Events
Mar 17, 11 PM - Mar 21, 11 PM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Azure Container Apps allows you to expose your container app to the public web, your virtual network (VNET), and other container apps within your environment by enabling ingress. Ingress settings are enforced through a set of rules that control the routing of external and internal traffic to your container app. When you enable ingress, you don't need to create an Azure Load Balancer, public IP address, or any other Azure resources to enable incoming HTTP requests or TCP traffic.
Ingress supports:
Example ingress configuration showing ingress split between two revisions:
For configuration details, see Configure ingress.
When you enable ingress, you can choose between two types of ingress:
Each container app within an environment can be configured with different ingress settings. For example, in a scenario with multiple microservice apps, to increase security you might have a single container app that receives public requests and passes the requests to a background service. In this scenario, you would configure the public-facing container app with external ingress and the internal-facing container app with internal ingress.
Container Apps supports two protocols for ingress: HTTP and TCP.
With HTTP ingress enabled, your container app has:
HTTP ingress adds headers to pass metadata about the client request to your container app. For example, the X-Forwarded-Proto
header is used to identify the protocol that the client used to connect with the Container Apps service. The following table lists the HTTP headers that are relevant to ingress in Container Apps:
Header | Description | Values |
---|---|---|
X-Forwarded-Proto |
Protocol used by the client to connect with the Container Apps service. | http or https |
X-Forwarded-For |
The IP address of the client that sent the request. | |
X-Forwarded-Host |
The host name the client used to connect with the Container Apps service. | |
X-Forwarded-Client-Cert |
The client certificate if clientCertificateMode is set. |
Semicolon separated list of Hash, Cert, and Chain. For example: Hash=....;Cert="...";Chain="..."; |
Container Apps supports TCP-based protocols other than HTTP or HTTPS. For example, you can use TCP ingress to expose a container app that uses the Redis protocol.
Note
External TCP ingress is only supported for Container Apps environments that use a custom VNET. TCP ingress is not supported for apps that accept inbound traffic through a private endpoint.
With TCP ingress enabled, your container app:
name
property in the Container Apps resource) and exposed port number.external
.In addition to the main HTTP/TCP port for your container apps, you might expose additional TCP ports to enable applications that accept TCP connections on multiple ports.
Note
To use this feature, you must have the container apps CLI extension. Run az extension add -n containerapp
in order to install the latest version of the container apps CLI extension.
The following apply to additional TCP ports:
Visit the how to article on ingress for more information on how to enable additional ports for your container apps.
You can access your app in the following ways:
To get the FQDN for your app, see Location.
Container Apps supports IP restrictions for ingress. You can create rules to either configure IP addresses that are allowed or denied access to your container app. For more information, see Configure IP restrictions.
Azure Container Apps provides built-in authentication and authorization features to secure your external ingress-enabled container app. For more information, see Authentication and authorization in Azure Container Apps.
You can configure your app to support client certificates (mTLS) for authentication and traffic encryption. For more information, see Configure client certificates.
For details on how to use peer-to-peer environment level network encryption, see the networking overview.
Containers Apps allows you to split incoming traffic between active revisions. When you define a splitting rule, you assign the percentage of inbound traffic to go to different revisions. For more information, see Traffic splitting.
Session affinity, also known as sticky sessions, is a feature that allows you to route all HTTP requests from a client to the same container app replica. This feature is useful for stateful applications that require a consistent connection to the same replica. For more information, see Session affinity.
By default, any requests made through the browser from a page to a domain that doesn't match the page's origin domain are blocked. To avoid this restriction for services deployed to Container Apps, you can enable cross-origin resource sharing (CORS).
For more information, see Configure CORS in Azure Container Apps.
Events
Mar 17, 11 PM - Mar 21, 11 PM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowTraining
Module
Scale and manage deployed container apps - Training
This module addresses the concept of revisions in Azure Container Apps and discusses options for application lifecycle management. It also covers scaling choices and ingress settings, including traffic splitting for Azure Container Apps.
Certification
Microsoft Certified: Azure Network Engineer Associate - Certifications
Demonstrate the design, implementation, and maintenance of Azure networking infrastructure, load balancing traffic, network routing, and more.
Documentation
Configure Ingress for your app in Azure Container Apps
How to configure ingress for your container app
Networking in Azure Container Apps environment
Learn how to configure virtual networks in Azure Container Apps.
Set up IP ingress restrictions in Azure Container Apps
Enable IP restrictions to limit access to your app with Azure Container Apps.