How to connect to a containerapp on azure from s2s vpn

Peter Young 20 Reputation points
2023-11-22T15:15:14.7633333+00:00

I need help connecting to a container app on azure from a site to site VPN.

What I have done:

  1. Created a Site-to-Site VPN which connects from our office site to the Azure cloud. I have proved this works by creating a virtual machine in Azure and connecting to it from the VPN.
  2. Created a Container App Environment with a defined non-internal virtual network with a subnet.
  3. Created a container with the Microsoft quickstart image in that environment.
  4. Controlled access to that container using a Network Security Group, connecting over the Internet, not via VPN.

What I can't do is access the container from the VPN.

I can't see a way of connecting the subnet used for the container to be a subnet accessible from the VPN.

What am I missing?

Can anyone give me a pointer in the right direction?

Thanks

Peter

Method for step 1

https://chadschultz.azurewebsites.net/2020/05/21/azure-vpn-gateway-and-mikrotik-ipsec-ike-configuration/#:~:text=In%20the%20Azure%20portal%20search%20for%20%E2%80%9CLocal%20network%20gateway%E2%80%9D.&text=Enter%20a%20name%20for%20the,subscription%2C%20Resource%20group%20and%20Location.&text=After%20the%20settings%20are%20done%2C%20click%20create

https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Code for steps 2, 3:

Create vnet called vnet-rcrgplayground-1

with a subnet of 10.0.4.0/23 called container-app-subnet-1

az network vnet create --resource-group rc-rg-playground --name vnet-rcrgplayground-1 --address-prefix 10.0.0.0/16 \
    --subnet-name "container-app-subnet-1" --subnet-prefixes "10.0.4.0/23" --location "eastus"

Create container app environment using that vnet

# Capture the subnet resource ID (bash command substitution; the original "$SUBNET = az ..." form is not valid in bash)
SUBNET=$(az network vnet subnet list -g rc-rg-playground --vnet-name vnet-rcrgplayground-1 \
    --query "[? name=='container-app-subnet-1'].id" --output tsv)

az containerapp env create --name rc-container-app-env-1 --resource-group rc-rg-playground \
    --infrastructure-subnet-resource-id "$SUBNET" --location eastus

Create container app with the Microsoft quickstart image in that environment with external ingress

az containerapp up --name rcl-hello-app-subnet-1 --resource-group rc-rg-playground --location eastus --environment rc-container-app-env-1 --image mcr.microsoft.com/k8se/quickstart:latest --target-port 80 --ingress external --query properties.configuration.ingress.fqdn


Accepted answer
  1. ChaitanyaNaykodi-MSFT 27,121 Reputation points Microsoft Employee
    2023-11-23T02:42:35.32+00:00

    @Peter Young

    Thank you for reaching out.

    I understand you wish to access your container app from your on-prem devices which are connected to Azure using S2S VPN.

    You can follow the steps mentioned below and see if you are able to establish the connectivity.

    • Deploy the Container App in a Custom VNET with internal Azure Container Apps environment as shown here. You need to create the container app in an internal environment because you have to restrict inbound requests to the environment exclusively to the VNet as the VPN connectivity happens over a private network.
    • After the above step is done, Peer the Custom VNET above with the VNET where your S2S VPN (S2S VNET) is deployed. You can follow the documentation here to Peer these VNETS. Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Please do not forget to enable the Gateway transit peering property that will let the Custom VNET use the VPN gateway in the peered S2S VNET for cross-premises connectivity.
    • The next step will be to create a Private DNS Zone for DNS resolution as described here to use non-custom domains. Create a private DNS zone named after the Container App environment's default domain (<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io), with an A record. The A record contains the name *<DNS Suffix> and the static IP address of the Container Apps environment. You can follow the steps mentioned here to create a Private DNS zone as shown below (just follow the private DNS zone step).

    Example of the private DNS zone


    Example of the A record.


    The static IP of the container app can be obtained from the custom domain page of the app in the portal as shown below:


    • The next step will be to link the Custom VNET and S2S VNET to the private DNS zone above. Please follow the step shown here to link each VNET.
    • After this step you should be able to access the container app URL from the VM deployed in your S2S VNET.

    To test you can do an nslookup test as shown below from the VM deployed in the S2S VNET. This will help validate that the steps above were correctly followed until now.


    As you have already configured S2S VPN Gateway and the connection is successful, I do not think you need to modify any configuration there. Just make sure that all the required routes are advertised.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

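The accepted answer's steps as one az CLI script, added here as an example and not part of the question or the answer. It reuses the resource names from the question; the VPN gateway's VNet name (vnet-s2s-gateway) and resource group are assumptions you override via S2S_VNET / S2S_RG, and the deployment function only runs when RUN_DEPLOY=1. The two helper functions let you check a captured nslookup answer against the environment's static IP offline.

```shell
#!/bin/sh
# Added example: private path to a Container App over S2S VPN, per the accepted answer.
set -eu

RG="rc-rg-playground"; LOCATION="eastus"
APP_VNET="vnet-rcrgplayground-1"; APP_SUBNET="container-app-subnet-1"
ENV_NAME="rc-container-app-env-1"; APP_NAME="rcl-hello-app-subnet-1"
S2S_RG="${S2S_RG:-rc-rg-playground}"      # assumption: resource group of the gateway VNet
S2S_VNET="${S2S_VNET:-vnet-s2s-gateway}"  # assumption: VNet that holds the VPN gateway

# "<app>.<uid>.<region>.azurecontainerapps.io" -> "<uid>.<region>.azurecontainerapps.io":
# the private DNS zone is the environment default domain, and a "*" A record covers every app.
zone_from_app_fqdn() { printf '%s\n' "${1#*.}"; }

# Succeeds when captured nslookup output answers with the environment's static IP
# (i.e. the private zone, not the public record, was used). $1 = output, $2 = static IP.
lookup_hits_static_ip() {
  printf '%s\n' "$1" | grep -Eq "^Address(es)?:[[:space:]]+$2\$"
}

deploy_private_path() {
  SUBNET_ID=$(az network vnet subnet list -g "$RG" --vnet-name "$APP_VNET" \
    --query "[?name=='$APP_SUBNET'].id" -o tsv)
  # 1. Internal-only environment: ingress is reachable only from the VNet.
  az containerapp env create -n "$ENV_NAME" -g "$RG" -l "$LOCATION" \
    --infrastructure-subnet-resource-id "$SUBNET_ID" --internal-only true
  az containerapp create -n "$APP_NAME" -g "$RG" --environment "$ENV_NAME" \
    --image mcr.microsoft.com/k8se/quickstart:latest --target-port 80 --ingress external
  DEFAULT_DOMAIN=$(az containerapp env show -n "$ENV_NAME" -g "$RG" --query properties.defaultDomain -o tsv)
  STATIC_IP=$(az containerapp env show -n "$ENV_NAME" -g "$RG" --query properties.staticIp -o tsv)
  # 2. Peer both VNets; gateway transit lets the app VNet use the S2S VPN gateway.
  APP_VNET_ID=$(az network vnet show -g "$RG" -n "$APP_VNET" --query id -o tsv)
  S2S_VNET_ID=$(az network vnet show -g "$S2S_RG" -n "$S2S_VNET" --query id -o tsv)
  az network vnet peering create -g "$S2S_RG" --vnet-name "$S2S_VNET" -n s2s-to-app \
    --remote-vnet "$APP_VNET_ID" --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
  az network vnet peering create -g "$RG" --vnet-name "$APP_VNET" -n app-to-s2s \
    --remote-vnet "$S2S_VNET_ID" --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
  # 3. Private DNS zone named after the default domain, wildcard A record -> static IP.
  az network private-dns zone create -g "$RG" -n "$DEFAULT_DOMAIN"
  az network private-dns record-set a add-record -g "$RG" -z "$DEFAULT_DOMAIN" -n '*' -a "$STATIC_IP"
  # 4. Link both VNets to the zone (no auto-registration needed).
  az network private-dns link vnet create -g "$RG" -z "$DEFAULT_DOMAIN" -n app-vnet-link -v "$APP_VNET_ID" -e false
  az network private-dns link vnet create -g "$RG" -z "$DEFAULT_DOMAIN" -n s2s-vnet-link -v "$S2S_VNET_ID" -e false
  echo "From a VM in $S2S_VNET: nslookup $APP_NAME.$DEFAULT_DOMAIN  (expect $STATIC_IP)"
}

if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy_private_path; fi
```

If nslookup from the S2S VNet still returns a public address, the zone link for that VNet is the first thing to re-check.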


2 additional answers

  1. Peter Young 20 Reputation points
    2024-01-23T14:35:47.0766667+00:00

    Thanks for the answer. It may take me a month or two to check it out. I'll get back to you with the results.


  2. Peter Young 20 Reputation points
    2024-01-23T14:42:07.1566667+00:00

    Also, can you confirm that an internal load balancer is not required? Another contributor suggested that. Thanks, Peter

