To securely communicate with external Azure resources from your Azure Container App, consider the following approaches:
- IP Restrictions: You can configure IP restrictions for ingress traffic to limit access to your container app. This allows you to specify which IP addresses are allowed or denied access, ensuring that only trusted sources can communicate with your app.
- Virtual Network Integration: If your external resources are within a Virtual Network (VNet), you can integrate your container app with a custom VNet. This allows secure communication between your container app and other Azure resources without exposing them to the public internet.
- Service Endpoints: Use Azure Service Endpoints to secure your Azure SQL and PostgreSQL servers. This allows you to restrict access to these resources to only the VNet where your container app is integrated.
- Private Link: Consider using Azure Private Link to access Azure services privately. This allows you to connect to Azure SQL and PostgreSQL servers over a private endpoint in your VNet, enhancing security by keeping traffic off the public internet.
By implementing these strategies, you can effectively secure the communication between your Azure Container App and external Azure resources.
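
To check from inside the container app which path a database connection will actually take, the following added example (not part of the original answer) resolves each dependency's FQDN and classifies the result against the VNet address space. The server names and the `10.0.0.0/16` range are hypothetical placeholders.

```python
import ipaddress
import socket

# RFC 1918 ranges; a private endpoint's network interface gets an address from one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(host, port=1433):
    """Resolve host to a sorted list of unique IP strings (empty on DNS failure)."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses, vnet_cidr):
    """Classify where a dependency's FQDN points, as seen from inside the app.

    private-in-vnet      : every address is inside the app's VNet (Private Link in effect)
    private-outside-vnet : private addresses outside this VNet (e.g. a peered network)
    public               : at least one public address; expected with Service Endpoints,
                           which restrict by subnet but keep the service's public IP
    """
    if not addresses:
        return "unresolved"
    vnet = ipaddress.ip_network(vnet_cidr)
    ips = [ipaddress.ip_address(a) for a in addresses]
    if all(ip in vnet for ip in ips):
        return "private-in-vnet"
    if all(any(ip in r for r in RFC1918) for ip in ips):
        return "private-outside-vnet"
    return "public"


def audit(targets, vnet_cidr, resolver=resolve):
    """Return {host: verdict} for each (host, port) pair."""
    return {host: classify(resolver(host, port), vnet_cidr) for host, port in targets}


if __name__ == "__main__":
    # Hypothetical server names and VNet range; replace with your own.
    targets = [("myserver.database.windows.net", 1433),
               ("mypg.postgres.database.azure.com", 5432)]
    for host, verdict in audit(targets, "10.0.0.0/16").items():
        print(f"{host}: {verdict}")
```

A `public` verdict for a server you expected to reach over Private Link usually means the private DNS zone is not linked to the VNet, so the name still resolves to the service's public address.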