VNet-Integrated Deployment Support for AzUrlShortener Container App via Private Endpoint

Question

VNet-Integrated Deployment Support for AzUrlShortener Container App via Private Endpoint

Sharma, Ritika 345

We want to deploy the AzUrlShortener container app in the production environment with VNet integration, so that it can access resources (Storage Account) through Private Endpoints with public access disabled.

Are there any changes required in the existing Bicep deployment template to support VNet integration for the Container App Environment, or can this configuration be handled after deployment in portal only?

Praveen Kumar Gudipudi 2,280 Reputation points Microsoft External Staff Moderator

2026-03-18T11:08:21.8366667+00:00

Hello Sharma, Ritika,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sharma, Ritika 345 Reputation points

2026-03-26T05:13:30.3833333+00:00

Please confirm whether enabling public network access ensures connectivity between the Storage Account and the Container App in my scenario.

Also, could you explain what potential issues or risks we might face if we keep public network access enabled instead of using a private endpoint route?

2 answers

Your answer

Praveen Kumar Gudipudi 2,280 Reputation points Microsoft External Staff Moderator

2026-03-18T11:08:21.8366667+00:00

Hello Sharma, Ritika,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sharma, Ritika 345 Reputation points

2026-03-26T05:13:30.3833333+00:00

Please confirm whether enabling public network access ensures connectivity between the Storage Account and the Container App in my scenario.

Also, could you explain what potential issues or risks we might face if we keep public network access enabled instead of using a private endpoint route?

Answer 1

Praveen Kumar Gudipudi 2,280 Microsoft External Staff Moderator

Hello Sharma, Ritika,

To get your AzUrlShortener Container App talking to a Storage Account over private endpoints with public access off, you’ll need to bake the VNet integration into your Container App Environment at deployment time. You can’t retrofit a completely new VNet into an existing environment via the portal alone. Here’s what you should do:

Use a workload-profiles Container App Environment • Consumption-only environments don’t support VNet integration – make sure you’re on a “Workload profiles” (dedicated) plan.
Update your Bicep template on the Microsoft.App/managedEnvironments resource to include vnetConfiguration and disable public access:

resource env 'Microsoft.App/managedEnvironments@2023-06-01' = {
  name: envName
  location: location
  properties: {
    // Disable public network access so only your VNet + private endpoints can talk to this env
    publicNetworkAccess: 'Disabled'
    // VNet integration settings
    vnetConfiguration: {
      infrastructureSubnetId: resourceId('MyRg','Microsoft.Network/virtualNetworks/subnets','myVnet','infrastructure-subnet')
      appSubnetIds: [
        resourceId('MyRg','Microsoft.Network/virtualNetworks/subnets','myVnet','app-subnet')
      ]
    }
    // Optional: internal load balancer if you want fully internal ingress
    internalLoadBalancer: {
      enabled: true
    }
  }
}

Deploy that updated Bicep. This creates an environment that’s already wired into your VNet subnets.
In the same or a follow-up Bicep/CLI/template, deploy your container app into that environment.
Configure the Storage Account with a private endpoint in the same VNet, disable its public access, and ensure your VNet’s private DNS zone is resolving the storage account FQDN.

After doing the above, your AzUrlShortener app will be able to reach the storage account over the private link, and nothing externally will be exposed.

Follow-ups if you hit any snags: • Are you already on a workload-profiles environment or on consumption-only? • Can you share your current Bicep snippet for the managedEnvironment resource? • How have you set up your subnets / NSG – do you have the required allow-list for Azure platform traffic? • Have you configured the private DNS zone and linked it to your VNet so that the storage account’s privatelink zone resolves?

Reference list • Provide a virtual network to an Azure Container Apps environment (Bicep) – https://aka.ms/container-apps-vnet-custom-bicep

• How to use private endpoints with Container Apps – https://aka.ms/container-apps-private-endpoint

• Securing a custom VNet in Azure Container Apps – https://aka.ms/container-apps-firewall-integration

• Integrate your App Service with a VNet (Windows Containers guidance) – https://aka.ms/appservice-vnet-integration

Networking in Azure Container Apps environment

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

Sharma, Ritika 345 Reputation points

2026-03-11T10:36:57.0333333+00:00

After deploying with these changes, this public network access (for storage account) shall be disabled and there shall be no issues disabling it. Right?
Praveen Kumar Gudipudi 2,280 Reputation points Microsoft External Staff Moderator

2026-03-11T10:53:40.14+00:00

Hello Sharma, Ritika,

Yes, that’s correct — you can disable Public Network Access on the Storage Account, but only after confirming the Private Endpoint and DNS configuration are working correctly.
Sharma, Ritika 345 Reputation points

2026-03-16T10:39:30.1333333+00:00

How to test that the Private Endpoint and DNS configuration are working correctly? before disabling public network now. I have settled up PE and DNS configuration, but when I try to disable public network access the shortener stops to work.
Praveen Kumar Gudipudi 2,280 Reputation points Microsoft External Staff Moderator

2026-03-16T11:24:10.82+00:00
Hello Sharma, Ritika,

Please follow below order,

Create Private Endpoint

Configure Private DNS zone

Link DNS zone to the VNet

Test DNS resolution (must return private IP)

Test HTTPS connectivity on port 443

Then disable Public Network Access
Sharma, Ritika 345 Reputation points

2026-03-26T05:19:51.7633333+00:00

Hi please confirm, this communication is strictly between two Azure resources —the Container App and the Storage Account. There is no direct end-user access to the Storage Account, as all interactions are routed through the Container App.
Praveen Kumar Gudipudi 2,280 Reputation points Microsoft External Staff Moderator

2026-03-27T11:47:57.47+00:00
Yes, correct.

In your architecture, the communication is only between the Container App and the Storage Account. End users interact with the Container App endpoint, and the application internally performs all required operations (such as storing or retrieving data) on the Storage Account.

This means:

End users → Container App: Users access the application through the Container App's public endpoint.

Container App → Storage Account: The application communicates with the Storage Account as a backend dependency.

No direct user access to Storage: The Storage Account is not exposed to end users, and all interactions with it are mediated by the Container App.

When a Private Endpoint is configured for the Storage Account and DNS resolution is correctly set up, the communication between the Container App and the Storage Account occurs over the private network within the VNet.

Therefore, once the Private Endpoint and DNS configuration are verified to be working correctly, you can disable Public Network Access on the Storage Account. The Container App should continue to access the Storage Account through the private endpoint without impacting end-user functionality.
Sharma, Ritika 345 Reputation points

2026-04-06T09:07:49+00:00

As suggested, I have implemented VNet integration in the Bicep template for the Container App environment and deployed it via the Azure Portal.

On the Storage Account, I’m currently able to set the network access to “Public enabled from selected networks (VNet)”. Could you please guide me on how to completely disable public access?
Praveen Kumar Gudipudi 2,280 Reputation points Microsoft External Staff Moderator

2026-04-07T17:53:07.96+00:00

Hello Sharma, Ritika,

After configuring the VNet integration for the Container App Environment and creating the Private Endpoint for the Storage Account, you can fully disable public access from the Storage Account settings.

In the Azure portal, navigate to the Azure Storage Account → Networking → Firewalls and virtual networks. Under Public network access, change the setting to Disabled and save the configuration. Once this is applied, the storage account will only be accessible through the configured Azure Private Endpoint and traffic from the public internet will be blocked.

Before disabling public access, make sure the private connectivity is working correctly. Verify that the private endpoint is approved and that the Private DNS zone is linked to the VNet used by the Azure Container Apps environment. You can test this by confirming that the storage account FQDN resolves to a private IP address (for example, 10.x.x.x or 172.x.x.x) from within the VNet.

If DNS resolution points to the private endpoint and HTTPS connectivity on port 443 is successful, the Container App will continue to access the Storage Account through the private network without requiring public access.

In this architecture, end users only interact with the Container App endpoint, while the Container App communicates with the Storage Account internally through the private endpoint.

Answer 2

VNet integration and private endpoint support for Azure Container Apps environments is determined at environment creation time and by the environment type, so changes are required in the Bicep template rather than only in the portal after deployment.

Key points from the context:

Environment type and VNet requirements
- Private endpoints are only supported for workload profile environments (the default for new environments).
- When using an existing VNet, a dedicated subnet must be provided for the Container Apps environment, and for workload profiles the minimum subnet size is /27.
- Once an environment is created with either the default Azure network or an existing VNet, the network type cannot be changed later.
Private endpoints and disabled public access
- To use a private endpoint on the Container Apps environment, public network access must be disabled on that environment.
- This can be done via CLI or portal, but in an IaC scenario it should be expressed in Bicep (for example, by updating the environment with --public-network-access Disabled as shown in the CLI flow).
VNet and private endpoint setup
- For the scenario where the container app must reach a Storage Account via private endpoint with public access disabled, the infrastructure must include:
  - A VNet with appropriate subnets (one for the Container Apps environment, and one for the storage private endpoint if following the deployment-script example).
  - A Storage Account with public network access disabled.
  - A private endpoint for the Storage Account in the VNet.
  - A private DNS zone for the Storage Account’s private endpoint and a link to the VNet.
What must be in Bicep vs. portal
- Because the Container Apps environment’s VNet integration and subnet and the environment type are fixed at creation, these must be modeled in the Bicep template. They cannot be retrofitted purely via portal after the environment exists.
- Disabling public network access and enabling private endpoints on the Container Apps environment can be done via CLI/portal, but for a repeatable production deployment they should also be represented in Bicep.
- The Storage Account, its private endpoint, and the required private DNS zone should likewise be defined in Bicep to ensure the container app can resolve and reach the Storage Account privately.

Therefore, to support VNet integration and private endpoint–based access for the AzUrlShortener container app in production, the existing Bicep deployment template must be updated to:

Create or reference a VNet and dedicated subnet sized at least /27 for the Container Apps environment (workload profile environment).
Create the Container Apps environment integrated with that subnet (network type set at creation).
Disable public network access on the Container Apps environment and enable private endpoints for it.
Create the Storage Account with public network access disabled, plus its private endpoint and private DNS zone configuration.

This cannot be fully handled after deployment in the portal alone if the environment was originally created without VNet integration or with the wrong environment type.

References:

Share via

VNet-Integrated Deployment Support for AzUrlShortener Container App via Private Endpoint

2 answers

Your answer