Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In this article, you learn how to deploy an Azure Container Apps environment in a custom virtual network with an internal virtual IP (VIP) and public network access disabled. You then expose the environment securely through Azure Front Door Premium by using Private Link and private endpoints. This configuration provides a secure inbound path to your container apps while supporting zone redundancy.
Important
There are more charges for enabling private endpoints in both the Dedicated and Consumption plans.
Prerequisites
Azure account with an active subscription.
- If you don't have one, create one for free.
This feature only supports workload profile environments.
Make sure the
Microsoft.Cdnresource provider is registered for your subscription.- Sign in to the Azure portal.
- Go to your subscription page and select Settings > Resource providers.
- Select Microsoft.Cdn from the provider list.
- Select Register.
Architecture
The workload profiles environment type supports the combination of custom virtual network integration, private endpoints, and zone redundancy.
The following list describes how inbound traffic flows from the user to your container app:
A user connects to the Azure Front Door edge.
Azure Front Door forwards traffic to the origin over Private Link.
Traffic arrives at the private endpoint IP address in the workload virtual network (for example,
10.0.2.4).The private endpoint connects to the internal Container Apps environment.
Within the virtual network, the environment uses an internal load balancer (ILB) VIP (for example,
10.0.0.165) to reach the ingress controller.The ingress controller routes traffic to the correct container app, revision, and replica based on host headers and ingress configuration.
Design considerations
Keep the following design decisions in mind when you plan your deployment:
| Decision | Recommendation | Reason |
|---|---|---|
| Container Apps subnet size | /23 |
Provides room for scaling replicas and nodes. |
| Private endpoint subnet | Separate, nondelegated subnet (for example, /24) |
Private endpoints can't share a delegated subnet. |
| Front Door SKU | Premium | Required for Private Link origins. |
Create the virtual network and subnets
Create a virtual network with two subnets: one delegated to the Container Apps environment and one for private endpoints.
Search for Virtual networks in the top search bar.
Select Virtual networks in the search results.
Select Create.
In Create virtual network, in the Basics tab, enter the following values.
Setting Action Subscription Select your Azure subscription. Resource group Select Create new and enter a name (for example, my-container-apps). Virtual network name Enter a name (for example, my-vnet). Region Select your target region. Select the IP addresses tab.
Configure the address space (for example,
10.0.0.0/16).Create two subnets with the following configuration:
Subnet name Address range Delegation Purpose container-apps-subnet For example, 10.0.0.0/23Microsoft.App/environmentsHosts the Container Apps environment. private-endpoint-subnet For example, 10.0.2.0/24None Hosts private endpoints. Select Review + create, and then select Create.
Create the container app and environment
Create a Container Apps environment with internal ingress in your custom virtual network, and then deploy a container app to the environment.
Create the container app
Search for Container Apps in the top search bar.
Select Container Apps in the search results.
Select Create.
In Create Container App, use the Basics tab to enter the following values.
Setting Action Subscription Select your Azure subscription. Resource group Select the resource group you created (for example, my-container-apps). Container app name Enter a name (for example, my-container-app). Deployment source Select Container image. Region Select the same region as your virtual network. In Container Apps Environment, select Create new environment.
Configure the environment
In Create Container Apps Environment, in the Basics tab, enter the following values.
Setting Action Environment name Enter a name (for example, my-environment). Zone redundancy Select Enabled (if available and required). Select the Workload profiles tab, and add at least one workload profile (for example, D4). Set the autoscaling instance count range.
Select the Networking tab and enter the following values.
Setting Action Public network access Select Disable: Block all incoming traffic from the public internet. Use your own virtual network Select Yes. Virtual network Select the virtual network you created (for example, my-vnet). Infrastructure subnet Select the delegated subnet (for example, container-apps-subnet). Virtual IP Select Internal. Enable private endpoints Select Yes. Private endpoint subnet Select private-endpoint-subnet. DNS Select Azure Private DNS zone. Select Create to create the environment.
Configure and deploy the container app
On Create Container App, select the Container tab.
Select Use quickstart image for testing, or clear the checkbox and provide your own container image.
Note
The quickstart image enables ingress automatically. If you don't use the quickstart image, make sure you enable ingress so that your container app can accept traffic from Azure Front Door through the private endpoint.
Select Review + create, and then select Create.
Verify the environment deployment
Before you create the Azure Front Door profile, confirm that the environment is configured correctly.
Go to the resource group you created and open the Container Apps environment resource.
Select Networking.
Verify the following settings:
Setting Expected value Public network access Disabled Virtual IP Internal (note the IP address) Private endpoint connections At least one connection exists and is approved
Create the Azure Front Door Premium profile
Create an Azure Front Door Premium profile to route inbound traffic to your internal container app over Private Link.
Search for Front Door and CDN profiles in the top search bar.
Select Front Door and CDN profiles in the search results.
Select Create.
Select Azure Front Door and Quick Create.
Select the Continue to create a Front Door button.
In Create a Front Door profile, in the Basics tab, enter the following values.
Setting Action Resource group Select the resource group you created (for example, my-container-apps). Name Enter a profile name (for example, my-afd-profile). Tier Select Premium. Private Link isn't supported for origins on the Standard tier. Endpoint name Enter an endpoint name (for example, my-afd-endpoint). Origin type Select Container Apps. Origin host name Select your container app environment. Enable private link service Enable this setting. Region Select the region of your container app. Target sub resource Select managedEnvironments. Request message Enter a message (for example, AFD Private Link Request). Select Review + create, and then select Create.
After the deployment finishes, select Go to resource and find your Endpoint hostname. Your hostname looks like the following example. Make a note of this hostname.
my-afd-endpoint.<HASH>.b01.azurefd.net
Approve the private endpoint connection
After you deploy Azure Front Door, approve the incoming private endpoint connection request from the Container Apps environment.
Go to the Container Apps environment resource in the Azure portal.
Select Settings > Networking.
Select the link for private endpoint connection requests.
Select the pending connection with the description you provided (for example, AFD Private Link Request).
Select Approve.
Wait for the status to change to Approved.
Note
Azure Front Door has a known problem where it might create multiple private endpoint connection requests. Approve each request with the matching description.
Validate the connection
After you approve the private endpoint connection, verify that traffic reaches your container app through Azure Front Door.
Browse to the Azure Front Door endpoint hostname you recorded earlier.
Verify that your application loads correctly.
Confirm that direct access to the container app's default domain fails, since public access is disabled.
Verify that DNS resolution for the environment domain resolves to the private IP address within the virtual network.
Note
Global deployment might take a few minutes to propagate. If you don't see the expected output, wait a few minutes and then refresh.
Troubleshoot common problems
The following table describes common problems and their resolutions:
| Problem | Resolution |
|---|---|
| Subnet validation errors | Ensure the Container Apps subnet is delegated to Microsoft.App/environments and meets the minimum size requirements. |
| Private endpoint creation failure | Ensure the private endpoint is in a separate, nondelegated subnet. |
| Front Door origin returns an error | Verify that the private endpoint connection is approved in the Container Apps environment. It might take a few minutes for the connection to become active. |
| Container app is publicly accessible | Verify that Public network access is set to Disabled in the Container Apps environment networking settings. |
Clean up resources
If you don't plan to continue using this application, you can delete the container app and all the associated services by removing the resource group.
Select your resource group from the Overview section.
Select the Delete resource group button at the top of the resource group Overview.
Enter the resource group name in the confirmation dialog.
Select Delete.
The process to delete the resource group can take a few minutes.
Tip
Having problems? Let us know on GitHub by opening an issue in the Azure Container Apps repo.