3

I plan to use Azure Front Door in front of my Container App and allow access only through Front Door. I have deployed an Internal Container Apps environment with a custom virtual network. I have added an NSG to the infra-subnet with an Inbound Rule that allows Azure FrontDoor.Backend. But this doesn't seem to work.

Any suggestions on how to use Azure Front Door with Azure Container Apps?

Vinayak S B
  • 41
  • 7

2 Answers2

2

Azure Front Door is CDN service that delivers high performance, scalability applications. It has customizable rules engine for advanced routing capabilities, we can add Azure Container App URL / load balancers IP's [[if it integrates with NSG allow respective ports in inbound]. Below sample example helps to deploy container app into Front Door.

  1. Create and browse the container app URL, whether it was up and running or not without front door, either the way via Container App URL / Load Balancer. enter image description here

  2. Configure Front Door on container App enter image description here NOTE: Origin type will be custom if we use Container App URL.

  3. Click on Origin group and then verify whether its points to correct Endpoint or not ? enter image description here enter image description here

  4. Copy the Front Door URL from Front Door Service enter image description here

Output enter image description here

Swarna Anipindi
  • 792
  • 2
  • 9
  • 2
    Thank you for the input. What I am looking for is how do I make sure my Azure Container App is not accessible without the Front Door. Without the above set up, I can still access my Azure Container App publicly. – Vinayak S B Nov 14 '22 at 22:20
1

To deploy AFD (Azure Front Door) with a private ACA (Azure Container Apps) environment you need to create a private link connection between Front Door and the internal Azure Load Balancer, that has been created by ACA.

For that reason you have to create a Private Link Service for the Load balancer. The challenge is now to 'find' the Load Balancer the Private Link Service should be created for and add the ID of the Load Balancer to the Private Link Service resource, if done programmatically.

In my example I have used the default domain of the environment to create the name of the 'auto-generated' resource group, because you need to provide the name and the resource group of the Load Balancer to get the required ID.

Bicep example code:

// Create Container Apps Environment
resource environment 'Microsoft.App/managedEnvironments@2022-03-01' = {
  name: environmentName
  location: location
  
  ...
  
}

// Get the Default Domain of the ACA environment
var containerAppsEnvironmentDefaultDomain string = environment.properties.defaultDomain

// Split the domain to get the identifier of the ACA environment (the element before the location)
var containerAppsNameIdentifier = split(containerAppsDefaultDomainName, '.')[lastIndexOf(containerAppsDefaultDomainArray, location)-1]

// Use the identifier to 'generate' the resource group name
var containerAppsManagedResourceGroup = 'MC_${containerAppsNameIdentifier}-rg_${containerAppsNameIdentifier}_${location}'

// Get the ID of the Load Balancer
resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' existing = {
  name: 'kubernetes-internal'
  scope: resourceGroup(containerAppsManagedResourceGroup)
}

The full example including all Bicep code can be found at Github: https://github.com/sebafo/frontdoor-container-apps

sebafo
  • 31
  • 4