconfig
    

    Screenshot of ipconfig output in PowerShell prompt of test container.

  4. Exit the container and close the Bastion connection to vm-1.

Clean up resources

When you're done using the resources created, you can delete the resource group and all its resources.

  1. In the Azure portal, search for and select Resource groups.

  2. On the Resource groups page, select the test-rg resource group.

  3. On the test-rg page, select Delete resource group.

  4. Enter test-rg in Enter resource group name to confirm deletion and select Delete.

Next steps

In this article, you learned how to install the Azure CNI plugin and create a test container.

For more information about Azure container networking and Azure Kubernetes service, see: