Access your application in a private network


Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

This article applies to: ✔️ Basic/Standard tier ✔️ Enterprise tier

This article explains how to access an endpoint for your application in a private network.

When Assign Endpoint on applications in an Azure Spring Apps service instance is deployed in your virtual network, the endpoint is a private fully qualified domain name (FQDN). The domain is only accessible in the private network. Apps and services use the application endpoint. They include the Test Endpoint described in View apps and deployments. Log streaming, described in Stream Azure Spring Apps app logs in real-time, also works only within the private network.

Find the IP for your application

  1. Select the virtual network resource you created as explained in Deploy Azure Spring Apps in your Azure virtual network (VNet injection).

  2. In the Connected devices search box, enter kubernetes-internal.

  3. In the filtered result, find the Device connected to the service runtime Subnet of the service instance, and copy its IP Address. In this sample, the IP Address is

    Create DNS record

Add a DNS for the IP

If you have your own DNS solution for your virtual network, like Active Directory Domain Controller, Infoblox, or another, you need to point the domain * to the IP address. Otherwise, you can follow the following instructions to create an Azure Private DNS Zone in your subscription to translate/resolve the private fully qualified domain name (FQDN) to its IP address.


If you are using Azure China, please replace with in this article. Learn more about Check Endpoints in Azure.

Create a private DNS zone

The following procedure creates a private DNS zone for an application in the private network.

  1. Open the Azure portal. From the top search box, search for Private DNS zones, and select Private DNS zones from the results.

  2. On the Private DNS zones page, select Add.

  3. Fill out the form on the Create Private DNS zone page. Enter as the Name of the zone.

  4. Select Review + Create.

  5. Select Create.

It may take a few minutes to create the zone.

To link the private DNS zone to the virtual network, you need to create a virtual network link.

  1. Select the private DNS zone resource created above:

  2. On the left pane, select Virtual network links, then select Add.

  3. Enter azure-spring-apps-dns-link for the Link name.

  4. For Virtual network, select the virtual network you created as explained in Deploy Azure Spring Apps in your Azure virtual network (VNet injection).

    Add virtual network link

  5. Select OK.

Create DNS record

To use the private DNS zone to translate/resolve DNS, you must create an "A" type record in the zone.

  1. Select the private DNS zone resource created above:

  2. Select Record set.

  3. In Add record set, enter or select this information:

    Setting Value
    Name Enter *
    Type Select A
    TTL Enter 1
    TTL unit Select Hours
    IP address Enter the IP address copied in step 3. In the sample, the IP is
  4. Select OK.

    Add private DNS zone record

Assign private FQDN for your application

After following the procedure in Deploy Azure Spring Apps in a virtual network, you can assign a private FQDN for your application.

  1. Select the Azure Spring Apps service instance deployed in your virtual network, and open the Apps tab in the menu on the left.

  2. Select the application to show the Overview page.

  3. Select Assign Endpoint to assign a private FQDN to your application. Assigning an FQDN can take a few minutes.

    Assign private endpoint

  4. The assigned private FQDN (labeled URL) is now available. It can only be accessed within the private network, but not on the Internet.

Access application private FQDN

After the assignment, you can access the application's private FQDN in the private network. For example, you can create a jumpbox machine in the same virtual network, or a peered virtual network. Then, on that jumpbox or virtual machine, the private FQDN is accessible.

Access private endpoint in vnet

Clean up resources

If you plan to continue working with subsequent articles, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following command:

az group delete --name $RESOURCE_GROUP

Next steps