Score:0

Connecting Private Container Apps Environment with Application Gateway


I'm in a bit of a pickle right now. I'm in the process of setting up a microservice-heavy application in Azure Container Apps.

The Container Apps Environment is located in its own subnet, and the apps running inside this environment need to communicate with each other, but not all of them should be reachable from the Internet. So I set the environment up like this:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "managedEnvironments_sample_test_containerapps_environment_name": {
            "defaultValue": "sample-test-containerapps-environment",
            "type": "String"
        },
        "virtualNetworks_container_apps_environment_test_externalid": {
            "defaultValue": "/subscriptions/subscriptionid/resourceGroups/sample-test/providers/Microsoft.Network/virtualNetworks/container-apps-environment-test",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.App/managedEnvironments",
            "apiVersion": "2022-06-01-preview",
            "name": "[parameters('managedEnvironments_sample_test_containerapps_environment_name')]",
            "location": "westeurope",
            "sku": {
                "name": "Consumption"
            },
            "properties": {
                "vnetConfiguration": {
                    "internal": true,
                    "infrastructureSubnetId": "[concat(parameters('virtualNetworks_container_apps_environment_test_externalid'), '/subnets/container-apps-environmen-infrastructure-subnet-test')]",
                    "dockerBridgeCidr": "10.2.0.1/16",
                    "platformReservedCidr": "10.1.0.0/16",
                    "platformReservedDnsIP": "10.1.0.2",
                    "outboundSettings": {
                        "outBoundType": "LoadBalancer"
                    }
                },
                "appLogsConfiguration": {
                    "destination": "log-analytics",
                    "logAnalyticsConfiguration": {
                        "customerId": ""
                    }
                },
                "zoneRedundant": false,
                "customDomainConfiguration": {}
            }
        }
    ]
}

Apps inside the environment are allowed to communicate with each other.

A sample template for an app running inside this environment:

{
    "id": "/subscriptions/subscriptionid/resourceGroups/sample-test/providers/Microsoft.App/containerapps/sample-container",
    "name": "sample-container",
    "type": "Microsoft.App/containerApps",
    "location": "West Europe",
    "systemData": {
        "createdBy": "[email protected]",
        "createdByType": "User",
        "createdAt": "2023-01-11T12:04:36.6607229",
        "lastModifiedBy": "[email protected]",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2023-01-24T16:06:00.7274607"
    },
    "properties": {
        "provisioningState": "Succeeded",
        "managedEnvironmentId": "/subscriptions/subscriptionid/resourceGroups/sample-test/providers/Microsoft.App/managedEnvironments/sample-test-containerapps-environment",
        "environmentId": "/subscriptions/subscriptionid/resourceGroups/sample-test/providers/Microsoft.App/managedEnvironments/sample-test-containerapps-environment",
        "workloadProfileType": null,
        "outboundIpAddresses": [
            "8.9.10.11"
        ],
        "latestRevisionName": "sample-container--lll1z5g",
        "latestRevisionFqdn": "sample-container--lll1z5g.yellowtree-00000000.westeurope.azurecontainerapps.io",
        "customDomainVerificationId": "",
        "configuration": {
            "secrets": [
                {
                    "name": "reg-pswd-57e46ccb-a998"
                }
            ],
            "activeRevisionsMode": "Multiple",
            "ingress": {
                "fqdn": "sample-container.yellowtree-00000000.westeurope.azurecontainerapps.io",
                "external": true,
                "targetPort": 80,
                "exposedPort": 0,
                "transport": "Auto",
                "traffic": [
                    {
                        "revisionName": "sample-container--lll1z5g",
                        "weight": 100
                    }
                ],
                "customDomains": null,
                "allowInsecure": true,
                "ipSecurityRestrictions": null
            },
            "registries": [
            ],
            "dapr": null,
            "maxInactiveRevisions": null
        },
        "template": {
            "revisionSuffix": "",
            "containers": [
                {
                    "image": "registry/integration/sample-container:9230",
                    "name": "sample-container",
                    "env": [
                    ],
                    "resources": {
                        "cpu": 0.25,
                        "memory": "0.5Gi",
                        "ephemeralStorage": "1Gi"
                    }
                }
            ],
            "initContainers": null,
            "scale": {
                "minReplicas": 1,
                "maxReplicas": 10,
                "rules": null
            },
            "volumes": null
        },
    }
}

For those apps which need to be accessed over the Internet I added an Application Gateway, located in the same VNet but in a different subnet, and now run into multiple problems, which are all related if I see this right.

The Application Gateway is unable to resolve the DNS names of the apps for backend health checks and forwarding. Since the DNS resolution did not work, I tried to use the IP address which nslookup returned from inside the Container Apps environment; this health check also fails.

Routing itself seems to work, because when I use the container's IP address the health check succeeds, but this is not a solution because we need to scale on demand and the containers will change their IP addresses.

Does someone have an idea how I could get this setup to work?

Score:0

You need to create a Private DNS Zone and create an A record for the container app that points to the ACA Environment static IP. You also need to specify "Pick host name from backend target" in your Backend settings.

Eric Grover: Also, create a custom health check.

Isparia: Thanks for the quick response, you were right, it works with the private DNS, but I had to specify the Container App generated domain in the Backend Setting instead of "Pick host name from backend target".
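The procedure from the answer and the follow-up comments, written out as an Azure CLI script. This is an added example and not code from the original thread. The resource group, environment, VNet and app names default to the ones the question shows; the Application Gateway name (`appgw-sample`) and listener name (`http-listener`) are assumptions, as is an already deployed gateway with that listener and an installed `containerapp` CLI extension. The script only talks to Azure when invoked with `deploy`, so it can also be sourced for its helper functions.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): publish an app running in an
# *internal* Container Apps environment through an Application Gateway that
# sits in another subnet of the same VNet.
#
# Assumptions (placeholders, replace for your subscription):
#   - the environment, VNet and Application Gateway already exist
#   - the gateway already has a listener named $LISTENER
#   - `az extension add --name containerapp` has been run
set -eu

RG=${RG:-sample-test}
ENV_NAME=${ENV_NAME:-sample-test-containerapps-environment}
VNET=${VNET:-container-apps-environment-test}
APP=${APP:-sample-container}
AGW=${AGW:-appgw-sample}            # assumed gateway name
LISTENER=${LISTENER:-http-listener} # assumed existing listener name

# The private DNS zone has to be named after the environment's *default domain*,
# which is the app FQDN with its first label removed:
#   sample-container.yellowtree-00000000.westeurope.azurecontainerapps.io
#   -> yellowtree-00000000.westeurope.azurecontainerapps.io
zone_from_fqdn() { printf '%s\n' "${1#*.}"; }

# Guard: an app FQDN must lie inside the zone or the wildcard record cannot match it.
fqdn_in_zone() { case "$1" in *."$2") return 0 ;; *) return 1 ;; esac; }

deploy() {
  local static_ip app_fqdn zone vnet_id

  # Every app FQDN must resolve to the environment's static IP; this is the
  # address nslookup returns from inside the environment for any app.
  static_ip=$(az containerapp env show -g "$RG" -n "$ENV_NAME" \
              --query properties.staticIp -o tsv)
  app_fqdn=$(az containerapp show -g "$RG" -n "$APP" \
              --query properties.configuration.ingress.fqdn -o tsv)
  zone=$(zone_from_fqdn "$app_fqdn")
  fqdn_in_zone "$app_fqdn" "$zone" || { echo "unexpected FQDN: $app_fqdn" >&2; return 1; }
  vnet_id=$(az network vnet show -g "$RG" -n "$VNET" --query id -o tsv)

  # 1. Private DNS zone named like the default domain, linked to the VNet that
  #    also hosts the Application Gateway (no auto-registration needed).
  az network private-dns zone create -g "$RG" -n "$zone" -o none
  az network private-dns link vnet create -g "$RG" -z "$zone" -n aca-link \
      -v "$vnet_id" -e false -o none

  # 2. Wildcard and apex A records -> static IP, so every app FQDN (and every
  #    revision FQDN) resolves without one record per app.
  for rs in '*' '@'; do
    az network private-dns record-set a add-record -g "$RG" -z "$zone" \
        -n "$rs" -a "$static_ip" --ttl 300 -o none
  done

  # 3. Backend pool by FQDN (resolved through the zone above), a probe that
  #    sends the app's host name, and backend settings that override the Host
  #    header with the generated domain. The environment ingress routes on the
  #    Host header, which is why a probe against the bare static IP fails.
  az network application-gateway address-pool create -g "$RG" --gateway-name "$AGW" \
      -n "${APP}-pool" --servers "$app_fqdn" -o none
  az network application-gateway probe create -g "$RG" --gateway-name "$AGW" \
      -n "${APP}-probe" --protocol Http --host "$app_fqdn" --path / \
      --interval 30 --timeout 30 --threshold 3 --match-status-codes 200-399 -o none
  az network application-gateway http-settings create -g "$RG" --gateway-name "$AGW" \
      -n "${APP}-settings" --port 80 --protocol Http \
      --host-name "$app_fqdn" --probe "${APP}-probe" -o none
  az network application-gateway rule create -g "$RG" --gateway-name "$AGW" \
      -n "${APP}-rule" --priority 100 --http-listener "$LISTENER" \
      --address-pool "${APP}-pool" --http-settings "${APP}-settings" -o none
}

# Only touch Azure when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run it as `RG=sample-test ENV_NAME=sample-test-containerapps-environment ./aca-appgw.sh deploy`. Port 80 over plain HTTP matches the `allowInsecure: true` ingress in the question; once that is turned off, switch the probe and backend settings to `--protocol Https` on port 443. The host-name override is then doubly important, because the environment's certificate is issued for `*.<default domain>` and the gateway validates the backend certificate against the host name it sends.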