How can I access my container app via VPN?

Ben McFadden 31 Reputation points
2023-11-30T05:31:31.09+00:00

I have created a container app in a container apps environment (container-app-env) that's configured for internal access only. Its VNET is a custom one (container-vnet).

I have peered container-vnet with hub-vnet.

hub-vnet has a virtual network gateway with a point-to-site VPN configured.

I have created a private DNS zone and linked it with both VNETs.

I have created an A record in the private DNS zone for container-app-env's static IP address.

When connected via the VPN I cannot access container-app-env. I can't ping its IP address. I can, however, ping the IP addresses of virtual machines residing in container-vnet that were auto-registered in the private DNS zone.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,450 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,289 questions
Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
338 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Deepanshukatara-6769 7,905 Reputation points
    2023-11-30T05:53:11.9033333+00:00

    Hi , hope doing well

    To answer your query please check below

    Virtual network integration depends on a dedicated subnet. How IP addresses are allocated in a subnet and what subnet sizes are supported depends on which plan you're using in Azure Container Apps.

    I think you are using dedicated subnet with your custom vnet and if so Your subnet must be delegated to Microsoft.App/environments.

    Once you will do this , please check again and let us know the result.

    Please check below link which explain in detail

    https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#user-defined-routes-udr

    Accept answer if it helps , Thanks!


  2. TP 83,711 Reputation points
    2023-11-30T14:38:36.1533333+00:00

    Hi Ben,

    It is normal not to be able to ping internal only container app. Are you able to connect to your container app on port 80 (I'm assuming you have 80 allowed by default)?

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


  3. GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee
    2023-12-01T12:38:43.04+00:00

    Hello @Ben McFadden ,

    I understand that are unable to access the container app environment which resides in a peered Vnet over point to site VPN.

    Initially you mentioned that you are unable to ping the IP address, so we checked if you have transit gateway option enabled in your Vnet peering. You confirmed that the option is enabled, and you also determined that you could connect to the container app environment's IP address via netcat, so this seems to be a DNS issue.

    Yes, if you are trying to connect to an Azure hostname or private endpoint FQDN from on-premises, then it is a DNS issue, and this is a by design behavior.

    Accessing private endpoint connected resource via P2S VPN is possible but needs some additional DNS configurations.

    For on-premises workloads to resolve the Azure hostname or FQDN of a private endpoint, you must use a DNS forwarder in Azure, which in turn is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises.

    If you check the table in Name resolution for resources in Azure virtual networks article, you can find the below:

    User's image

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat

    It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.

    You can use the following options to configure your DNS settings for private endpoints:

    • Use the host file (only recommended for testing)
    • Use a private DNS zone.
    • Use Azure Private Resolver or DNS forwarder (optional).

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

    For testing purpose, you can have host file entry on your point to site client machine for the private endpoint with IP address.

    ex: 10.1.0.4 myregistry.privatelink.azurecr.io

    But the recommended approach for production setups is to configure your on-premises DNS solution to forward DNS traffic to Azure DNS via a conditional forwarder that references the DNS forwarder deployed in Azure.

    For P2S VPN clients to be able to resolve Private Endpoint entries hosted on Azure Private DNS Zones, you must leverage an existing DNS Server (Forwarder or Proxy) or deploy one IaaS VM using a DNS Server role. That is required for P2S VPN clients to be able to consume Azure Private DNS Zone which is exposed to 168.63.129.16 via DNS Forwarder/Proxy.

    Once you have a DNS forwarder/proxy deployed on Azure, you can define the DNS server at the VNET level or set DNS Server configuration directly on client XLM profile. Post this, you will be able to resolve Private Endpoint entries from your P2S clients.

    Refer: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-P2S

    https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-dns-servers

    As of today, Azure DNS Private Resolver service is the recommended Azure managed service that can resolve DNS queries without the need for a virtual machine acting as a DNS forwarder. For on-premises workloads to resolve the FQDN of a private endpoint, you can use Azure Private Resolver.

    Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#azure-private-resolver-for-on-premises-workloads

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.