Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
I could not find any official MS document supporting this design.
The one you shared is a blog without Authentication, so we cannot be sure if we could design such an infrastructure.
With that said, please note these 3 points, as they are important:
- You are hitting the standard hostname issues with a reverse proxy.
- From AFD's perspective, you are using an ILB as the private endpoint, and it has no awareness of Container Apps acting as the backend.
- You have deployed Container Apps in Internal Mode, which means you cannot have direct authentication from Entra (as you don't have public access).
Your observation is correct: the authentication issue is because of incorrect redirect URLs.
Suggestion:
- You should consider using a custom domain, both in AFD and in the internal Container Apps.
- Let's consider this as "app.contoso.com".
- This way, the hostname between the client and AFD and between AFD and the ILB will remain the same.
From the Container Apps side,
- I see Container Apps supports custom domains, with some additional configuration required for internal Container Apps.
- Once this is done, your container app can accept requests with the hostname "app.contoso.com".
From the AFD side,
- AFD is straightforward.
- Configure a custom domain on Azure Front Door.
- Also make sure you enable HTTPS on this custom domain.
- Now AFD can accept requests with the hostname "app.contoso.com".
From the Entra side,
- Now the callback URL can use the hostname "app.contoso.com" without any issue.
To address your queries,
- "Altering the origin host header configuration in Front Door to an empty string results in a 404."
  - Yes, and this is expected.
  - This is because of SNI.
  - Without using a custom domain on the PaaS service, you cannot use a different or blank hostname.
- "I think I may need to mess with the request/response headers."
  - No, this is not recommended.
  - You may end up with issues in the long run.
  - Also, I doubt the PaaS (both AFD and Container Apps) gives you such features.
Again, the solution I proposed is merely a suggestion; please validate the setup in a Test/Dev environment before moving to production.
Kindly let us know if this helps or if you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
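The following is an added example, not part of the answer above: a small model of why the redirect URL breaks when AFD forwards a different Host header to the internal Container App, and why one custom domain end to end fixes it. All hostnames, the callback path and the registered URIs are constructed for illustration.

```python
"""Constructed model of the redirect-URL problem: the app builds its sign-in
callback from the Host header it actually receives, and Entra ID compares that
value against the registered redirect URIs with an exact match."""
from urllib.parse import urlsplit

# Callback path of the built-in authentication feature (assumed for the example).
CALLBACK_PATH = "/.auth/login/aad/callback"


def build_redirect_uri(forwarded_host: str, scheme: str = "https") -> str:
    """What the app sends to Entra: it only knows the Host header the proxy forwarded."""
    if not forwarded_host:
        raise ValueError("empty Host header: the origin cannot route or build a URL")
    return f"{scheme}://{forwarded_host}{CALLBACK_PATH}"


def entra_accepts(redirect_uri: str, registered: set[str]) -> bool:
    """Exact match on scheme, host and path, as the identity provider checks it."""
    r = urlsplit(redirect_uri)
    return any(
        (r.scheme, r.netloc.lower(), r.path) == (u.scheme, u.netloc.lower(), u.path)
        for u in map(urlsplit, registered)
    )


def check_chain(client_host: str, origin_host_header: str, registered: set[str]) -> dict:
    """Evaluate one Client -> AFD -> ILB/Container App -> Entra configuration."""
    redirect_uri = build_redirect_uri(origin_host_header)
    return {
        "redirect_uri": redirect_uri,
        "host_preserved": client_host.lower() == origin_host_header.lower(),
        "entra_accepts": entra_accepts(redirect_uri, registered),
    }


# Scenario 1 (constructed): AFD forwards the Container App's default internal FQDN.
# Entra rejects the URI, and even if it did not, the browser could never reach that host.
BROKEN = check_chain(
    client_host="contoso-afd.z01.azurefd.net",
    origin_host_header="myapp.internal.purple-field-1234.eastus.azurecontainerapps.io",
    registered={"https://contoso-afd.z01.azurefd.net" + CALLBACK_PATH},
)

# Scenario 2 (constructed): one custom domain on AFD and on the internal Container App,
# so the same hostname is seen end to end and is the one registered in Entra.
FIXED = check_chain(
    client_host="app.contoso.com",
    origin_host_header="app.contoso.com",
    registered={"https://app.contoso.com" + CALLBACK_PATH},
)
```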