Local Error: DNSResolution in application gateway when backend is an internal container app

Question

I want to use Azure Application Gateway to protect an internal container app in same vnet, but the situation is quite confusing. Here are the specific configurations:

1. Azure internal container app in vnet test-vnet, ingress restricted to vnet, listening on port 8080.
2. Private DNS zone, name is the basic domain of the app env, added an A record mapping to the static IP of the app env, and added a private link for test-vnet.
3. Application Gateway in vnet test-vnet, using the container app FQDN as the backend pool, backend health is healthy.

Issues encountered:

1. Cannot access the backend app through the Application Gateway's public IP.
2. The Application Gateway's connection troubleshoot shows Local Error: DNSResolution (note that a VM in the same vnet can successfully access the container app's URL).
3. Confusingly, the Application Gateway's connection troubleshoot often shows different errors.

please see detail configuration by the following screenshoots :

container app ingress:

app gateway backend setting(Note that the test results are the same regardless of whether the host name is overridden or not):

app gateway listener:

app gateway backend health:

app gateway connection troubeshoot:

Other issue:

This problem can be set aside from the Local Error: DNSResolution issue. I just want to confirm if my understanding from the official documentation is correct. Since the backend is a container app, directly overriding with the backend host name will cause the host name in the cookie to record the container app's URL. However, the container app is internal, which will result in Incorrect redirect URLs as described in Host name preservation - Azure Architecture Center | Microsoft Learn. My understanding is that I need to register a domain name, use OpenSSL to create a self-signed certificate, add a custom domain to the container app, and then add a TXT record to my domain, right?

Looking forward to your reply!!!

Answer 1

@Will Ang ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are trying to configure Application Gateway as Reverse proxy for a Azure Container Apps which is configured as "Internal".

Issue #1 :

• Application Gateway uses the virtual network's DNS configuration for name resolution.
• See : FAQ
  • More info on Backend server DNS resolution
• Can you specify if you are using a custom DNS Server on your VNET or Azure Provided DNS?
  • Can you confirm if Private DNS Zone has been linked to this VNET?
  • Refer : DNS for Azure Container Apps
  • Both Non-custom domains and Custom domains scenarios are explained here
• If you feel that the DNS Configuration of the VNET is correct ,
  • Please share the nslookup result of the Container Apps FQDN from a VM in the same VNET as a screenshot.
  • Make sure this VM's NIC is configured to use "Inherit from Virtual Network" in it's DNS settings.

Issue #2 :

• I see you are referencing Host name preservation - Azure Architecture Center | Microsoft Learn.
• As the ACA is internal, note that it is not a mandatory requirement to "register" a custom domain
• See : DNS for Azure Container Apps
  • 

However, for a production set up, you can register your domain and get a certificate issued to that domain as well

• For Production workloads, we do not recommend the use of Self-signed certificates.
• While technically, you can just create a Private DNS Zone without purchasing a domain and create a self-signed certificate for this domain, because of the previous point this is not recommended.
• Also, purchasing the domain is necessary when you are going to introduce reverse proxy such as App Gateway
• From your screenshots, I see you got the domain validated.

P.S :

• I see you mentioned test results are the same regardless of whether the host name is overridden or not
• However, for correct configuration, it should be overridden as "test.simpleregimen.com"

Cheers,

Kapil