Tags: azure-application-gateway, azure-container-apps

Exposing Container Apps in Private VNET via Application Gateway with Subdomain Mapping


I’m in a bit of a pickle and could really use some help with the following:

I have a Container Apps Environment integrated into a private VNET with a dedicated subnet and ILB enabled. I’ve deployed a few container apps (let’s call them app1, app2, and app3) into this ACA Environment. I’ve already set up a Private DNS Zone for the ACA Env domain (let’s call it env.containerapps.io), created an A record pointing @ to the static IP of the environment, and linked it to my VNET.

At this point, I can access my apps within the VNET using app1.env.containerapps.io, app2.env.containerapps.io, and app3.env.containerapps.io.

Now, I want to expose these apps to the internet using an Application Gateway. End-to-end encryption and custom domains for my ACA Env aren’t important right now.

I’ve purchased a domain (mydomain.com) from another provider and created a wildcard self-signed certificate for *.mydomain.com. I also created a static public IP address and configured the frontend on my Application Gateway to use this certificate.

At this stage, I believe creating a separate backend pool and HTTP listener for each app could work. Something like this: app1.mydomain.com HTTP listener (Basic type) -> Backend address pool for app1.env.containerapps.io with "Pick host name from backend address" set to True. (And similar configurations for app2 and app3.)

However, I’m wondering if there’s a way to override the hostname while preserving the subdomain—something like: whatever.mydomain.com -> whatever.env.containerapps.io

I’ve been experimenting with multi-site listeners (single or wildcard) and backend pools without subdomain-specific configurations, but nothing seems to work.

Has anyone set up something similar or have any tips on how to make this work? I’d appreciate any help!


Solution

  • Your approach of creating separate backend pools and HTTP listeners for each app aligns better with their requirements, particularly given their explicit mention of using multiple backend pools and ensuring hostname preservation. Found a similar article from MS Q&A which provides better clarity.

    As discussed, to expose your container apps (app1, app2, app3) via an Application Gateway with subdomain mapping while preserving the original hostnames, I would recommend configuring your AppGW to add the endpoints app1.env.containerapps.io, app2.env.containerapps.io, and app3.env.containerapps.io to their respective backend pools (BackendPool-App1, BackendPool-App2, BackendPool-App3). Create listeners for each subdomain (app1.mydomain.com, app2.mydomain.com, and app3.mydomain.com) and use the wildcard certificate for *.mydomain.com to handle TLS for all subdomains.

    Set "Override with new host name" to "No".

    Why? Because this will ensure the original hostname (app1.mydomain.com) is preserved and sent to the backend app (app1.env.containerapps.io).

    Finally, update your DNS provider to point to the public IP of your AppGW.

    Basically, with the wildcard listener routing traffic based on subdomains, it should look like this:

    app1.mydomain.com -> app1.env.containerapps.io

    Same for app2 and app3.

    As per the MS doc on Application Gateway multi-site hosting, Application Gateway handles subdomain-based routing automatically without needing separate listeners for each app.

    You've already experimented with adding multiple targets to a single backend pool and configured the listener as a wildcard. This approach should allow you to achieve the desired routing behavior. Please feel free to add any further points you feel necessary to update the answer for folks looking for a similar fix on the Stack Overflow community.

    Reference docs from MS
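The per-app layout discussed above (one multi-site listener, one backend pool, one backend setting and one routing rule per container app, all sharing the *.mydomain.com certificate) as an added Bicep example; this is not code from the question, the answer or Microsoft. It follows the host-name handling the question itself proposes ("Pick host name from backend address" = True), because a Container Apps environment selects the app from the Host header of the incoming request, so the request reaching the ILB must carry app1.env.containerapps.io rather than app1.mydomain.com. Resource names, the subnet and public IP parameters, the domain values and the certificate parameters are all assumptions; substitute your own.

```bicep
// Added example: Application Gateway v2 fronting three apps in an ILB Container Apps environment.
// All names and parameter values below are assumptions, not taken from the question or answer.
param location string = resourceGroup().location
param appGwSubnetId string            // assumed: subnet dedicated to the Application Gateway
param publicIpId string               // assumed: the static public IP created for the frontend
@secure()
param wildcardPfxBase64 string        // assumed: *.mydomain.com certificate as a base64-encoded PFX
@secure()
param wildcardPfxPassword string
param acaEnvDomain string = 'env.containerapps.io'   // default domain of the ACA environment
param publicDomain string = 'mydomain.com'           // the purchased public domain
param apps array = ['app1', 'app2', 'app3']

var gwName = 'agw-aca'
var gwType = 'Microsoft.Network/applicationGateways'

resource agw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: gwName
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: appGwSubnetId } } } ]
    frontendIPConfigurations: [ { name: 'feip', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [ { name: 'port443', properties: { port: 443 } } ]
    sslCertificates: [ { name: 'wildcard', properties: { data: wildcardPfxBase64, password: wildcardPfxPassword } } ]

    // One pool per app, holding only that app's internal FQDN. The gateway resolves it through the
    // private DNS zone linked to the VNet, so it lands on the environment's static ILB address.
    backendAddressPools: [for app in apps: {
      name: 'BackendPool-${app}'
      properties: { backendAddresses: [ { fqdn: '${app}.${acaEnvDomain}' } ] }
    }]

    // pickHostNameFromBackendAddress: the Host header sent to the ILB becomes app1.env.containerapps.io,
    // which is what the environment uses to pick the app. The public name app1.mydomain.com is
    // matched by the listener, not forwarded.
    backendHttpSettingsCollection: [for app in apps: {
      name: 'bes-${app}'
      properties: {
        port: 443
        protocol: 'Https'
        pickHostNameFromBackendAddress: true
        probe: { id: resourceId('${gwType}/probes', gwName, 'probe-${app}') }
      }
    }]

    // Health probe per app so that an unhealthy app only takes its own pool out of rotation.
    probes: [for app in apps: {
      name: 'probe-${app}'
      properties: {
        protocol: 'Https'
        path: '/'
        pickHostNameFromBackendHttpSettings: true
        interval: 30
        timeout: 30
        unhealthyThreshold: 3
      }
    }]

    // hostNames makes each listener a multi-site listener: only requests whose SNI/Host is
    // app1.mydomain.com reach it, and all of them present the same wildcard certificate.
    httpListeners: [for app in apps: {
      name: 'lst-${app}'
      properties: {
        frontendIPConfiguration: { id: resourceId('${gwType}/frontendIPConfigurations', gwName, 'feip') }
        frontendPort: { id: resourceId('${gwType}/frontendPorts', gwName, 'port443') }
        protocol: 'Https'
        sslCertificate: { id: resourceId('${gwType}/sslCertificates', gwName, 'wildcard') }
        hostNames: [ '${app}.${publicDomain}' ]
      }
    }]

    // Basic rule per app: listener -> that app's pool with that app's backend settings.
    requestRoutingRules: [for (app, i) in apps: {
      name: 'rule-${app}'
      properties: {
        ruleType: 'Basic'
        priority: 100 + i
        httpListener: { id: resourceId('${gwType}/httpListeners', gwName, 'lst-${app}') }
        backendAddressPool: { id: resourceId('${gwType}/backendAddressPools', gwName, 'BackendPool-${app}') }
        backendHttpSettings: { id: resourceId('${gwType}/backendHttpSettingsCollection', gwName, 'bes-${app}') }
      }
    }]
  }
}
```

Adding a fourth app means appending one entry to the `apps` parameter, which is the closest a static Application Gateway configuration gets to the "whatever.mydomain.com -> whatever.env.containerapps.io" mapping asked about; the gateway has no dynamic backend selection from the request subdomain, so each subdomain still needs its own pool and listener. After deployment, `az network application-gateway show-backend-health` is the quickest way to confirm that each pool resolves its FQDN and passes its probe before the public DNS records are switched to the gateway's IP.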