Front Door with Azure Container Apps and Private Link - enabling authentication

Michael Cameron 502 Reputation points
2024-05-30T13:38:40.4833333+00:00

I want to set up private Container Apps with authentication which can be accessed via Front Door.

I have a private Azure Container App, i.e. an App running in Azure Container Apps Environment internally. That is exposed via Azure Front Door by using a custom origin configured as a Private Link to the load balancer.
That is all described here:
https://techcommunity.microsoft.com/t5/fasttrack-for-azure/integrating-azure-front-door-waf-with-azure-container-apps/bc-p/4156029#M914

With no authentication it all works fine.

If I enable authentication on the app (using default settings for Microsoft provider) what else do I need to do?

Without making any additional changes I get prompted to login but when I do I get a "site can't be reached" error. Obviously the callback URI value is based on the container app which is private so unavailable (no surprise there).

Modifying the Web Redirect URIs for the app in Entra to add a callback based on the frontdoor endpoint results in the same.
Removing the default so the only callback URI is based on frontdoor results in a mismatch between the redirect URIs for the request and the application:

AADSTS50011: The redirect URI '<uri based on CA url>' specified in the request does not match the redirect URIs configured for the application.

The error message directs you to https://aka.ms/redirectUriMismatchError which basically says to try what I already tried (add a redirect URI).

Altering the origin host header configuration in frontdoor to an empty string results in a 404.

I think I may need to mess with the request/response headers. As you can probably tell by my description of that process, I haven't quite worked that out.

Any suggestions?


1 answer

  1. KapilAnanth-MSFT 38,706 Reputation points Microsoft Employee
    2024-05-31T06:02:18.9133333+00:00

    @Michael Cameron ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I could not find any official MS document supporting this design.

    The one you shared is a blog without Authentication, so we cannot be sure if we could design such an infrastructure.

    With that said,

    Please note these 3 points as they are important

    Your observation is correct: the authentication issue is because of incorrect redirect URLs.

    Suggestion:

    • You should consider using a custom domain, both in AFD and Internal Container Apps
      • Let's consider this as "app.contoso.com"
    • This way, the host name between Client to AFD and AFD to the ILB will remain the same.

    From Container Apps side,

    From AFD side,

    From Entra side,

    • Now, the call back URL can use the hostname "app.contoso.com" without any issue.

    To address your queries,

    1. Altering the origin host header configuration in frontdoor to an empty string results in a 404
      1. Yes, and it is expected
      2. This is because of SNI
      3. Without you using a custom domain on the PaaS Service, you cannot use a different or blank host name
    2. I think I may need to mess with the request/response headers.
      1. No, this is not recommended
      2. You may end up with issues in the long run.
      3. Also, I doubt the PaaS (both AFD and Container Apps) gives you such features

    Again, the solution I proposed is merely a suggestion and please validate the set up in a Test/Dev environment before moving to production.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
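The following is an added illustration of the mechanism behind the thread, not code from either participant or from Microsoft. It models how the Easy Auth callback URI ends up on the private Container App hostname when Front Door forwards the default origin host header, why registering the Front Door endpoint as the only redirect URI produces AADSTS50011, and why a single custom domain on both sides resolves it. It assumes that the origin derives `redirect_uri` from the Host header it receives (the Front Door "origin host header" setting), that Entra compares redirect URIs by exact string match, and that the Microsoft-provider callback path is `/.auth/login/aad/callback`; all hostnames are constructed sample values.

```python
"""Model of Easy Auth redirect-URI derivation behind Azure Front Door.

Added example, not code from the Q&A thread. Assumptions (not verified here):
  * the origin builds redirect_uri from the Host header it receives, i.e. from
    Front Door's "origin host header" setting;
  * Entra requires an exact string match against the registered redirect URIs;
  * the Easy Auth Microsoft-provider callback path is /.auth/login/aad/callback.
All hostnames below are constructed sample values.
"""
from dataclasses import dataclass, field

CALLBACK_PATH = "/.auth/login/aad/callback"

# Constructed sample hostnames.
AFD_ENDPOINT = "myapp-abc123.z01.azurefd.net"
CA_INTERNAL_FQDN = "myapp.internal.proudforest-1a2b3c4d.eastus.azurecontainerapps.io"
CUSTOM_DOMAIN = "app.contoso.com"


@dataclass
class FrontDoorOrigin:
    public_host: str             # hostname the browser talks to (AFD endpoint or custom domain)
    origin_host_header: str      # Host header AFD sends to the Container App origin
    private_origin: bool = True  # origin is reachable only through Private Link


@dataclass
class EntraAppRegistration:
    redirect_uris: set[str] = field(default_factory=set)


def derive_callback_uri(origin: FrontDoorOrigin) -> str:
    """redirect_uri the app sends to Entra, built from the forwarded Host header."""
    return f"https://{origin.origin_host_header}{CALLBACK_PATH}"


def evaluate_login(origin: FrontDoorOrigin, app: EntraAppRegistration) -> str:
    """Return 'ok', 'AADSTS50011' (redirect URI mismatch) or 'unreachable'."""
    callback = derive_callback_uri(origin)
    if callback not in app.redirect_uris:
        return "AADSTS50011"
    # Entra accepts the URI and sends the browser there. The browser can only reach
    # it if that host is the public one it already reaches through Front Door.
    if origin.private_origin and origin.origin_host_header != origin.public_host:
        return "unreachable"
    return "ok"


def preflight(origin: FrontDoorOrigin, app: EntraAppRegistration) -> list[str]:
    """Configuration findings a practitioner would check before enabling auth."""
    findings = []
    if origin.origin_host_header != origin.public_host:
        findings.append("origin host header differs from the public hostname; "
                        "use the same custom domain on AFD and the Container App")
    expected = f"https://{origin.public_host}{CALLBACK_PATH}"
    if expected not in app.redirect_uris:
        findings.append(f"Entra app registration lacks redirect URI {expected}")
    return findings


def scenario_default() -> str:
    """Default settings: origin host header is the internal FQDN, default redirect URI."""
    origin = FrontDoorOrigin(AFD_ENDPOINT, CA_INTERNAL_FQDN)
    app = EntraAppRegistration({f"https://{CA_INTERNAL_FQDN}{CALLBACK_PATH}"})
    return evaluate_login(origin, app)


def scenario_both_uris_registered() -> str:
    """Adding the Front Door callback alongside the default changes nothing."""
    origin = FrontDoorOrigin(AFD_ENDPOINT, CA_INTERNAL_FQDN)
    app = EntraAppRegistration({f"https://{CA_INTERNAL_FQDN}{CALLBACK_PATH}",
                                f"https://{AFD_ENDPOINT}{CALLBACK_PATH}"})
    return evaluate_login(origin, app)


def scenario_frontdoor_uri_only() -> str:
    """Only the Front Door callback registered: Entra rejects the request."""
    origin = FrontDoorOrigin(AFD_ENDPOINT, CA_INTERNAL_FQDN)
    app = EntraAppRegistration({f"https://{AFD_ENDPOINT}{CALLBACK_PATH}"})
    return evaluate_login(origin, app)


def scenario_custom_domain() -> str:
    """Same custom domain on AFD and the Container App, callback registered on it."""
    origin = FrontDoorOrigin(CUSTOM_DOMAIN, CUSTOM_DOMAIN)
    app = EntraAppRegistration({f"https://{CUSTOM_DOMAIN}{CALLBACK_PATH}"})
    return evaluate_login(origin, app)


if __name__ == "__main__":
    for fn in (scenario_default, scenario_both_uris_registered,
               scenario_frontdoor_uri_only, scenario_custom_domain):
        print(f"{fn.__name__:32s} -> {fn()}")
```

The `preflight` function is the check to run before flipping authentication on: it flags a host-header mismatch between Front Door and the origin, and a missing redirect URI for the public hostname, which together account for both symptoms reported in the question.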