I'm a little new to Azure networking, so this might be obvious, but I'm kind of stuck.

I've created an Azure VNET. Inside that I've set up a P2S gateway, which seems to work fine. I can connect to it, and once connected I can access a VM I created in my VNET, so far so good. I then set up a container app and a container app environment. The container app itself is just the Azure demo one. The container app environment is set to internal so as to not expose it to the internet. However, even when connected via the VPN to the P2S gateway I still can't resolve it. I understand there would be more setup to get DNS resolution working, however even trying to browse to the internal IP of the container app doesn't work, so I'm assuming there's something wrong. When the VPN is not connected the connection just times out, but when it is, it gives me a 403, so I assume it's got something to do with the container app environment load balancer not forwarding the requests to the container (which does have ingress enabled). I also get a 403 if I use curl to try and access the container app environment IP from inside a VM in the same VNET.

Any suggestions or clarity on what's required to be able to access an internal Azure container app via a P2S VPN connection would be great.

1 Answer

At a high level, an internal Container Apps environment uses an Azure Internal Load Balancer (ILB) with an IP taken from the related subnet and an Envoy ingress controller, as described here: https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#custom-vnet-configuration

Assuming your app is http (you said you were using 443), then the first step would be to try and access the default app from your VM, which I presume is in an adjacent subnet. I am assuming you don't have an NSG which would be blocking traffic. To do this you'll need to provide a local host record on the VM mapping the Az Container App ILB (internal IP) to the default host name that the container app is listening on; for more info on that see here: https://learn.microsoft.com/en-us/azure/container-apps/ingress-overview#domain-names

Once you can get access from the VM it should be straightforward to connect via the P2S connection. As per your question you can already reach your VM that way (presumably on the VM's internal interface), which proves the VPN is working. You will then also need a local host entry on your local VM matching the expected host for the container app.

In a production environment you would need to provide something more robust for DNS, either using a combination of Az public and private zones, or your own custom DNS servers, as per https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm#name-resolution

Last note: do create the container apps environment as the workload profile type, as it supports both types of container apps, whereas the original "consumption" is that type only. As per https://learn.microsoft.com/en-us/azure/container-apps/environment#types

Hope this helps.
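The check the answer describes (map the ILB IP to the app's default host name, then request the app from the VM) as an added POSIX shell example. This is not code from the question, the answer, or Azure; `ILB_IP`, the app FQDN and the port are placeholders you supply on the command line. It goes slightly beyond the answer in one respect: instead of editing /etc/hosts it uses `curl --resolve`, which pins the FQDN to the ILB IP for a single request so the request still carries the Host header the environment's ingress expects. The hosts line it prints is the one you would add on the VM, and later on the P2S client, if you want name resolution to persist.

```shell
#!/bin/sh
# Added example, not from the question or answer. Builds the hosts-file
# line the answer describes and probes the internal Container App via the
# ILB IP while presenting the app's default host name.
# Usage: sh probe.sh <ilb-ip> <app-fqdn> [port]   (all values are yours)

# Validate a dotted-quad IPv4 address (exactly four octets, each 0-255).
valid_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    rest=$1 n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$n" -eq 4 ]
}

# Print the /etc/hosts line mapping the ILB IP to the app's default FQDN.
# Without such a mapping the browser or curl sends the bare IP as the Host
# header, which is the situation the question describes (403 from the ILB).
hosts_entry() {
    ip=$1 fqdn=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    case "$fqdn" in
        *.*) ;;                                      # needs at least one dot
        *) echo "invalid host name: $fqdn" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$ip" "$fqdn"
}

# Probe the app without touching /etc/hosts: --resolve pins the FQDN to the
# ILB IP for this one request, so the Host header is the app's own name.
# Prints only the HTTP status code; port 80 is probed as http, others as https.
probe_app() {
    ip=$1 fqdn=$2 port=${3:-443}
    scheme=https
    [ "$port" = 80 ] && scheme=http
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --resolve "$fqdn:$port:$ip" "$scheme://$fqdn:$port/"
}

# Only run against the network when invoked with arguments.
if [ $# -ge 2 ]; then
    hosts_entry "$1" "$2" && probe_app "$1" "$2" "${3:-443}"
fi
```

Run it from the VM first, as the answer suggests, and only then from the P2S client; if the VM gets a 2xx but the VPN client does not, the VPN route or NSG is the remaining problem rather than the ingress. If curl reports a certificate error, that is a separate TLS issue from the routing question and should not be worked around by disabling verification.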
