Container App set up IP restriction does not work if ingress traffic is limited to app environment

Question

I set the ingress traffic of my ACA to limited to app environement to deny access from undesired external addresses.

but i still need to reach out to my api app from allowed external IP addresses so i configured the section Ip Restriction in order to set up my whitelist of trusted IP address as shown below.

If i try to reach out to my api app i get a 404 error.

Is it possible to get this using the built-in ACA ingress configuration or i need to configure a custom VNET?

Answer 1

Hi Luigi,

Yes, that’s correct. When you set the ingress traffic to “Limited to Container Apps Environment,” it restricts traffic to within the environment, effectively ignoring any external IP restrictions you set up. This is expected behavior because the setting is designed to limit access strictly to the container app environment.

If you need to allow specific external IP addresses while still restricting others, you would need to configure a custom Virtual Network (VNET). This setup provides more granular control over network traffic and allows you to specify which external IP addresses can access your container app.

References:

• https://learn.microsoft.com/en-us/azure/container-apps/ip-restrictions?pivots=azure-portal
• https://learn.microsoft.com/en-us/azure/container-apps/ingress-how-to?pivots=azure-cli

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Regards,

Luis