![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 77%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
Sidecar containers in Azure App Service share the same network stack as the main app container. When App Service regional VNet Integration is configured, outbound traffic from the app is routed according to the VNet integration routing settings, including peered VNets, but there are current limitations and requirements that can affect this scenario.
From the available information:
- Sidecar support and limitations
- Sidecars are supported for Linux apps, including custom containers, but there are platform limitations: App Service Environment (ASE) and national clouds may not be supported yet, and networking is simplified so that all containers share
localhostand must use unique ports. - Storage and networking features are more limited than in Docker Compose; all containers share the same host network, and there is no per-container VNet configuration.
- Sidecars are supported for Linux apps, including custom containers, but there are platform limitations: App Service Environment (ASE) and national clouds may not be supported yet, and networking is simplified so that all containers share
- VNet Integration routing behavior
- With regional VNet Integration enabled, outbound routing is controlled by the
outboundVnetRoutingproperties:-
outboundVnetRouting.allTraffic=trueroutes all outbound traffic (application + configuration) through the integrated VNet. -
outboundVnetRouting.applicationTraffic=trueroutes only application traffic through the VNet; configuration traffic (image pulls, content share, backup, etc.) can be selectively routed using the individual configuration routing flags.
-
- The same routing applies to all containers in the App Service (main and sidecars), because they share the app’s network context.
- With regional VNet Integration enabled, outbound routing is controlled by the
- What this implies for sidecar egress to a peered VNet
- There is no separate or additional VNet Integration configuration for sidecars; they use the same VNet integration and routing as the main app container.
- If a VM in the same integration VNet can reach the private MySQL in a peered VNet, but the App Service containers time out, the issue is likely in one of these areas rather than a lack of sidecar support:
- Peering configuration (missing or asymmetric “Allow forwarded traffic” / “Allow traffic from remote VNet” settings).
- NSG or firewall rules on the integration subnet, peered VNet subnet, or MySQL instance that treat App Service delegated subnet traffic differently from the VM subnet.
- Route tables (UDRs) applied to the integration subnet or peered VNet subnet that affect App Service traffic differently.
- The platform doesn’t expose a separate control to enable egress only for sidecars; if the main container can reach the destination over VNet Integration, sidecars should be able to as well.
- Additional tooling
- For App Service, the Network troubleshooter under Diagnostic and solve problem can be used to validate VNet Integration and routing, but note that the “connection issues” scenario does not yet support Linux or container-based apps. Configuration checks (subnet validity, deletion issues) are still available and can help confirm that the integration subnet is correctly configured.
Summary:
- Sidecar egress over App Service VNet Integration is supported and uses the same routing as the main app container; there is no extra sidecar-specific configuration flag.
- Timeouts to a peered VNet when
outboundVnetRouting.allTraffic=trueis set usually indicate a peering, NSG, firewall, or route-table issue rather than a sidecar limitation.
References: