Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure private endpoint enables clients located in your private network to securely connect to your Azure Container Apps environment through Azure Private Link. A private link connection eliminates exposure to the public internet. Private endpoints use a private IP address in your Azure virtual network address space and is typically configured with a private DNS zone.
Private endpoints are supported for both Consumption and Dedicated plans in workload profile environments.
Tutorials
- To learn more about how to configure private endpoints in Azure Container Apps, see the Use a private endpoint with an Azure Container Apps environment tutorial.
- Private link connectivity with Azure Front Door is supported for Azure Container Apps. Refer to create a private link with Azure Front Door for more information.
Considerations
- To use a private endpoint, you must disable public network access. By default, public network access is enabled, which means private endpoints are disabled.
- To use a private endpoint with a custom ___domain and an Apex ___domain as the Hostname record type, you must configure a private DNS zone with the same name as your public DNS. In the record set, configure your private endpoint's private IP address instead of the container app environment's IP address. When you configure your custom ___domain with CNAME, the setup is unchanged. For more information, see Set up custom ___domain with existing certificate.
- Your private endpoint's VNet can be separate from the VNet integrated with your container app.
- You can add a private endpoint to both new and existing workload profile environments.
In order to connect to your container apps through a private endpoint, you must configure a private DNS zone.
| Service | subresource | Private DNS zone name |
|---|---|---|
| Azure Container Apps (Microsoft.App/ManagedEnvironments) | managedEnvironment | privatelink.{regionName}.azurecontainerapps.io |
You can also use private endpoints with a private connection to Azure Front Door in place of Application Gateway.
DNS
Configuring DNS in your Azure Container Apps environment's virtual network is important for the following reasons:
DNS lets your container apps resolve ___domain names to IP addresses. This allows them to discover and communicate with services within and outside the virtual network. This includes services like Azure Application Gateway, Network Security Groups, and private endpoints.
Custom DNS settings enhance security by letting you control and monitor the DNS queries made by your container apps. This helps to identify and mitigate potential security threats, by ensuring your container apps only communicate with trusted domains.
Custom DNS
If your VNet uses a custom DNS server instead of the default Azure-provided DNS server, configure your DNS server to forward unresolved DNS queries to 168.63.129.16. Azure recursive resolvers uses this IP address to resolve requests. When configuring your network security group (NSG) or firewall, don't block the 168.63.129.16 address, otherwise, your Container Apps environment won't function correctly.
VNet-scope ingress
If you plan to use VNet-scope ingress in an internal environment, configure your domains in one of the following ways:
Non-custom domains: If you don't plan to use a custom ___domain, create a private DNS zone that resolves the Container Apps environment's default ___domain to the static IP address of the Container Apps environment. You can use Azure Private DNS or your own DNS server. If you use Azure Private DNS, create a private DNS Zone named as the Container App environment’s default ___domain (
<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io), with anArecord. TheArecord contains the name*<DNS Suffix>and the static IP address of the Container Apps environment. For more information see Create and configure an Azure Private DNS zone.Custom domains: If you plan to use custom domains and are using an external Container Apps environment, use a publicly resolvable ___domain to add a custom ___domain and certificate to the container app. If you are using an internal Container Apps environment, there is no validation for the DNS binding, as the cluster is only available from within the virtual network. Additionally, create a private DNS zone that resolves the apex ___domain to the static IP address of the Container Apps environment. You can use Azure Private DNS or your own DNS server. If you use Azure Private DNS, create a Private DNS Zone named as the apex ___domain, with an
Arecord that points to the static IP address of the Container Apps environment.
The static IP address of the Container Apps environment is available in the Azure portal in Custom DNS suffix of the container app page or using the Azure CLI az containerapp env list command.