mTLS for communication between container apps

RajivBansal-2486 331 Reputation points
2025-01-07T06:21:21.88+00:00

Hi,

  1. My understanding is that by default communication from a) ingress proxy to container apps and b) container apps to container apps doesn't use TLS, so requests have to be HTTP, not HTTPS. Please confirm.
  2. Azure Container Apps provides peer-to-peer encryption for communication between container apps (container A to container B directly using application name). Is this the same as mTLS? Are container apps provided one certificate each, and do they authenticate with each other using mTLS? I want to understand whether, if peer-to-peer encryption is enabled, authentication should be implemented for service-to-service communication or whether it is done internally.

https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli

Azure Container Apps

1 answer

  1. VenkateshDodda-MSFT 23,691 Reputation points Microsoft Employee
    2025-01-17T05:07:37.2033333+00:00

    @RajivBansal-2486 Thanks for posting your question in Microsoft Q&A.

    You can refer to this section about peer-to-peer communication with encryption using a private certificate within the container app environment.

    • All the traffic from the ingress proxy to the container app within the container environment is TLS encrypted with a private certificate and decrypted by the receiver.
    • Applications within a Container Apps environment are automatically authenticated. However, the Container Apps runtime doesn't support authorization for access control between applications using the built-in peer-to-peer encryption.
    • When your apps are communicating with a client outside of the environment, two-way authentication with mTLS is supported. To learn more, see configure client certificates.

    Hope this helps, let me know if you still have any further questions on this.

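The answer separates authentication from authorization, so the allow/deny decision has to live in the app. The following is an added example, not part of the answer or of Microsoft's documentation: it pins client-certificate fingerprints for the mTLS case in the third bullet, assuming the ingress forwards the presented certificate as URL-encoded PEM in the `X-Forwarded-Client-Cert` header. `ALLOWED_CLIENTS`, the sample bytes and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Constructed placeholder bytes standing in for a DER certificate; a real
# deployment pins the SHA-256 fingerprints of its actual client certificates.
SAMPLE_DER = b"constructed-sample-der-bytes-not-a-real-certificate"
ALLOWED_CLIENTS = {hashlib.sha256(SAMPLE_DER).hexdigest(): "billing-client"}

# key=value pairs; a quoted value may contain ';' or ',' without ending it.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^;,]*)')


def cert_fingerprint(pem):
    """SHA-256 over the DER bytes recovered from a PEM certificate."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()


def authorize(headers):
    """Return the pinned client's name, or None to deny the request.

    Assumes `headers` uses this exact header spelling and that the app is
    reachable only through the ingress, so a caller cannot set it directly.
    """
    raw = headers.get("X-Forwarded-Client-Cert", "")
    certs = [v for k, v in _FIELD.findall(raw) if k == "Cert"]
    if len(certs) != 1:  # missing, or ambiguous because of several elements
        return None
    try:
        # Recompute the fingerprint instead of trusting the Hash field.
        fingerprint = cert_fingerprint(unquote(certs[0].strip('"')))
    except ValueError:  # binascii.Error (bad base64) is a ValueError
        return None
    for pinned, name in ALLOWED_CLIENTS.items():
        if hmac.compare_digest(pinned, fingerprint):
            return name
    return None


def sample_header(der=SAMPLE_DER):
    """Build a constructed header value in the assumed format."""
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
           + "\n-----END CERTIFICATE-----\n")
    return 'Hash=%s;Cert="%s"' % (hashlib.sha256(der).hexdigest(), quote(pem, safe=""))
```
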
