Networking architecture in Azure Container Apps
Azure Container Apps run in the context of an environment, which is supported by a virtual network (VNET). When you create an environment, you can provide a custom VNET; otherwise, a VNET is automatically generated for you. Generated VNETs are inaccessible to you because they're created in Microsoft's tenant. To take full control over your VNET, provide an existing VNET to Container Apps as you create your environment.

The following articles feature step-by-step instructions for creating Container Apps environments with different accessibility levels.

Custom VNET configuration

As you create a custom VNET, keep in mind the following situations:
As you begin to design the network around your container app, refer to Plan virtual networks for important concerns surrounding running virtual networks on Azure.
Note: Moving VNETs among different resource groups or subscriptions is not supported if the VNET is in use by a Container Apps environment.

HTTP edge proxy behavior

Azure Container Apps uses Envoy proxy as an edge HTTP proxy. TLS is terminated on the edge, and requests are routed to the correct application based on their traffic split rules. HTTP applications scale based on the number of HTTP requests and connections. Envoy routes internal traffic inside clusters. Downstream connections support HTTP1.1 and HTTP2, and Envoy automatically detects and upgrades the connection should the client connection be upgraded. Upstream connection is defined by setting the

Ingress configuration

Under the ingress section, you can configure the following settings:
Scenarios

The following scenarios describe configuration settings for common use cases.

Rapid iteration

In situations where you're frequently iterating development of your container app, you can set traffic rules to always shift all traffic to the latest deployed revision. The following example routes all traffic to the latest deployed revision:
Once you're satisfied with the latest revision, you can lock traffic to that revision by updating the
Update existing revision

Consider a situation where you have a known good revision that's serving 100% of your traffic, but you want to issue an update to your app. You can deploy and test new revisions using their direct endpoints without affecting the main revision serving the app. Once you're satisfied with the updated revision, you can shift a portion of traffic to the new revision for testing and verification. The following configuration demonstrates how to move 20% of traffic over to the updated revision:
Staging microservices

When building microservices, you may want to maintain production and staging endpoints for the same app. Use labels to ensure that traffic doesn't switch between different revisions. The following example demonstrates how to apply labels to different revisions.
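The three scenarios above (all traffic to the latest revision, an 80/20 split, and labeled production/staging revisions) can be linted before deployment. The following is an added example, not code from the original article: the field names `revisionName`, `latestRevision`, `weight` and `label` are taken from the Container Apps ingress traffic schema, the revision names are constructed, and the rules the function enforces are this example's assumptions.

```python
def validate_traffic(rules):
    """Return a list of problems found in an ingress traffic list (list of dicts)."""
    problems = []
    labels = set()
    total = 0
    for i, rule in enumerate(rules):
        # Assumed lint rule: each entry targets one named revision OR the latest one.
        named = bool(rule.get("revisionName"))
        latest = bool(rule.get("latestRevision", False))
        if named == latest:
            problems.append(f"rule {i}: set exactly one of revisionName or latestRevision")
        weight = rule.get("weight", 0)
        if isinstance(weight, bool) or not isinstance(weight, int) or not 0 <= weight <= 100:
            problems.append(f"rule {i}: weight must be an integer from 0 to 100")
        else:
            total += weight
        label = rule.get("label")
        if label is not None:
            # A label pins an endpoint to one revision, so it must not repeat.
            if label in labels:
                problems.append(f"rule {i}: duplicate label {label!r}")
            labels.add(label)
    if total != 100:
        problems.append(f"weights sum to {total}, expected 100")
    return problems


# Constructed sample configurations, one per scenario in the text.
RAPID_ITERATION = [{"latestRevision": True, "weight": 100}]
SPLIT_80_20 = [
    {"revisionName": "myapp--known-good", "weight": 80},
    {"revisionName": "myapp--updated", "weight": 20},
]
STAGING_LABELS = [
    {"revisionName": "myapp--prod-rev", "weight": 100, "label": "production"},
    {"revisionName": "myapp--staging-rev", "weight": 0, "label": "staging"},
]

if __name__ == "__main__":
    for name, rules in [("rapid", RAPID_ITERATION), ("split", SPLIT_80_20),
                        ("labels", STAGING_LABELS)]:
        print(name, validate_traffic(rules) or "ok")
```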
Portal dependencies

For every app in Azure Container Apps, there are two URLs. The first URL is generated by Container Apps and is used to access your app. See the Application Url in the Overview window of your container app in the Azure portal for the fully qualified domain name (FQDN) of your container app. The second URL grants access to the log streaming service and the console. If necessary, you may need to add

Ports and IP addresses

Note: The subnet associated with a Container App Environment requires a CIDR prefix of /23 or larger (/23, /22 etc.).

The following ports are exposed for inbound connections.
Container Apps reserves 60 IPs in your VNET, and the amount may grow as your container environment scales. IP addresses are broken down into the following types:
Restrictions

Subnet address ranges can't overlap with the following reserved ranges:
Subnet

As a Container Apps environment is created, you provide resource IDs for a single subnet. If you're using the CLI, the parameter to define the subnet resource ID is

If you're using the Azure CLI and the platformReservedCidr range is defined, both subnets must not overlap with the IP range defined in

Routes

There's no forced tunneling in Container Apps routes.
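The subnet rules stated above (a prefix of /23 or larger, 60 addresses reserved by Container Apps, and no overlap with platformReservedCidr or other reserved ranges) can be checked before the environment is created. This is an added example, not code from the original article: the function names are hypothetical, all address ranges are constructed, and the reserved ranges must be supplied by the caller because this page does not list them.

```python
import ipaddress

MIN_PREFIX = 23      # from the text: subnet needs a CIDR prefix of /23 or larger
RESERVED_IPS = 60    # from the text: Container Apps reserves 60 IPs (may grow)


def check_subnet(subnet_cidr, vnet_cidr, platform_reserved_cidr=None, blocked_ranges=()):
    """Return a list of problems with a planned environment subnet (empty = ok)."""
    problems = []
    # strict=True rejects CIDRs with host bits set, e.g. 10.0.1.0/23
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)

    # A numerically larger prefix length means a smaller subnet.
    if subnet.prefixlen > MIN_PREFIX:
        problems.append(f"{subnet} is smaller than /{MIN_PREFIX}")
    if not subnet.subnet_of(vnet):
        problems.append(f"{subnet} is not inside VNET {vnet}")

    # platformReservedCidr and any caller-supplied reserved ranges must not overlap.
    no_overlap = list(blocked_ranges)
    if platform_reserved_cidr:
        no_overlap.append(platform_reserved_cidr)
    for cidr in no_overlap:
        if subnet.overlaps(ipaddress.ip_network(cidr, strict=True)):
            problems.append(f"{subnet} overlaps reserved range {cidr}")
    return problems


def addresses_left(subnet_cidr):
    """Addresses remaining after the 60 that Container Apps reserves."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_IPS


if __name__ == "__main__":
    # Constructed inputs: a /23 inside a /16 VNET, with a separate platform range.
    print(check_subnet("10.0.0.0/23", "10.0.0.0/16", "10.1.0.0/16") or "ok")
    print(check_subnet("10.0.0.0/24", "10.0.0.0/16"))
    print(addresses_left("10.0.0.0/23"))
```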
Managed resources

When you deploy an internal or an external environment into your own network, a new resource group prefixed with