Network proxying in Azure Container Apps
Azure Container Apps uses Envoy as a network proxy. Network requests are proxied in Azure Container Apps to achieve the following capabilities:
- Allow apps to scale to zero: Running instances are required for direct calls to an application. If an app scales to zero, then a direct request would fail. With proxying, Azure Container Apps ensures calls to an app have running instances to resolve the request.
- Achieve load balancing: As requests come in, Azure Container Apps applies load balancing rules to spread requests across container replicas.
Ports and routing
In Container Apps, Envoy listens on the following ports to decide which container app to route traffic to.
Type | Request | IP type | Port number | Internal port number |
---|---|---|---|---|
Public | Endpoint | Public | 80 | 8080 |
Public | VNET | Public | 443 | 4430 |
Internal | Endpoint | Cluster | 80 | 8081 |
Internal | VNET | Cluster | 443 | 8443 |
Requests that come in to ports 80 and 443 are internally routed to the appropriate internal port depending on the request type.
Security
- HTTP requests are automatically redirected to HTTPS
  - You can disable this by setting allowInsecure to true in the ingress configuration
- TLS terminates at the ingress
- You can enable environment level network encryption for full end-to-end encryption for requests between the ingress and an app and between different apps.
HTTPS, gRPC, and HTTP/2 all follow the same architectural model.
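One way to check for the allowInsecure setting described above, as an added example that is not part of the original page or Microsoft's own tooling: it audits exported container app definitions and reports every app whose ingress accepts plain HTTP. The input shape (properties.configuration.ingress, assumed to match the JSON from `az containerapp list -o json`), the app names, and the severity labels are assumptions of this example.

```python
import json

# Constructed sample in the shape of Microsoft.App/containerApps resources
# (assumed to match `az containerapp list -o json`); app names are made up.
SAMPLE = json.loads("""
[
  {"name": "web-front", "properties": {"configuration": {"ingress":
      {"external": true, "targetPort": 8080, "allowInsecure": true}}}},
  {"name": "orders-api", "properties": {"configuration": {"ingress":
      {"external": false, "targetPort": 3000, "allowInsecure": true}}}},
  {"name": "billing", "properties": {"configuration": {"ingress":
      {"external": true, "targetPort": 443, "allowInsecure": false}}}},
  {"name": "queue-worker", "properties": {"configuration": {"ingress": null}}},
  {"name": "legacy", "properties": {"configuration": {"ingress":
      {"external": true, "targetPort": 80}}}}
]
""")


def audit_ingress(apps):
    """Return one finding per app whose ingress accepts plain HTTP."""
    findings = []
    for app in apps:
        config = (app.get("properties") or {}).get("configuration") or {}
        ingress = config.get("ingress")
        if not ingress:
            continue  # no ingress configured: nothing is routed to this app
        # Assumption: a missing allowInsecure means the HTTPS redirect is on.
        if ingress.get("allowInsecure") is True:
            exposure = "external" if ingress.get("external") else "internal"
            findings.append({
                "app": app.get("name", "<unnamed>"),
                "exposure": exposure,
                # Severity is this example's own rating, not an Azure field.
                "severity": "high" if exposure == "external" else "medium",
            })
    # External findings first, then by app name, for a stable report.
    return sorted(findings, key=lambda f: (f["exposure"] != "external", f["app"]))


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE):
        print(f"{f['severity']:6} {f['exposure']:8} {f['app']}: "
              "allowInsecure=true, HTTP is not redirected to HTTPS")
```

Internal apps are reported as well because, with TLS terminating at the ingress, an internal app that allows insecure requests can receive unencrypted traffic from other apps in the environment.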
Timeouts
Network requests time out after four minutes.