Difference between HTTP and HTTPs health probes in Azure Container Apps

Question

Difference between HTTP and HTTPs health probes in Azure Container Apps

RajivBansal-2486 331

Hello,

I want to understand the difference between the HTTP and HTTPs health probes in Azure container apps. My understanding is that certificates are terminated at envoy proxy. Communication from envoy proxy to containers and direct communication from container to container always happen on HTTP not HTTPs.

So are HTTPs health probes routed through envoy proxy? Are HTTP health probes routed through envoy proxy or directly to container?

Is there is recommendation regarding which one should be used - HTTP or HTTPs?

Thanks!

RajivBansal-2486 331 Reputation points

2025-05-27T04:41:50.21+00:00

Thanks for the information

1 answer

Your answer

RajivBansal-2486 331 Reputation points

2025-05-27T04:41:50.21+00:00

Thanks for the information

Answer 1

@RajivBansal-2486 ,

In Azure Container Apps, both HTTP and HTTPS health probes are routed through the Envoy proxy, not directly to your container. This is true even for HTTP, which might seem counterintuitive at first. The Envoy proxy sits in front of your container and handles things like request routing, retries, metrics, and TLS termination (for HTTPS).

So when you configure an HTTPS health probe, it hits the Envoy proxy using TLS, and Envoy then forwards the request to your container over plain HTTP. Your container itself doesn’t need to handle HTTPS — that’s entirely managed by Envoy.

On the other hand, if you configure an HTTP probe, it also goes through Envoy — just without the TLS handshake — and still gets forwarded to your container over HTTP.

As for which to use:

HTTP is generally recommended unless you specifically need to validate that TLS is working properly at the Envoy layer (e.g., for compliance or testing HTTPS behavior).

Using HTTPS adds a bit of overhead and doesn’t provide additional security between Envoy and the container since that leg of the communication is still HTTP.

In short: both types of probes hit Envoy, and your container always sees plain HTTP. HTTPS is only necessary if you want to ensure the TLS layer is functioning as expected at the proxy level.

Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for "Was this answer helpful." And if you have any further questions, let us know.

Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-05-27T14:10:06.43+00:00

@RajivBansal-2486 ,

thank you for the upvote! 😊 If the suggestion was helpful, please consider clicking "Accept Answer" – this can help others in the community find useful guidance more easily. Let me know if you have any further questions!
RajivBansal-2486 331 Reputation points

2025-06-24T11:26:10.23+00:00

Hi @Khadeer Ali

I checked the health probes and they seem to go directly to the container instead of going through envoy proxy. Reason is that my application is running on port 3000. Health probes are going on port 3000 instead of 443.

Related to this, in case HTTPs health probes are used then the container itself should support HTTPs rather than just envoy proxy terminating the ssl.

Please check and confirm the above findings.

Regards,

Rajiv

Share via

Difference between HTTP and HTTPs health probes in Azure Container Apps

1 answer

Your answer