Container App Not Accepting Http Traffic

Question

Container App Not Accepting Http Traffic

Dinesh Nimmagadda 25

1.Public Access Layer

Public IP/Static with Standard SKU

WAF Policy in Prevention Mode (OWASP 3.2)

Application Gateway Subnet Application Gateway in WAF_v2 SKU with HTTP Listener

Container Apps Subnet Container App Environment

	Frontend Container (External Ingress Enabled) (5464)

	API Container (Internal Only)(8080)

We are experiencing connectivity issues between our Application Gateway and Container App when using HTTP ingress. Specifically:

When the Container App ingress is set to "internal" (which is our security requirement), the Application Gateway health probe fails and marks the backend as unhealthy.
The system works correctly when we change the Container App ingress type to "tcp".
The issue appears to be related to DNS resolution when using HTTP traffic with internal ingress configuration. We have exposed our application on port 5464, as ports 80/443 are being used by default Container App services.

Troubleshooting Steps Already Taken

Confirmed the Container App works correctly with TCP ingress
Verified Application Gateway configuration matches Container App endpoints
Checked NSG rules to ensure traffic is permitted
Confirmed VNet integration is properly configured

Impact

This issue is preventing us from implementing our planned security architecture, forcing us to either:

Expose our Container App publicly (security risk), or Use TCP instead of HTTP (limits our ability to use HTTP-specific features)

Khadeer Ali 4,710 Reputation points Microsoft External Staff

2025-03-21T12:43:50.24+00:00
@Dinesh Nimmagadda ,

Thanks for reaching out. When you configure your Azure Container App's ingress as "internal," it restricts access to only services within the same Container App Environment. This means that external services, including Azure Application Gateway, cannot reach the container app over HTTP traffic unless they are part of that environment.

Since you mentioned that the Application Gateway shows as unhealthy, it likely means that it cannot resolve the internal DNS or connect to the container app over HTTP due to the ingress restrictions.

If you want to keep the ingress as "internal" and still need to expose your app, consider using a different approach, such as a VPN or a private link, to allow secure access from the Application Gateway.

References:

Ingress in Azure Container Apps
Khadeer Ali 4,710 Reputation points Microsoft External Staff

2025-03-24T18:09:15.1933333+00:00

@Dinesh Nimmagadda ,

Just following up to see if you had a chance to review my response.
Dinesh Nimmagadda 25 Reputation points

2025-03-24T18:39:08.6566667+00:00

hi @Khadeer Ali ,

I deployed the container in an internal network with a private link attached to a private DNS zone and also tried deploying it with a private endpoint. The main issue is that Container Apps do not accept traffic unless it originates from another Container App. However, when the ingress type is set to TCP, the application works, and the Application Gateway also shows a healthy status.

Our main goal is to use HTTP as the ingress type instead of TCP. When attempting to use a private link, we encountered a DNS resolution issue.
LeelaRajeshSayana-MSFT 17,521 Reputation points

2025-04-01T00:13:12.6333333+00:00

@Dinesh Nimmagadda Just checking in to see if the above information was helpful. If you have any further query or still seek assistance on this issue, do let us know. Thank you
LeelaRajeshSayana-MSFT 17,521 Reputation points

2025-04-02T20:01:06.23+00:00

@Dinesh Nimmagadda We still have not heard back from you. Just wanted to check if the above information was helpful? If you have any further query do let us know. Thank you

1 answer

Your answer

Khadeer Ali 4,710 Reputation points Microsoft External Staff

2025-03-21T12:43:50.24+00:00

@Dinesh Nimmagadda ,

Thanks for reaching out. When you configure your Azure Container App's ingress as "internal," it restricts access to only services within the same Container App Environment. This means that external services, including Azure Application Gateway, cannot reach the container app over HTTP traffic unless they are part of that environment.

Since you mentioned that the Application Gateway shows as unhealthy, it likely means that it cannot resolve the internal DNS or connect to the container app over HTTP due to the ingress restrictions.

If you want to keep the ingress as "internal" and still need to expose your app, consider using a different approach, such as a VPN or a private link, to allow secure access from the Application Gateway.

References:

Ingress in Azure Container Apps
Khadeer Ali 4,710 Reputation points Microsoft External Staff

2025-03-24T18:09:15.1933333+00:00

@Dinesh Nimmagadda ,

Just following up to see if you had a chance to review my response.
Dinesh Nimmagadda 25 Reputation points

2025-03-24T18:39:08.6566667+00:00

hi @Khadeer Ali ,

I deployed the container in an internal network with a private link attached to a private DNS zone and also tried deploying it with a private endpoint. The main issue is that Container Apps do not accept traffic unless it originates from another Container App. However, when the ingress type is set to TCP, the application works, and the Application Gateway also shows a healthy status.

Our main goal is to use HTTP as the ingress type instead of TCP. When attempting to use a private link, we encountered a DNS resolution issue.
LeelaRajeshSayana-MSFT 17,521 Reputation points

2025-04-01T00:13:12.6333333+00:00

@Dinesh Nimmagadda Just checking in to see if the above information was helpful. If you have any further query or still seek assistance on this issue, do let us know. Thank you
LeelaRajeshSayana-MSFT 17,521 Reputation points

2025-04-02T20:01:06.23+00:00

@Dinesh Nimmagadda We still have not heard back from you. Just wanted to check if the above information was helpful? If you have any further query do let us know. Thank you

Answer 1

Hi Dinesh Nimmagadda,

Ensure a Private DNS Zone is set up for Azure Container Apps internal domain

Example: privatelink.azurecontainerapps.io

Link the Private DNS Zone to the Virtual Network where App Gateway lives

Optional: Deploy a VM or use Azure Bastion in same subnet to verify DNS resolution

Command: nslookup <your-internal-container-app-name>.azurecontainerapps.io

In Application Gateway:

Create a custom Health Probe
- Protocol: HTTP
- Port: 5464 (or your custom exposed port)
- Path: / (or your app's health endpoint)
- Host: <internal FQDN of your container app>
- Interval/Timeout: 30s/20s (or preferred settings)
Create a custom HTTP Setting
- Backend port: 5464
- Override host header: <internal FQDN of your container app>
- Use custom probe created above
Attach the container app's internal IP or FQDN as a backend pool target

Final check: Ensure NSG rules allow traffic between App Gateway subnet and Container App subnet on port 5464

Once all is wired correctly, Application Gateway should see backend as healthy and route traffic successfully. Let me know if any confusion in this.

Share via

Container App Not Accepting Http Traffic

1 answer

Your answer