Customize Azure Spring Apps egress with a user-defined route

Note

The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.

The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.

This article applies to: ✅ Java ✅ C#

This article applies to: ✅ Basic/Standard ✅ Enterprise

This article describes how to customize an instance's egress route to support custom network scenarios. For example, you might want to customize an instance's egress route for networks that disallow public IPs and require the instance to sit behind a network virtual appliance (NVA).

By default, Azure Spring Apps provisions a Standard SKU Load Balancer that you can set up and use for egress. However, the default setup may not meet the requirements of all scenarios. For example, public IPs may not be allowed, or more hops may be required for egress. When you use this feature to customize egress, Azure Spring Apps doesn't create public IP resources.

Prerequisites

Limitations

  • You can only define OutboundType when you create a new Azure Spring Apps service instance, and you can't updated it afterwards. OutboundType works only with a virtual network.
  • Setting outboundType to UserDefinedRouting requires a user-defined route with valid outbound connectivity for your instance.
  • Setting outboundType to UserDefinedRouting implies that the ingress source IP routed to the load-balancer may not match the instance's outgoing egress destination address.

Overview of outbound types in Azure Spring Apps

You can customize an Azure Spring Apps instance with a unique outboundType of type loadBalancer or userDefinedRouting.

Outbound type loadBalancer

The default outboundType value is loadBalancer. If outboundType is set to loadBalancer, Azure Spring Apps automatically configures egress paths and expects egress from the load balancers created by the Azure Spring Apps resource provider. Two load balancers are recreated: one for the service runtime and another for the user app. A public IP address is provisioned for each load balancer. The load balancer is used for egress traffic for the generated public IP.

Outbound type userDefinedRouting

Note

Using an outbound type is an advanced networking scenario and requires proper network configuration.

If outboundType is set to userDefinedRouting, Azure Spring Apps doesn't automatically configure egress paths. You must set up egress paths yourself. You could still find two load balancers in your resource group. They're only used for internal traffic and don't expose any public IP. You must prepare two route tables associated with two subnets: one to service the runtime and another for the user app.

Important

An outboundType of userDefinedRouting requires a route for 0.0.0.0/0 and the next hop destination of a network virtual appliance in the route table. For more information, see Customer responsibilities for running Azure Spring Apps in a virtual network.

See also