Share via

Azure Container Apps with internal load balancer - 403 error

KrystianKrasucki-6994 0 Reputation points
2023-08-25T16:43:11.3233333+00:00

Hi!

I've been trying to deploy Container App in a Virtual Network and then connect it to the Application Gateway so that only the latter is publicly accessible, but I encountered many issues along the road.

I followed the tutorial: https://learn.microsoft.com/en-us/azure/container-apps/waf-app-gateway?tabs=default-domain but without creating DNS Zone, I've used Static IP of the Container Apps Environment instead which should work similarly to my understanding.

Default health-check defined in Application Gateway is being returned 403 Forbidden error by Container Apps (it is running the default Microsoft provided image for now), the same happens when I try to curl IP address of the Container Apps Environment from VM inside the Virtual Network. I've checked using Connection troubleshoot that the network connection between both Application Gateway and Container App Static IP and also VM and Container App Static IP is fine (there is a failure shown with "NSG Outbound (from source)" but I didn't create any NSG and the tool doesn't list any). Also I've tried different settings like both HTTP and HTTPS traffic in the listener/backend settings. Could provide me some information on how should I troubleshoot this issue? Thanks for your help in advance!

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,519 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,083 questions
Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
448 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2023-08-28T04:43:55.7466667+00:00

    Hello @KrystianKrasucki-6994 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to setup a private Azure Container App behind an Application Gateway so that it is only accessible via the Application gateway and not accessible directly.

    I see you've mentioned that you followed the below tutorial but without creating DNS zone:

    https://learn.microsoft.com/en-us/azure/container-apps/waf-app-gateway?tabs=default-domain

    As per Networking requirement, when using an internal Container Apps environment, you must create a private DNS zone that resolves the Container Apps environment's default domain to the static IP address of the Container Apps environment, or you can use your own DNS server.

    Without a private DNS zone or your own DNS server, the application gateway will not be able to resolve the FQDN of the internal Container Apps configured in its backend to the static IP address. Without this DNS binding, the Container Apps will not be accessible.

    Refer: https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=azure-cli#dns

    So, to resolve this issue, you need to either create a private DNS zone or use your own DNS server.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.