How can I access my container app via VPN?

Question

I have created a container app in a container apps environment (container-app-env) that's configured for internal access only. Its VNET is a custom one (container-vnet).

I have peered container-vnet with hub-vnet.

hub-vnet has a virtual network gateway with a point-to-site VPN configured.

I have created a private DNS zone and linked it with both VNETs.

I have created an A record in the private DNS zone for container-app-env's static IP address.

When connected via the VPN I cannot access container-app-env. I can't ping its IP address. I can, however, ping the IP addresses of virtual machines residing in container-vnet that were auto-registered in the private DNS zone.

Answer 1

Hi , hope doing well

To answer your query please check below

Virtual network integration depends on a dedicated subnet. How IP addresses are allocated in a subnet and what subnet sizes are supported depends on which plan you're using in Azure Container Apps.

I think you are using dedicated subnet with your custom vnet and if so Your subnet must be delegated to Microsoft.App/environments.

Once you will do this , please check again and let us know the result.

Please check below link which explain in detail

https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#user-defined-routes-udr

Accept answer if it helps , Thanks!

Answer 2

Hi Ben,

It is normal not to be able to ping internal only container app. Are you able to connect to your container app on port 80 (I'm assuming you have 80 allowed by default)?

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Answer 3

Hello @Ben McFadden ,

I understand that are unable to access the container app environment which resides in a peered Vnet over point to site VPN.

Initially you mentioned that you are unable to ping the IP address, so we checked if you have transit gateway option enabled in your Vnet peering. You confirmed that the option is enabled, and you also determined that you could connect to the container app environment's IP address via netcat, so this seems to be a DNS issue.

Yes, if you are trying to connect to an Azure hostname or private endpoint FQDN from on-premises, then it is a DNS issue, and this is a by design behavior.

Accessing private endpoint connected resource via P2S VPN is possible but needs some additional DNS configurations.

For on-premises workloads to resolve the Azure hostname or FQDN of a private endpoint, you must use a DNS forwarder in Azure, which in turn is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises.

If you check the table in Name resolution for resources in Azure virtual networks article, you can find the below:

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat

It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.

You can use the following options to configure your DNS settings for private endpoints:

• Use the host file (only recommended for testing)
• Use a private DNS zone.
• Use Azure Private Resolver or DNS forwarder (optional).

Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

For testing purpose, you can have host file entry on your point to site client machine for the private endpoint with IP address.

ex: 10.1.0.4 myregistry.privatelink.azurecr.io

But the recommended approach for production setups is to configure your on-premises DNS solution to forward DNS traffic to Azure DNS via a conditional forwarder that references the DNS forwarder deployed in Azure.

For P2S VPN clients to be able to resolve Private Endpoint entries hosted on Azure Private DNS Zones, you must leverage an existing DNS Server (Forwarder or Proxy) or deploy one IaaS VM using a DNS Server role. That is required for P2S VPN clients to be able to consume Azure Private DNS Zone which is exposed to 168.63.129.16 via DNS Forwarder/Proxy.

Once you have a DNS forwarder/proxy deployed on Azure, you can define the DNS server at the VNET level or set DNS Server configuration directly on client XLM profile. Post this, you will be able to resolve Private Endpoint entries from your P2S clients.

Refer: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-P2S

https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-dns-servers

As of today, Azure DNS Private Resolver service is the recommended Azure managed service that can resolve DNS queries without the need for a virtual machine acting as a DNS forwarder. For on-premises workloads to resolve the FQDN of a private endpoint, you can use Azure Private Resolver.

Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#azure-private-resolver-for-on-premises-workloads

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 4

Hi Ben McFadden, did you find any working solution for this?? I have a similar problem.