1# Container Apps Networking
2 
3VNet integration, ingress configuration, custom domains, and TLS for Container Apps.
4 
5## Ingress Modes
6 
7| Mode | Visibility | Use Case |
8|------|-----------|----------|
9| External | Internet-accessible | Public APIs, web apps |
10| Internal | Not internet-accessible; reachable within the environment and VNet (if VNet-injected) | Microservices, back-end APIs |
11| Disabled | No HTTP ingress | Background workers, queue processors |
12 
13### Bicep — External Ingress
14 
15```bicep
16configuration: {
17  ingress: {
18    external: true
19    targetPort: 8080
20    transport: 'auto'
21    allowInsecure: false
22  }
23}
24```
25 
26### Bicep — Internal Ingress
27 
28```bicep
29configuration: {
30  ingress: {
31    external: false
32    targetPort: 8080
33  }
34}
35```
36 
37> 💡 **Tip:** Internal apps get a `*.internal.<env-default-domain>` FQDN. This is accessible from within the Container Apps environment and, when the environment is VNet-injected, also from the VNet.
38 
39## VNet Integration
40 
41Container Apps run inside an environment that can be injected into a VNet subnet.
42 
43### Subnet Requirements
44 
45| Requirement | Workload Profiles (default) | Consumption-only (legacy) |
46|------------|---------------------------|--------------------------|
47| Minimum subnet size | `/27` (32 addresses) | `/23` (512 addresses) |
48| Delegation | `Microsoft.App/environments` | `Microsoft.App/environments` |
49| Dedicated | Subnet must be exclusive to the Container Apps environment | Same |
50 
51### Bicep — VNet-Integrated Environment
52 
53```bicep
54resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' = {
55  parent: vnet
56  name: 'container-apps-subnet'
57  properties: {
58    addressPrefix: '10.0.16.0/27'
59    delegations: [
60      {
61        name: 'Microsoft.App.environments'
62        properties: { serviceName: 'Microsoft.App/environments' }
63      }
64    ]
65  }
66}
67 
68resource env 'Microsoft.App/managedEnvironments@2024-03-01' = {
69  name: envName
70  location: location
71  properties: {
72    vnetConfiguration: {
73      infrastructureSubnetId: subnet.id
74      internal: false // true for internal-only environment
75    }
76  }
77}
78```
79 
80> ⚠️ **Warning:** VNet configuration is set at environment creation and cannot be changed afterward. Plan your network topology before creating the environment.
81 
82## Custom Domains
83 
84### Steps
85 
861. Add a CNAME or A record pointing to the Container App's FQDN or static IP
872. Bind the custom domain to the Container App
883. Configure a managed or custom TLS certificate
89 
90```bash
91# Register custom domain (hostname only — no cert provisioned yet)
92az containerapp hostname add -n $APP -g $RG --hostname app.contoso.com
93 
94# Bind managed certificate (provisions and attaches TLS cert)
95az containerapp hostname bind -n $APP -g $RG \
96  --hostname app.contoso.com \
97  --environment $ENV_NAME \
98  --validation-method CNAME
99```
100 
101### DNS Configuration
102 
103| Record Type | Name | Value |
104|------------|------|-------|
105| CNAME | `app.contoso.com` | `<app-name>.<region>.azurecontainerapps.io` |
106| TXT (verification) | `asuid.app.contoso.com` | `<verification-id>` |
107| A (apex domain) | `contoso.com` | Environment static IP |
108 
109> 💡 **Tip:** Use `az containerapp show -n $APP -g $RG --query properties.configuration.ingress.fqdn` to get the target FQDN for DNS records.
110 
111## TLS Configuration
112 
113### Managed Certificates
114 
115Azure automatically provisions and renews TLS certificates for custom domains — no manual cert management required.
116 
117> ⚠️ **Prerequisites:** Managed certificates require the app to be externally reachable with valid **public** DNS (CNAME or HTTP validation). They do **not** work for internal environments or apps behind private DNS. For private/internal scenarios, bring your own certificate via `az containerapp ssl upload`.
118 
119## IP Restrictions
120 
121> ⚠️ **Warning:** IP restriction rules are evaluated in **array order** (first match wins). The `priority` field does not exist in the Container Apps API — order your rules carefully in the array.
122 
123Allow-only rules implicitly deny all traffic not matching any rule. Deny-only rules implicitly allow all other traffic.
124 
125```bicep
126configuration: {
127  ingress: {
128    external: true
129    targetPort: 8080
130    ipSecurityRestrictions: [
131      {
132        name: 'allow-office'
133        action: 'Allow'
134        ipAddressRange: '203.0.113.0/24'
135        description: 'Office network'
136      }
137      {
138        name: 'allow-vpn'
139        action: 'Allow'
140        ipAddressRange: '198.51.100.0/24'
141        description: 'VPN gateway'
142      }
143    ]
144  }
145}
146```
147 
148## Network Topology Summary
149 
150| Topology | Environment `internal` | Ingress `external` | Access |
151|----------|----------------------|-------------------|--------|
152| Public app | `false` | `true` | Internet + VNet |
153| Internal microservice | `false` | `false` | Same environment; VNet if environment is VNet-injected |
154| Fully private (VNet-wide) | `true` | `true` | VNet only (no public IP); accessible from anywhere in the VNet |
155| Fully private (env-only) | `true` | `false` | VNet only (no public IP); accessible only within the Container Apps environment |
156 
157> ⚠️ **Warning:** An internal environment has no public IP. You need VPN, ExpressRoute, or a jump box to reach apps in an internal environment.
158