Share via

Container App ingress with a network security group applied to it

AzureRACO 20 Reputation points
2026-02-23T12:11:13.85+00:00

I'm not sure is this is even possible, or whether we need to go down a different road, but we have a collection of container apps running in a single container app environment (using dapr to talk to each other when needed).

I'd like to allow access to these apps from public addresses (a third-party company, for example). We already have a vnet and a subnet for the app environment (plus subnets for the database and everything else).

Is it possible to define a specific set of seperate container apps to be accessible to the outside world whilst applying a network security group to filter those request?

Having applied my work IP to the container app, I can filter on the ingress in the app itself but making it purely public allows everything (and thus the NSG is ignored), and changing to be vnet-only removes any access whatsoever.

Would an application gateway be better here, or is that not designed for multiple container apps? In which case, are we stuck with a costly APIM instead?

Azure Container Apps
Azure Container Apps

An Azure service that provides a general-purpose, serverless container platform.

Answer accepted by question author
  1. Pravallika KV 10,720 Reputation points Microsoft External Staff Moderator
    2026-02-23T12:53:19.0166667+00:00

    Hi @AzureRACO ,

    Thanks for reaching out to Microsoft Q&A.

    There is no supported way to:

    • Keep ACA ingress public
    • AND apply subnet NSGs
    • AND selectively expose apps

    Microsoft explicitly states inbound NSGs don't apply to public ACA ingress.

    To allow public access while controlling it:

    1. Convert ACA environment to Internal
    2. Deploy Application Gateway v2 (WAF optional)
    3. Expose only required apps via:
      • Host-based routing or
      • Path-based routing
    4. Apply:
    • NSGs to App Gateway subnet
    • WAF/IP rules at the gateway

    References:

    Protect Azure Container Apps with Web Application Firewall on Application Gateway

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-02-23T12:11:28.61+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Yes, it is possible to configure Azure Container Apps to allow access from public addresses while applying a Network Security Group (NSG) to filter those requests. You can achieve this by using a combination of ingress settings and NSGs to control the traffic flow to your container apps.

    Here’s how you can approach this:

    1. Ingress Configuration: You can configure your container apps with external ingress to accept traffic from the public internet. This allows you to expose specific container apps to the outside world.
    2. Network Security Group (NSG): Apply an NSG to the subnet where your container apps are deployed. The NSG can be configured to allow or deny traffic based on your requirements, such as allowing only specific IP addresses (like your work IP) while blocking others.
    3. Application Gateway: Using an Application Gateway can also be beneficial. It can provide additional features such as load balancing, SSL termination, and Web Application Firewall (WAF) capabilities. This can help manage traffic to multiple container apps more effectively than relying solely on NSGs.
    4. Private Endpoints: If you want to eliminate public internet exposure, consider using private endpoints for your container apps. This way, you can restrict access to your apps to only those resources within your virtual network.

    In summary, you can use a combination of external ingress, NSGs, and potentially an Application Gateway to manage access to your container apps effectively. This setup allows you to maintain security while providing necessary access to external parties.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.