Unable to access Container App that is inside a VNet integrated Container Environment

[kamalsivalingam]

Please provide us with the following information:

This issue is a: (mark with an x)

• [ ] bug report -> please search issues before submitting
• [ ] documentation issue or request
• [ ] regression (a behavior that used to work and stopped in a new release)

Issue description

Hi, I am unable to access using http a container that is inside a VNet integrated container environment. When i add vnet integration, looks like a load balancer is auto created and the envoy proxy is registering TCP ports 80 and 443. Does this mean all the requests go through envoy proxy? In that case what do i need to add to the URL to access one of the container apps inside the container environment using http?

Steps to reproduce

1. ..
2. ..

Expected behavior [What you expected to happen.]

Actual behavior [What actually happened.]

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

Ex. Did this issue occur in the CLI or the Portal?

[simonjj]

In your situation, when you enable VNet integration for Azure Container Apps, traffic flows through the Azure-managed Envoy proxy, which handles routing to your container apps. Here’s a detailed explanation of how ingress works with a VNet and what you need to consider:

1. Ingress Through Envoy Proxy:

When you enable ingress (whether internal or external), Azure Container Apps uses Envoy as a proxy to route the traffic:

• External Ingress: Your container is publicly exposed, and traffic flows through Envoy.

• Internal Ingress (VNet): The container is only accessible within your VNet.

  By default, Envoy is responsible for managing all incoming HTTP (80) and HTTPS (443) traffic. It terminates the HTTP request at the proxy level and routes it to the appropriate container app.

2. Accessing Your App via HTTP:

If you’ve enabled internal ingress (private endpoint within a VNet), the container app is only accessible from within your VNet. To access it:

• Ensure your DNS resolution inside the VNet can resolve the domain of your container app.
• The URL format should still be in the form of http://<app_name>.<environment_name>.azurecontainerapps.io, but this will only work from within the VNet.
• Ensure that the required network security rules are in place to allow traffic on ports 80 and 443 within the VNet.

3. Important Network Configurations:

• Private DNS: If the app is exposed internally, ensure that the VNet includes proper DNS resolution to resolve the container app’s internal hostname. You may need to configure a private DNS zone or use Azure DNS to resolve the internal URLs.
• Subnet Rules: The VNet must have adequate subnet rules allowing traffic from your internal resources to the container environment.
• Firewall and NSG: Make sure your Network Security Group (NSG) or firewall isn’t blocking the traffic to your container app.

4. Accessing Your App (Internal Ingress):

• If you are using internal ingress, you’ll need to ensure that the requests are sent from within the same VNet or a peered VNet.
• You would use the URL associated with your Container App’s environment. If DNS resolution is correctly set up, you could access the app using:
  • http://<container_app_name>.<environment_name>.azurecontainerapps.io (or custom domain if configured).

5. Debugging Access Issues:

• DNS Resolution: Ensure that the domain of your container app resolves correctly inside the VNet. You can use tools like nslookup or dig from within your VNet to check this.
• Network Security: Check the Network Security Groups (NSG) associated with the subnets in your VNet. Ensure rules are allowing the appropriate inbound and outbound traffic on ports 80 and 443.
• App Logs: Check the logs for your container apps and the Envoy proxy to ensure traffic is reaching the app.

Summary:

Yes, all your HTTP/HTTPS requests go through the Envoy proxy when using ingress in Azure Container Apps. If you are trying to access the app using a URL, you need to ensure that the DNS and network settings inside your VNet are properly configured to allow internal resolution. You'll use the same standard URL for your app (http://<app_name>.<environment_name>.azurecontainerapps.io), but it will only work from inside the VNet or a peered network.

If you want external access, you will need to enable external ingress and configure the necessary security settings for public exposure.