I am trying to make Azure Container Apps (ACA) internal and allow them to communicate with an Azure Function App that is using Gateway-based VNET Integration.
Approach I Used:
- Followed the Microsoft documentation:
  - Custom VNET for Container Apps
  - Private Endpoint for Container Apps
  - Configuring Azure Private DNS for App Gateway
- I was able to get this working when the Function App was NOT using Gateway-based VNET Integration.
- However, when I try the same setup with Gateway-based VNET Integration enabled, the communication does not work.
Questions:
- How can I configure Azure Container Apps to communicate with a Function App that has Gateway-based VNET Integration?
- Do I need additional networking settings (private endpoints, route tables, NAT gateway, etc.)?
- Is there a fundamental limitation with Gateway-based VNET Integration that prevents this from working?
- Could Azure Private DNS Zone configuration (as mentioned in the WAF/App Gateway guide) be relevant here?
- Are there any alternative solutions to achieve secure internal communication between Container Apps and the Function App?
Any guidance or insights would be greatly appreciated!
Asked Feb 2 at 18:10 by Hiten Samalia
- so your function app is behind app gateway? is it a private app gateway or does it have a public ip ? – Thomas Commented Feb 2 at 23:24
- Hey Thomas, our function app is inside VNET through Gateway based integration. It can access resources in VNET's subnet with their IP(s). – Hiten Samalia Commented Feb 3 at 0:15
- is the container app in the same vnet or in a peered vnet ? – Thomas Commented Feb 3 at 3:17
- Yes, the container app is in the same VNET. – Hiten Samalia Commented Feb 3 at 5:25
1 Answer
Azure Container Apps Internal communicates with Function App
Instead of communicating to the function app behind a gateway, this approach you mentioned is tricky as this works only when the Function App is not using Gateway-based VNET Integration.
As Thomas mentioned, there might be multiple reasons for the blocking, like an NSG preventing the connection between the subnets.
Instead of this NAT Gateway approach, since the communication is from the container app to the function app, you can try using a Private Endpoint for the Function App + Private DNS.
- Create both the Container Apps and the Function Apps within the same VNet but in different subnets.
- Enable a Private Endpoint for the Function App using a DNS zone, using the same VNet and in other subnets.
- Test and validate the communication from the Container App to the Function App.
Test HTTP Communication:
curl -v https://<your-function-app-name>.azurewebsites.net
Refer:
https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet
https://learn.microsoft.com/en-us/azure/container-apps/how-to-use-private-endpoint
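The validation step in the answer above can be made stricter by checking what the name resolves to before sending the request: with a Private Endpoint and a linked private DNS zone, the Function App hostname should resolve to an RFC 1918 address from inside the VNet, and a public answer means the request would leave over the public endpoint. This is an added example, not part of the original answer; the function names are hypothetical, the sample addresses are constructed, and it assumes `getent`, `awk` and `curl` are available in the container image.

```shell
#!/bin/sh
# Added example (not from the original answer): verify from inside the
# Container App that the Function App name resolves to a private address.

# Succeeds if $1 is in an RFC 1918 range. Assumes well-formed IPv4 input.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads one IPv4 address per line on stdin and prints a verdict:
# private | public | mixed | unresolved
classify_addresses() {
  n_priv=0; n_pub=0
  while read -r addr; do
    [ -n "$addr" ] || continue
    if is_private_ipv4 "$addr"; then n_priv=$((n_priv + 1))
    else n_pub=$((n_pub + 1)); fi
  done
  if [ "$n_priv" -eq 0 ] && [ "$n_pub" -eq 0 ]; then echo unresolved
  elif [ "$n_pub" -eq 0 ]; then echo private
  elif [ "$n_priv" -eq 0 ]; then echo public
  else echo mixed; fi
}

# Resolve the host, then send the HTTPS request only if every answer is private.
check_host() {
  verdict=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u | classify_addresses)
  echo "$1 resolves to: $verdict"
  [ "$verdict" = private ] || return 1
  curl -sS -o /dev/null -w 'HTTP %{http_code}\n' --max-time 10 "https://$1"
}

if [ -n "${1:-}" ]; then
  check_host "$1"          # e.g. <your-function-app-name>.azurewebsites.net
else
  # Constructed sample resolver answers, so the logic can be tried offline.
  printf '10.0.2.5\n' | classify_addresses
  printf '20.50.2.8\n' | classify_addresses
fi
```

A verdict of `public` or `mixed` from inside the VNet points at the private DNS zone (missing record or zone not linked to the VNet) rather than at NSGs or routing.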