Problems with wetworking in Azure Container Apps environment workload profile
I'm having trouble migrating an Azure Container App environment from "consumption only" to "workload profile".
My setup is a Hub-Spoke scenario where the spoke contains the container app environment which is connected to a VNET/Subnet in the 10.70.10.0/23 range. All containers in the "consumption only" scenario also got an IP in this range. There is a route table connected to the subnet which routes all traffic to the firewall in the peered hub VNET. This all worked fine. See image below.
After migrating to the "workload profile" all containers get an 100.100.x.x IP. There seems to be no traffic routed to though the route table anymore. I cannot reach any of the on prem services anymore an there seems to traffic coming in on the firewall as well.
This was a good troubleshooting you did , I am converting our conversation as answer for someone having similar issue in SO. Please feel free to add your points.
The root cause is that custom traffic selectors in the VPN connections weren’t forwarding the new 100.100.0.0/16 range for the container apps.
To resolve this
# Create VNet Hub
az network vnet create \
--name VNetHub \
--resource-group arkorg \
--address-prefixes 10.70.0.0/23 \
--subnet-name GatewaySubnet \
--subnet-prefixes 10.70.0.0/24
# Create VNet Spoke
az network vnet create \
--name VNetSpoke \
--resource-group arkorg \
--address-prefixes 10.70.10.0/23 \
--subnet-name SpokeSubnet \
--subnet-prefixes 10.70.10.0/24
# Create Static Public IP for the VPN Gateway
az network public-ip create \
--resource-group arkorg \
--name myVpnGatewayIP \
--allocation-method Static \
--sku Standard
# Create the VPN Gateway
az network vnet-gateway create \
--resource-group arkorg \
--name VNetGateway \
--public-ip-address myVpnGatewayIP \
--vnet VNetHub \
--gateway-type Vpn \
--vpn-type RouteBased \
--sku VpnGw1 \
--no-wait
# Peer VNetHub to VNetSpoke
az network vnet peering create \
--name HubToSpoke \
--resource-group arkorg \
--vnet-name VNetHub \
--remote-vnet VNetSpoke \
--allow-vnet-access
# Peer VNetSpoke to VNetHub
az network vnet peering create \
--name SpokeToHub \
--resource-group arkorg \
--vnet-name VNetSpoke \
--remote-vnet VNetHub \
--allow-vnet-access
# Create Route Table
az network route-table create \
--name SpokeRouteTable \
--resource-group arkorg \
--location eastus
# Add Route to VPN Gateway
az network route-table route create \
--resource-group arkorg \
--route-table-name SpokeRouteTable \
--name RouteToVPN \
--address-prefix 0.0.0.0/0 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address 10.70.1.4 # Replace with your actual VPN gateway private IP
# Associate Route Table with Spoke Subnet
az network vnet subnet update \
--vnet-name VNetSpoke \
--name SpokeSubnet \
--resource-group arkorg \
--route-table SpokeRouteTable
Delegate the Subnet to Microsoft.App/Environments (this will allow Azure Container Apps to manage the subnet)
az network vnet subnet update \
--name SpokeSubnet \
--resource-group arkorg \
--vnet-name VNetSpoke \
--delegations Microsoft.App/environments
Create the Container Apps Environment
az containerapp env create \
--name arkoContainerEnv \
--resource-group arkorg \
--location eastus \
--infrastructure-subnet "/subscriptions/abcd-efgh-ijk-lmnop-9d23123dfc7d/resourceGroups/arkorg/providers/Microsoft.Network/virtualNetworks/VNetSpoke/subnets/SpokeSubnet"
Deploy a Container App, note- the VPN connection could be deleted and recreated with the correct traffic selectors.
az containerapp create \
--name arkocontainerapp \
--resource-group arkorg \
--environment arkoContainerEnv \
--image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \
--cpu 0.5 \
--memory 1.0Gi \
--target-port 80 \
--ingress 'external' \
--query properties.configuration.ingress.fqdn
This should fix the issue where traffic wasn’t routed from the new 100.100.x.x IP range to your VPN. This configuration ensures that both ICMP and HTTP(S) traffic are correctly routed and forwarded via your VPN connection.
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs