Container Environment type: Consumption only and Workload profile

Question

Container Environment type: Consumption only and Workload profile

Đỗ Hoàng Minh Hưng 50

In this article: https://learn.microsoft.com/en-us/azure/container-apps/environment (dated 05/02/2025), I saw that Azure Container Apps (ACA) offers two separate environment workload types:

Consumption only

Workload profile

Each type has a different way of controlling network access with a Network Security Group (NSG): https://learn.microsoft.com/en-us/azure/container-apps/firewall-integration?tabs=workload-profiles#nsg-allow-rules

However, I can no longer create a new ACA environment using the Consumption only type. It always shows a result like in the image, even when I leave everything as default.

I would like to understand how to apply NSG rules to an ACA environment when the default type appears to be Workload profile (as shown in the properties).

User's image

Accepted answer

1 additional answer

Your answer

Answer 1

Arko 4,150 Microsoft External Staff Moderator

Hello Đỗ Hoàng Minh Hưng,

As of May 2025, Microsoft removed the "Consumption-only" (v1) environment option from the Azure Portal UI. Now, every new ACA environment created via the portal defaults to the "Workload Profiles" (v2) model and includes a Consumption profile by default (screenshot 1 confirms this behavior).

This is by design and is documented here: Environment types in ACA

How to Restrict Access Using NSG with Workload Profiles?

Ans- You're still fully able to control public traffic using NSG rules, even under the newer Workload Profiles environment.

I tested this exact scenario by creating a VNet-injected ACA environment with a public endpoint. Deployed a container app to it. Applied NSG rules to the subnet. Allow only my own IP on ports 80/443. Deny all others

Result: Access from other IPs was blocked successfully even though the app was public. This behavior is confirmed by Microsoft here: Firewall integration via NSG (Workload Profiles)

So even though your ACA is public (as shown in your screenshot), the NSG on the subnet still controls access effectively.

Want to Use Legacy "Consumption-only" (v1) Environment?
Ans- You won’t find it in the Portal anymore, but you can still create it using Azure CLI.

az containerapp env create \
  --name aca-env-consumption-v1 \
  --resource-group arkorg \
  --location eastus \
  --infrastructure-subnet-resource-id <subnet-id-for-/23-subnet> \
  --enable-workload-profiles false

Note- You must use a subnet with at least a /23 address range for v1 to work.

aca8

aca9

Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-05-29T06:06:37.11+00:00

Đỗ Hoàng Minh Hưng hope I was able to clear your query here. Thanks
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-05-30T07:15:05.0966667+00:00

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Đỗ Hoàng Minh Hưng 50 Reputation points

2025-06-02T02:31:07.1833333+00:00

I did it before, but my NSG (which is attached to the container subnet) did not work.
I have to use the ingress's IP Restrictions to limit access.

My ingress traffic is set to Accepting traffic from anywhere, and my ACA environment is set to Enable: Allow incoming traffic from the public internet.

Here is my ACA environment network setting.

I wanna keep the setting and use my NSG.
TP 125.5K Reputation points Volunteer Moderator

2025-06-02T02:46:44.9366667+00:00

@Đỗ Hoàng Minh Hưng When you enable Public network access, you cannot limit the incoming Internet traffic using your NSG. See screenshot from documentation below:
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-04T16:44:24.59+00:00

Hello Đỗ Hoàng Minh Hưng,

when your Container App is configured with public ingress enabled, and your ACA environment is also set to allow public access, NSG rules on the subnet will not apply. This is because traffic enters directly through Azure Container Apps' public endpoint, bypassing the subnet-level NSG completely.

This is documented here: https://learn.microsoft.com/en-us/azure/container-apps/firewall-integration?tabs=workload-profiles#nsg-allow-rules

"If your container apps are set to accept traffic from the public internet, incoming traffic goes through the public endpoint instead of the virtual network."*

*
If you want NSG rules to apply and still have public access, there are two valid approaches:

Option 1: Use Ingress Internal + Your Own Public Load Balancer
or
Option 2: Use Ingress IP Restrictions (Simpler)

Unfortunately, there's no supported way to make NSG rules work when ingress is set to public. If NSG control is critical, then internal ingress + a custom load balancer is the way to go.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-09T04:47:27.76+00:00

Hello Đỗ Hoàng Minh Hưng, hope I was able to clear your follow up query. It would be great if you could kindly mark the answer as accepted as this helps others having similar query can refer to this post. Thanks

Answer 2

Hi,

What you are seeing is expected.

The default now is to create a Workload profiles (v2) environment, which includes a Consumption profile by default. This gives you the flexibility of the older Consumption-only (v1) with the benefit of being able to add Dedicated profile in the future (if you need it).

Please see two articles below for more information and FAQ:

Compute and billing structures in Azure Container Apps

https://learn.microsoft.com/en-us/azure/container-apps/structure

Consumption-only environment type in Azure Container Apps

https://learn.microsoft.com/en-us/azure/container-apps/environment-type-consumption-only

In regards to networking/NSG, that will depend on if you choose to integrate with your own VNet when you create the Container App/environment. If you choose to integrate with VNet you will have ability to configure NSG rules as described in the article you referenced.

Please note if you choose to integrate with your own VNet there will be an additional resource group created with infrastructure resources (e.g. load balancer, public IP) that will incur separate costs.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Đỗ Hoàng Minh Hưng 50 Reputation points

2025-05-22T10:40:16.72+00:00

I do integrate my Container environment within Vnet. But do the public access.
My network settings shown in the image

In summary, I wanna create a public ACA and wanna limit access to it using NSG. How can I do that if the default type is Workload profile?

How could I create an ACA with Consumption-only? I did not see the option Consumption-only in the Azure portal.

Share via

Container Environment type: Consumption only and Workload profile

1 additional answer

Your answer