
Deploy MinIO to Azure Container App with Application Gateway

meshcloud/minio_azure_container_app


MinIO Azure Container App

This repo deploys a MinIO container into an Azure Container Group, fronted by an Azure Application Gateway for SSL termination and IP restrictions and by a Coraza WAF container that filters requests with the OWASP Core Rule Set.


Architecture

flowchart TD
    subgraph External
        A[External Traffic<br>HTTPS:443 / 8443<br>IP Restricted]
    end

    A --> B[Azure Application Gateway<br>SSL Termination & Load Balancing<br>IP Restrictions via NSG]

    B --> C[Coraza WAF Container<br>Ports: 8080, 8081<br>OWASP CRS + Rate Limiting]

    C -->|Port 8080| E[MinIO UI<br>Port 9001]
    C -->|Port 8081| F[MinIO API<br>Port 9000]

    E --> G[Azure File Share / Storage Account]
    F --> G

    subgraph "Azure Virtual Network"
        subgraph "Application Gateway Subnet"
            B
        end
        subgraph "Container Instances Subnet"
            C
            E
            F
        end
    end

Components

  • MinIO Container: Runs the object storage service (ports 9000/9001 - internal only)
  • Azure Application Gateway: Provides SSL termination, load balancing, and IP restrictions (ports 443/8443 - externally exposed)
  • Coraza WAF Container: Modern WAF with OWASP Core Rule Set protecting both UI (8080) and API (8081)
  • Network Security Group: Controls inbound traffic with IP-based access restrictions
  • Storage: Uses Azure File Share for persistent data storage
  • Virtual Network: Isolates components with dedicated subnets for Application Gateway and Container Instances

Requirements

  • Azure Subscription
  • Azure Resource Group
  • SSL Certificate (.pfx file) for HTTPS traffic

Usage

Accessing MinIO

Web Console (UI):

https://your-domain.region.azurecontainer.io/

S3 API (for applications/tools):

https://your-domain.region.azurecontainer.io:8443/

Using MinIO Client (mc)

  1. Install MinIO Client:

    # macOS
    brew install minio/stable/mc
    
    # Linux
    wget https://dl.min.io/client/mc/release/linux-amd64/mc
    chmod +x mc
  2. Configure MinIO Client:

    mc alias set myminio https://your-domain.region.azurecontainer.io:8443 your-username your-password --insecure
  3. Create and manage buckets:

    mc mb myminio/my-bucket
    mc ls myminio
    mc cp myfile.txt myminio/my-bucket/
    mc cp myminio/my-bucket/myfile.txt ./

Using AWS CLI

aws s3 ls --endpoint-url https://your-domain.region.azurecontainer.io:8443 --no-verify-ssl

Resources Created

  • Application Gateway: Provides SSL termination, load balancing, and public access
  • Virtual Network: Network isolation with dedicated subnets
  • Network Security Group: IP-based access restrictions
  • Container Group: Hosts MinIO and Coraza WAF containers
  • Storage Account: Provides persistent storage
  • Storage Share: Azure File Share for MinIO data
  • Key Vault: Stores SSL certificates securely
  • Log Analytics Workspace: For monitoring and logs

Security Features

WAF Protection (Coraza + OWASP CRS)

  • OWASP Core Rule Set: Rule-based protection against the attack classes in the OWASP Top 10
  • SQL Injection Prevention: Blocks malicious database queries
  • XSS Protection: Prevents cross-site scripting attacks
  • Command Injection Blocking: Stops OS command execution attempts
  • Path Traversal Prevention: Blocks directory traversal attacks

Rate Limiting (Per Source IP)

  • MinIO UI: 100 GET/min, 20 PUT/min, 10 POST/min
  • MinIO S3 API: 200 GET/min, 50 PUT/min, 10 DELETE/min
  • Admin Endpoint Blocking: Complete access denial to /minio/admin
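The limits above are applied per source IP and per HTTP method on each Coraza listener, with the MinIO admin API denied outright. The following model, added here to show how such a policy behaves over a minute of traffic, is not the Coraza rule set shipped in the repository: the 60-second sliding window, the choice to count only accepted requests towards a limit, and the sample log lines are constructed for this illustration.

```python
"""Model of the per-source-IP rate limits and the /minio/admin block described
above.  Added illustration, not the repository's Coraza configuration: the
60-second sliding window, counting only accepted requests, and the sample log
are assumptions made here."""
from collections import defaultdict, deque

# Requests per source IP per minute, per Coraza listener, as listed in the README.
LIMITS = {
    "ui":  {"GET": 100, "PUT": 20, "POST": 10},    # :8080 -> MinIO console :9001
    "api": {"GET": 200, "PUT": 50, "DELETE": 10},  # :8081 -> MinIO S3 API :9000
}
WINDOW_SECONDS = 60            # assumed sliding window length
ADMIN_PREFIX = "/minio/admin"  # MinIO admin API, denied for every client


class WafPolicy:
    """Stateful decision function: one timestamp deque per (listener, ip, method)."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self._hits = defaultdict(deque)

    def decide(self, listener, ip, method, path, now):
        """Return (status, reason): 403 for the admin API, 429 over the limit, else 200."""
        if path.startswith(ADMIN_PREFIX):
            return 403, "admin endpoint blocked"
        limit = self.limits[listener].get(method)
        if limit is None:
            return 200, f"{method} is not rate limited on {listener}"
        q = self._hits[(listener, ip, method)]
        # Drop hits that have left the window before counting.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return 429, f"{method} limit of {limit}/min exceeded for {ip}"
        q.append(now)
        return 200, "allowed"


def replay(log_text, policy=None):
    """Run constructed access-log lines ('ts listener ip method path') through the
    policy and return how many requests ended with each status."""
    policy = policy or WafPolicy()
    counts = {200: 0, 403: 0, 429: 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, listener, ip, method, path = line.split()
        status, _ = policy.decide(listener, ip, method, path, float(ts))
        counts[status] += 1
    return counts


# Constructed sample: one admin probe, one normal list call, then 12 DELETEs from
# the same client inside a minute (the API listener allows 10).
SAMPLE_LOG = "\n".join(
    ["0 api 198.51.100.1 GET /minio/admin/v3/info",
     "0 api 198.51.100.1 GET /my-bucket?list-type=2"]
    + [f"{t} api 198.51.100.1 DELETE /my-bucket/obj{t}" for t in range(12)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))  # {200: 11, 403: 1, 429: 2}
```

Because the counters are keyed on listener, client address and method, a client that exhausts its POST budget on the console can still issue GETs, and a second client is unaffected; once the oldest hit falls out of the window the client is admitted again.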

Infrastructure Security

  • IP Restrictions: Network Security Group rules allow access only from specified IP addresses/ranges
  • SSL Termination: External traffic is encrypted over HTTPS; TLS terminates at the Azure Application Gateway
  • No Direct MinIO Access: MinIO ports not exposed externally
  • Server Certificate: The Application Gateway serves the SSL certificate held in Key Vault for HTTPS connections
  • Network Isolation: Virtual Network with dedicated subnets for Application Gateway and Container Instances
  • Internal Communication: Containers communicate via localhost within the container group
  • Audit Logging: All WAF actions logged for security monitoring
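The IP restriction is only as good as the `allowed_ip_addresses` value it is built from, and the input's default of `10.10.10.2/32` is a private address that no client on the internet will match. The checks below are an added example, not the repository's Terraform: they assume the value is split on commas and that each entry must be CIDR notation, as the input description states; the /24 threshold for "broad range" is a choice made here.

```python
"""Validation of the allowed_ip_addresses input that drives this deployment's
Network Security Group rules.  Added example, not the repository's Terraform:
it assumes comma splitting and mandatory CIDR entries, as the README's input
description says; the broad-range threshold is a choice made here."""
import ipaddress

RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_allowlist(value):
    """Return (networks, warnings, errors) for a comma-separated CIDR list.

    errors   -> entries that will not reach the NSG in the form you intended
    warnings -> entries that parse but probably do not restrict what you think
    """
    networks, warnings, errors = [], [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            errors.append("empty entry (stray comma)")
            continue
        if "/" not in entry:
            errors.append(f"{entry!r}: not CIDR notation, use /32 for a single host")
            continue
        try:
            net = ipaddress.ip_network(entry)  # strict: 10.10.10.2/24 is rejected rather
        except ValueError as exc:              # than silently widened to 10.10.10.0/24
            errors.append(f"{entry!r}: {exc}")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{entry}: matches every source, the IP restriction is off")
        elif net.version == 4 and net.prefixlen < 24:
            warnings.append(f"{entry}: wider than /24, confirm this range is intended")
        if net.version == 4 and any(net.subnet_of(block) for block in RFC1918):
            warnings.append(f"{entry}: RFC 1918 address, internet clients reaching the "
                            "gateway's public IP will not match it")
        networks.append(net)
    return networks, warnings, errors


def is_allowed(source_ip, networks):
    """Would a packet from source_ip pass the allow rules built from networks?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets, warns, errs = validate_allowlist("203.0.113.0/32,198.51.100.0/24")
    print(is_allowed("198.51.100.77", nets), warns, errs)
```

Run it against the value you intend to pass to `terraform apply`; an entry without a prefix length or with host bits set is reported before the NSG rules are created, and the default placeholder is flagged as private.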

Requirements

| Name | Version |
|------|---------|
| azurerm | 4.36.0 |
| random | ~> 3.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_application_gateway.minio_agw | resource |
| azurerm_container_group.minio_aci_container_group | resource |
| azurerm_key_vault.minio_kv | resource |
| azurerm_key_vault_access_policy.agw_policy | resource |
| azurerm_key_vault_access_policy.minio_cert_policy | resource |
| azurerm_key_vault_certificate.minio_cert | resource |
| azurerm_log_analytics_workspace.minio_law | resource |
| azurerm_network_security_group.agw_nsg | resource |
| azurerm_network_security_rule.allow_agw_management | resource |
| azurerm_network_security_rule.allow_azureloadbalancer | resource |
| azurerm_network_security_rule.allow_https_api | resource |
| azurerm_network_security_rule.allow_https_ui | resource |
| azurerm_network_security_rule.deny_all | resource |
| azurerm_public_ip.agw_pip | resource |
| azurerm_resource_group.minio_rg | resource |
| azurerm_storage_account.minio_storage_account | resource |
| azurerm_storage_share.minio_share | resource |
| azurerm_subnet.aci_subnet | resource |
| azurerm_subnet.agw_subnet | resource |
| azurerm_subnet_network_security_group_association.agw_nsg_association | resource |
| azurerm_user_assigned_identity.agw_identity | resource |
| azurerm_virtual_network.minio_vnet | resource |
| random_string.storage_suffix | resource |
| azurerm_client_config.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_ip_addresses | Comma-separated list of IP addresses that will be allowed to access the MinIO service in CIDR format. Example: '203.0.113.0/32' for a single IP or '10.10.10.2/32,192.168.1.0/24' for multiple IPs. | string | "10.10.10.2/32" | no |
| coraza_waf_image | Coraza WAF container image | string | "ghcr.io/meshcloud/minio_azure_container_app/coraza-caddy:caddy-2.8-coraza-v2.0.0" | no |
| location | Azure region for deployment | string | "West Europe" | no |
| minio_image | MinIO container image | string | "quay.io/minio/minio:RELEASE.2025-04-22T22-12-26Z" | no |
| minio_root_password | MinIO root password for admin access | string | n/a | yes |
| minio_root_user | MinIO root username for admin access | string | "minioadmin" | no |
| nginx_image | Nginx container image | string | "mcr.microsoft.com/azurelinux/base/nginx:1.25" | no |
| public_url_domain_name | Domain name for the public URL (e.g., 'miniotest' creates 'miniotest.westeurope.azurecontainer.io') | string | n/a | yes |
| resource_group_name | Name of the Resource Group where you want to deploy MinIO | string | n/a | yes |
| storage_account_name | Storage Account Name prefix (a random suffix is added for global uniqueness) | string | "miniostorage" | no |
| storage_share_size | Storage space needed in GB (minimum 1 GB, maximum 5120 GB / 5 TB) | number | 100 | no |

Outputs

| Name | Description |
|------|-------------|
| console_url | MinIO Web Console URL |
| fqdn | Fully qualified domain name |
| mc_alias_command | MinIO client setup command |
| public_ip | Public IP address |
| s3_api_url | MinIO S3 API endpoint |
| storage_account_name | Azure Storage Account name |
