Container app traffic restriction

Diana C 0

In trying to strengthen the security on a resource group (containing app services, container apps and other resources) I tried to further secure the container apps with a network security group. However, it seems like this is no longer possible as the container apps are already up and running, and we would have needed to create a vnet when creating them, which was not the case. Alright. So I tried to go the route of restricting which IPs are allowed to access each container app. The only place I found this configuration was on the Ingress tab, where I selected "Allow traffic from IPs configured below, deny all other traffic". While this worked fine on the ingress endpoint (my-app-container--a1b2c3.[...].azurecontainerapps.io), it did not work on the custom domain defined for the container app (app-container-readable-name.com), where I get RBAC: access denied error. Plus there is the risk that the next deploy will change the suffix on the endpoint with the next replica name.

Do I need to whitelist certain IPs from Microsoft in order for the custom domain translation to happen? Or is there another setting I must change? Or another place where to restrict the incoming traffic?

Khadeer Ali 3,750 Reputation points Microsoft External Staff

2025-03-07T11:30:13.39+00:00
@Diana C ,

Thanks for reaching out. To better understand and troubleshoot the RBAC: access denied issue on your custom domain (app-container-readable-name.com), could you please clarify the following:

If authentication is enabled on the container app, are you seeing the RBAC error before the authentication challenge or after successfully authenticating?

Are you trying to completely restrict access to specific IPs, or do you want to allow public access while enforcing authentication and RBAC controls?

Have you tested accessing the application via the custom domain from an allowed IP? If so, do you still encounter the RBAC error?
Diana C 0 Reputation points

2025-03-07T11:38:28.8433333+00:00
Hi Khadeer,

Thanks for the reply.

There is no authentication enabled on the container app, which is why the RBAC message thew us off. The custom domain is always accessible from the outside.

We are trying to allow access only from specific resources, namely other app services in the same resource group, so for instance only a website (app service) should be able to access the api container app. Therefore we first tried accomplishing this with a NSG and eventually settled on restricting by IP.

Yes, when the IP rules were in place, we tried accessing the application by custom domain (did not work - RBAC error) as well as full name with ingress specification (worked - accessible as it was before we added IP rules)from a whitelisted IP
Khadeer Ali 3,750 Reputation points Microsoft External Staff

2025-03-07T12:54:29.2033333+00:00
@Diana C ,

Microsoft dynamically updates the list of outbound IP addresses used by Azure services . Whitelisting these regional service IPs in the IP restriction settings could resolve the issue. However, there are a few considerations:

Microsoft updates these IP ranges weekly,the allowlist will need to be updated frequently.

The latest IP ranges can be obtained from Microsoft’s official source: Azure Datacenter IP Ranges Meanwhile I am checking with internal team on any other alternate apporaches

Share via

Container app traffic restriction

Your answer