Unable to Connect Backend in Azure Container App to MySQL Flexible Server

Question

Unable to Connect Backend in Azure Container App to MySQL Flexible Server

Tariq Ghouri 40

Suggested configuration changes (DNS, subnet, environment flags) to allow backend to reach MySQL privately while still keeping frontend app publicly accessibleDescription:
Suggested configuration changes (DNS, subnet, environment flags) to allow backend to reach MySQL privately while still keeping frontend app publicly accessibleDescription: We have deployed a backend service inside an Azure Container App Environment (CAE) that is VNet-integrated with our spoke VNet. The backend needs to connect to a MySQL Flexible Server (private access only) deployed in the same VNet. However, the connection is failing. Environment & Design Details:
- Container App Environment (CAE):
- Name: rm-cae-self-hosted
- Region: UK South
- Integrated subnet: /subnets/rm-aca-workload-subnet-dev inside VNet rm-spoke-vnet-dev
- Currently not internal-only (internal: false), so ingress is public.
- Container Apps:
- Backend (rm-self-hosted-agent) — requires DB connectivity.
- Frontend — intended to be public.
- Database:
- Azure Database for MySQL Flexible Server
- Private access only
- Private DNS zone linked with the VNet.
- Connection string uses SslMode=Required.
- Networking Symptoms:
- From inside the backend container, /etc/resolv.conf shows nameserver 127.0.0.11, so DNS is handled internally by Container Apps (K8s runtime).
- The backend resolves the DB host directly to the private IP instead of using the private DNS zone.
- Outbound IPs for CAE are confirmed, but DB connection attempts still fail.
- Application Logs:
- Show Entity Framework / MySQL client errors during connection.
- Confirms DB connection string is being picked up correctly.

0 comments

1 answer

Your answer

Answer 1

Add an internal DNS suffix to the Container App Environment and use a private DNS zone for the MySQL Flexible Server. You'll need to configure the Container App to use the private DNS zone for name resolution.

Container App Environment (CAE)

Modify the Container App Environment to be VNet-integrated. This allows the backend to resolve private endpoints within the virtual network. However, since the front end needs to remain public, you should keep the ingress as public. The key change is to ensure that the CAE is configured to properly use the VNet's DNS settings.

Private DNS Zone

Link the Private DNS Zone for your MySQL Flexible Server to the virtual network where your Container App is deployed. This is crucial for name resolution. The CAE will then be able to resolve the private endpoint of the MySQL server. The DNS zone should have an A record that maps the MySQL server's hostname to its private IP address.

Frontend and Backend

To allow the backend to connect privately while keeping the frontend public, ensure the backend container app is configured to use the VNet-integrated CAE. The frontend container app can remain in the same environment and use public ingress. The VNet integration applies to the entire CAE, but you can control public access for individual apps.

Environment Flags

You may need to explicitly configure the container app to use the private DNS zone. In some cases, the container's /etc/resolv.conf may not automatically pick up the VNet's DNS settings. You can try to set an environment variable or a startup command within the container to point to the correct DNS server, which would be the VNet's DNS resolver IP.

For the backend: The connection string should use the fully qualified domain name (FQDN) of the MySQL server, not its private IP directly. The private DNS zone will handle the resolution to the private IP.

For the frontend: No changes are required.

Summary of Fix

Verify that the Azure DNS Private Zone for MySQL is linked to the spoke VNet. If it isn't, link it.

Ensure that your Container App is deployed in a VNet-integrated Container App Environment.

Ensure the connection string in the backend app is using the fully qualified domain name (FQDN) of the MySQL server and not its private IP address.

If the issue persists, check the networking settings of the CAE to confirm it's using the VNet's DNS, or manually configure the container's DNS settings.

Tariq Ghouri 40 Reputation points

2025-09-23T14:07:55.0266667+00:00

Dear Jesse Johnson,Thanks for the detailed explanation. Here’s what we’ve already verified and where we’re still blocked:

The private DNS zone privatelink.mysql.database.azure.com is already linked to the VNet rm-spoke-vnet-dev.

The Container App Environment rm-cae-self-hosted is VNet-integrated with subnet /subnets/rm-aca-workload-subnet-dev.

The MySQL Flexible Server FQDN rm-dev-db.privatelink.mysql.database.azure.com correctly resolves to 10.5.2.5 when queried manually against 168.63.129.16.

However, inside the backend container app (rm-self-hosted-agent), /etc/resolv.conf always points to 127.0.0.11 instead of the VNet DNS resolver. Because of this, MySQL client connections fail with Unknown server host.

We’ve Already Tried

DNS Overrides in Container App

Added dnsConfig.nameservers in the container app template to force private DNS resolution.
Verified /etc/resolv.conf inside container — still resolving to public IP instead of private endpoint.

Direct Private IP Connection (Works)

Connected to MySQL using private endpoint IP 10.5.2.5:3306 from BE container.

Successful connection — confirms networking and routing are correct.

But using MySQL FQDN still resolves to the public IP, breaking private connectivity.

Testing with DNS Tools

Ran dig <mysql-hostname> and nslookup inside BE container.

Always resolves to the public IP, never the private endpoint IP.

Container App Restart & Redeploy Restarted BE container app multiple times after DNS changes. Issue persists — still resolving MySQL hostname to public IP.

Share via

Unable to Connect Backend in Azure Container App to MySQL Flexible Server

1 answer

Your answer