Configure HTTPS ingress in Azure Container Apps
By: Date: 06/12/2021 Categories: azure Tags:

By enabling ingress, Azure Container Apps enables you to expose your container app to the public web. You don’t need to construct an Azure Load Balancer, a public IP address, or any other Azure resources in order to permit inbound HTTPS requests when you enable ingress.

You can enable ingress for your container app in the following ways:

  • Allows for TLS termination
  • supports both HTTP/1.1 and HTTP/2 gRPC and WebSocket
  • TLS 1.2 is always used by HTTPS endpoints and is terminated at the ingress point.
  • Ports 80 (for HTTP) and 443 are always made available by endpoints (for HTTPS).
  • By default, HTTP requests made on port 80 are routed to HTTPS requests made on port 443.
  • The request has a 240-second timeout.

Implementation

Application-wide settings include ingress. All revisions are affected concurrently by changes to ingress settings, and no new revisions are created.

Azure Container Apps provides HTTPS ingress with TLS termination as a built-in feature, configurable as part of your application configuration. You do not need to create an Azure load balancer, public IP address, or any other Azure resources to enable HTTPS ingress.

Domain names and IP addresses

Your application receives a fully qualified domain name when ingress is enabled (FQDN). The domain name can be one of the following:

Ingress visibility settingFully qualified domain name
External<APP_NAME>.<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io
Internal<APP_NAME>.internal.<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io

For applications with external ingress visibility in your Container Apps environment, there is a single public IP address, and for those with internal ingress visibility, there is a single internal IP address. As a result, each application in a Container Apps environment that has access to external ingress data uses the same public IP address. Similar to this, every app in a Container Apps environment with internal ingress visibility uses the same internal IP address. The FQDN in the host header determines which applications receive HTTP traffic.


Ingress visibility settingFully qualified domain name
External<APP_NAME>.<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io
Internal<APP_NAME>.internal.<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecont