Pi-hole is a popular DNS resolver, advertised as a black hole for Internet advertisements. I use it as a DNS filter for parental control as well as an ad and tracking domain filter.
As a learning project, I tried to run Pi-hole securely, with HTTPS (only) admin access, on the Azure Container Instances (ACI) service. I created an ARM template so you can deploy an instance in a single step. Get the ARM template from GitHub.
The Template, explained
The ARM template, as published on GitHub, has some parameters to allow customization, so you can deploy multiple instances if needed. It then deploys everything required in one go.
Here’s how it works:
- It creates a new Resource Group or uses an existing one.
- It creates a new storage account with 3 volumes: 2 volumes for the Pi-hole, and 1 for the nginx configuration.
- It creates a new container group, with one container for the Pi-hole image and one for the nginx sidecar image:
  - The latest Docker image (pihole/pihole:latest) from Docker Hub
  - The nginx sidecar container to enable HTTPS (via TLS, formerly SSL) for the admin GUI access
- The container group only publicly exposes these ports:
  - 443 (for the admin GUI, via nginx, passed to Pi-hole port 80 internally)
  - 53 (for the DNS queries, passed to Pi-hole port 53)
- Port 67 (for DHCP) is not used in my scenario, and port 80 is only used within the container group.
- The nginx volume contains a pre-created and preloaded SSL public and private key and a self-signed certificate for use within the nginx container. With this, you can connect using HTTPS (using TLS) to the Pi-hole admin GUI. NOTE: the key is pre-created and ships with the template, so it is not secret. For use beyond test purposes, you should replace this key and certificate with your own for privacy reasons.
- The public IP address is determined automatically by the Azure deployment process and is not required within the template. It stays the same as long as the container group runs in ACI.
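To confirm before deployment that a template really exposes only the ports listed above, you can lint its JSON. The following is an added example, not part of the template on GitHub; the sample resource, the group name pihole-group and the choice to allow DNS on both UDP and TCP are assumptions.

```python
import json

# Ports the page says are exposed publicly: 443 (admin GUI via nginx) and 53 (DNS).
# Assumption: DNS is allowed over both UDP and TCP.
ALLOWED = {(443, "TCP"), (53, "UDP"), (53, "TCP")}

# Constructed sample resource, not the template from the GitHub repository.
# It deliberately exposes port 80 so the check has something to report.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "name": "pihole-group",
      "properties": {
        "ipAddress": {
          "type": "Public",
          "ports": [
            {"protocol": "TCP", "port": 443},
            {"protocol": "UDP", "port": 53},
            {"protocol": "TCP", "port": 80}
          ]
        }
      }
    }
  ]
}
""")


def public_ports(template):
    """Yield (group name, port, protocol) for each port on a public IP address."""
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.ContainerInstance/containerGroups":
            continue
        ip = res.get("properties", {}).get("ipAddress", {})
        if ip.get("type") != "Public":
            continue
        for entry in ip.get("ports", []):
            yield res.get("name"), entry.get("port"), str(entry.get("protocol", "TCP")).upper()


def unexpected_ports(template, allowed=ALLOWED):
    """Return sorted 'group: port/PROTO' strings for public ports outside the allow-list."""
    return sorted(f"{name}: {port}/{proto}"
                  for name, port, proto in public_ports(template)
                  if (port, proto) not in allowed)


if __name__ == "__main__":
    for finding in unexpected_ports(SAMPLE_TEMPLATE):
        print("unexpected public port:", finding)
```

A port given as a template expression instead of a number is also reported, since it cannot be matched against the allow-list without resolving the parameter.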
After deployment, the container group should start running automatically. Get the IP address from the container group details. You can then go to the admin panel as usual via
https://your-ip-address/admin
Known limitations
Database access for storing the blacklist, as well as the Teleporter, does not work.