
Private Azure Container Apps Environment not reachable via Application URL or Swagger over P2S VPN (DNS Resolver + Private Ingress)

Abdelrhman Goma 115 Reputation points
2026-02-06T14:55:02.5633333+00:00

I’m running into an accessibility issue with a fully private Azure Container Apps Environment and would appreciate guidance on what architectural piece is missing or misconfigured.

High-level architecture

Hub-Spoke network model

Hub VNet

  • Contains:
    • VPN Gateway (P2S)
    • Azure DNS Private Resolver (inbound/outbound endpoints)
  • Acts as shared networking hub

Spoke VNet (Production workloads)

Azure Container Apps Environment (Consumption, fully private)

Azure Container Apps (private ingress)

All PaaS services using Private Endpoints only:

  • Redis
  • Kafka
  • MySQL Flexible Server
  • Storage Account

No public endpoints anywhere

Connectivity

Hub ↔ Spoke VNet peering (bi-directional)

Spoke uses Use remote gateway = Yes

Hub does not use remote gateway

VPN P2S users connect successfully and can reach other private resources

DNS resolution is handled via Azure DNS Private Resolver in the hub VNet, forwarding to Azure Private DNS zones.


Container Apps specifics

  • Azure Container Apps Environment is Internal

Ingress is limited to VNet only

Application URLs are created automatically by Azure

Swagger endpoints are exposed via HTTPS

No custom domain yet (Premium CDN planned later)

When deploying the private CAE, Azure automatically created an internal Standard Load Balancer:

Load Balancer

Frontend IP (private): 10.60.2.113

Backend pool: 2 IPs (managed infrastructure)

Rules:

  • Port 80 → backend 31080 (envoy-http)
  • Port 443 → backend 31443 (envoy-https)

Health probes are healthy

The problem

Despite:

VPN P2S working correctly

Correct VNet peering

DNS Private Resolver deployed

Container Apps ingress restricted to VNet

Load balancer healthy

I cannot access:

The Container App Application URL

Swagger endpoints of backend services

This happens even from VPN-connected clients, which can access other private PaaS resources successfully.


What I’m trying to understand

  1. How is DNS supposed to work for private Container Apps?
    • Should the default *.azurecontainerapps.io hostname resolve privately?
    • Do I need to create and link a Private DNS Zone manually for Container Apps?
  2. Is the automatically created internal Load Balancer sufficient, or do I need:
    • An Application Gateway / Azure Front Door (Private Link)?
    • Custom DNS records pointing to the LB frontend IP?
  3. Are there any known gotchas with:
    • DNS Private Resolver + CAE
    • VNet-limited ingress
    • P2S VPN access to private CAE

Goal

I want:

A secure, private backend

Frontend reachable by end users (later via Premium CDN / Front Door)

Backend services (Swagger, APIs) reachable internally via VPN

No public exposure of Container Apps

What is the correct reference architecture for this scenario, and what am I missing in my current setup?


2 answers

  1. Praveen Bandaru 10,715 Reputation points Microsoft External Staff Moderator
    2026-02-07T04:52:37.43+00:00

    Hello Abdelrhman Goma

    It looks like you're having difficulty accessing your Azure Container Apps Environment through the Application URL and Swagger when connected to a P2S VPN. Here are some key points and suggestions:

    • To have a fully private Azure Container Apps environment, you need to configure DNS resolution correctly. By default, the *.azurecontainerapps.io hostname won't resolve privately unless you set it up as needed.
    • It's usually necessary to create and link a Private DNS Zone so the Container App's domain can resolve within your private network.
    • The internal load balancer that Azure automatically sets up for your environment should be adequate for managing incoming traffic, provided the networking settings are configured properly.
    • If you need more advanced routing or plan to handle external traffic more effectively in the future, you might want to use Application Gateway or Azure Front Door, as these services offer extra features.
    • Make sure your NSGs associated with both the Hub and Spoke VNets allow traffic on the necessary ports (e.g., 80 and 443). Not allowing certain required traffic can cause accessibility issues.
    • Verify that your Container Apps environment is indeed integrated with the correct VNet and that there is no misconfiguration preventing proper routing of the VPN traffic.
    • Since you mentioned that DNS resolution is via Azure DNS Private Resolver, ensure that it correctly forwards DNS requests to your Private DNS zones.

    Hope the above answer helps! Please let us know if you have any further queries.

    Please consider up-voting wherever the information provided helps you, as this can be beneficial to other community members.
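The answer above says a Private DNS zone has to be created and linked by hand; the script below is an added example of doing that with the Azure CLI, not code from the original post or from Microsoft. It assumes the environment's default domain has the shape `<unique>.<region>.azurecontainerapps.io` (the last four labels of any app hostname, including hostnames that carry an `.internal.` label), that the environment's `staticIp` is the internal load balancer frontend (10.60.2.113 in the question), and that the DNS Private Resolver inbound endpoint only answers from Private DNS zones linked to the VNet the resolver sits in, so the zone is linked to the hub as well as the spoke. Resource group, environment and VNet names are placeholders.

```shell
#!/usr/bin/env bash
# Added example: make an internal Container Apps environment resolvable for P2S
# clients. Azure does not create this zone automatically. All names are placeholders.
set -eu

# Zone name from an app URL or hostname: the environment default domain is always the
# last four labels (<unique>.<region>.azurecontainerapps.io), whether or not the app
# hostname carries an ".internal." label. Assumption stated in the lead-in.
cae_zone_name() {
  host=$(printf '%s' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##')
  printf '%s' "$host" | awk -F. '
    NF < 4 { exit 1 }
    { print $(NF-3) "." $(NF-2) "." $(NF-1) "." $NF }'
}

# Create the zone named after the default domain, point "*" at the environment's
# static IP (the ILB frontend), and link the zone to every VNet whose resource ID is
# passed after the first two arguments. The hub link is the one VPN clients depend on:
# the Private Resolver inbound endpoint resolves zones linked to its own VNet.
create_cae_private_dns() {
  rg="$1"; env_name="$2"; shift 2
  zone=$(az containerapp env show -g "$rg" -n "$env_name" \
           --query properties.defaultDomain -o tsv)
  ip=$(az containerapp env show -g "$rg" -n "$env_name" \
           --query properties.staticIp -o tsv)
  az network private-dns zone create -g "$rg" -n "$zone" -o none
  az network private-dns record-set a add-record -g "$rg" -z "$zone" \
      -n '*' -a "$ip" -o none
  i=0
  for vnet_id in "$@"; do
    i=$((i + 1))
    az network private-dns link vnet create -g "$rg" -z "$zone" \
        -n "link-cae-$i" -v "$vnet_id" -e false -o none
  done
  echo "$zone -> $ip"
}

# Only touches Azure when invoked as: ./cae-private-dns.sh apply
if [ "${1:-}" = "apply" ]; then
  create_cae_private_dns "rg-prod" "cae-prod" \
    "/subscriptions/<sub>/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub" \
    "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
fi
```

After the zone exists, the `staticIp` printed by the script should match the ILB frontend shown in the portal; if it does not, the wildcard record points at the wrong address and nothing else in this chain will help. VPN clients must also be handed the resolver's inbound endpoint as their DNS server (they already are if other private endpoints resolve over the tunnel).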


  2. Q&A Assist
    2026-02-06T14:55:17.5333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To address your accessibility issue with the fully private Azure Container Apps Environment, here are some insights and recommendations based on your architecture and configuration:

    1. DNS Resolution for Private Container Apps:
      • The default *.azurecontainerapps.io hostname does not resolve privately by default. You will need to create and link a Private DNS Zone manually for your Container Apps. This setup allows the private endpoint to resolve correctly within your virtual network.
    2. Load Balancer Configuration:
      • The automatically created internal Load Balancer should suffice for routing traffic to your Azure Container Apps, provided that the backend services are correctly configured. However, if you require more advanced features like SSL termination or web application firewall capabilities, consider integrating an Application Gateway or Azure Front Door with Private Link.
      • You may also need to create custom DNS records pointing to the Load Balancer's frontend IP to ensure that your applications can be accessed via the expected URLs.
    3. Known Gotchas:
      • Ensure that your DNS Private Resolver is correctly configured to forward requests to the Azure Private DNS zones. Misconfigurations here can lead to resolution failures.
      • Check the VNet-limited ingress settings to confirm that they are correctly set to allow traffic from your VPN clients.
      • Verify that the P2S VPN configuration allows access to the private endpoints of your Container Apps and that there are no firewall rules blocking this access.
    4. Reference Architecture:
      • For a secure, private backend with frontend accessibility, consider using a combination of Azure Private Link for the backend services, an internal Load Balancer for routing, and a custom DNS setup to manage hostname resolution. The frontend can be exposed later via Azure Front Door or Premium CDN as planned.

    By addressing these aspects, you should be able to resolve the accessibility issues you are facing with your Azure Container Apps Environment.


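The answer above lists three places to look (resolver forwarding, VNet-limited ingress, the VPN path) without saying how to tell them apart. The script below is an added troubleshooting example, run from a VPN-connected client, that is not part of the original thread. It separates a DNS failure from a network-path failure: first it checks what the client resolves the app hostname to (and, optionally, what the Private Resolver inbound endpoint returns when queried directly), then it bypasses DNS with `curl --resolve` and connects to the ILB frontend with the correct SNI and Host header. The app URL and the resolver inbound IP (10.50.0.4) are assumed values; 10.60.2.113 is the ILB frontend from the question. The RFC 1918 check is a heuristic for "this answer came from the private zone, not public DNS".

```shell
#!/usr/bin/env bash
# Added diagnostic for a P2S VPN client that cannot reach a private Container Apps URL.
# Placeholders: app URL and resolver inbound IP are assumed, ILB IP is from the post.

# Heuristic: RFC 1918 address? For an internal environment, a public answer or an
# empty answer means the query never reached the Private DNS zone.
is_private_ip() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  if [ "$1" -eq 10 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
  return 1
}

# Hostname from a URL (strips scheme, port and path).
host_of() {
  printf '%s' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# Step 1: what does this client (or a specific resolver) answer for the app hostname?
check_dns() {
  host="$1"; resolver="${2:-}"
  if [ -n "$resolver" ]; then
    answer=$(dig +short @"$resolver" "$host" A | tail -n1)
  else
    answer=$(dig +short "$host" A | tail -n1)
  fi
  if [ -z "$answer" ]; then
    echo "DNS: no A record for $host (zone missing, or not linked to the resolver's VNet)"
    return 1
  fi
  if is_private_ip "$answer"; then
    echo "DNS: $host -> $answer (private, as expected)"
  else
    echo "DNS: $host -> $answer is public; the query is still going to public DNS"
    return 1
  fi
}

# Step 2: skip DNS and hit the ILB frontend with the right SNI/Host. Working here while
# step 1 fails means DNS is the only problem; failing here too points at the network
# path (NSG on the environment subnet, UDRs, P2S routes to the spoke).
check_path() {
  host="$1"; ilb_ip="$2"; path="${3:-/}"
  curl -sS -o /dev/null -w 'HTTP %{http_code} via %{remote_ip}\n' \
    --resolve "$host:443:$ilb_ip" --max-time 10 "https://$host$path"
}

# Runs the checks only when invoked as: ./cae-check.sh run
if [ "${1:-}" = "run" ]; then
  APP_URL="https://orders-api.happyforest-12345678.westeurope.azurecontainerapps.io"  # assumed
  ILB_IP="10.60.2.113"          # ILB frontend reported in the question
  RESOLVER_INBOUND="10.50.0.4"  # assumed Private Resolver inbound endpoint IP
  HOST=$(host_of "$APP_URL")
  check_dns "$HOST" || true
  check_dns "$HOST" "$RESOLVER_INBOUND" || true
  check_path "$HOST" "$ILB_IP" /swagger/index.html
fi
```

Reading the output: an empty or public answer from the client but a private answer from the inbound endpoint means the VPN client is not using the resolver; empty from both means the zone is not linked to the resolver's VNet; a private answer everywhere plus a failing `check_path` means the problem is not DNS at all and the NSG/route path from the P2S address pool to the environment subnet on 443 is what to inspect next.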
