Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
681 questions
How do I configure an inbound NAT rule in Azure Firewall to point at an Azure Container App?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 0%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECF%3C/text%3E%3C/svg%3E)
Christopher Febles
0
Reputation points
The instructions to filter inbound traffic uses a Virtual Machine with a private IP address. If I set up a Container Apps Environment with a subnet and a Container App with VNet only ingress, the Container App replica doesn't have a private IP available. If I point the NAT rule at the Container App Environment's private IP address, requests aren't routed correctly to the Container App.
I'm using Terraform, but I've also tried creating the NAT rule with the CLI - I attempted to point at the --translated-fqdn of the Container App instead of the Container App Environment's IP address. This didn't seem to work either.
Is there any way to accomplish this?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,291 Reputation points Microsoft Employee2024-10-15T00:36:59.0566667+00:00 Thank you for reaching out. If I understand correctly, you are configuring Azure Firewall in front of your Azure container app for inbound connection i.e internet connection to your container app.If my understanding above is correct then, using a Azure Firewall is not recommended in this case and an Azure Application Gateway should be used instead beacuse
- Azure Application Gateway is a layer 7 proxy and it offers end to end TLS encryption for inbound connections i.e from the internet.
- You can also enable a Web Application Firewall on Azure Application Gateway actively safeguards your web applications against common exploits and vulnerabilities. As web applications become more frequent targets for malicious attacks, these attacks often exploit well-known vulnerabilities such as SQL injection and cross-site scripting.
- There is no need to configure NAT is this case as you can directly add the Container app as its backend pool member. This article demonstrates how to protect your container apps using a Web Application Firewall (WAF) on Azure Application Gateway with an internal Container Apps environment.
Azure Firewall is recommended for outbound connections i.e connections originating from your container app which can be accomplished using User Defined Routes as showcased here.
Hope this helps. Please let me know if you have any additional questions or there is any other scenario you are trying to accomplish here. A network diagram will also help if you have any additional questions. Thanks
-
Christopher Febles 0 Reputation points
2024-10-16T16:29:51.59+00:00 Will the combination of Web Application Firewall and Application Gateway work for gRPC services hosted in Container Apps? gRPC is basically just an HTTP/2 request, but I don't think requests can really be inspected in the same way as "regular" HTTP traffic.
-
ChaitanyaNaykodi-MSFT 26,291 Reputation points Microsoft Employee
2024-10-30T00:13:36.7366667+00:00 Thank you for getting back and apologies for the delay here.
Will the combination of Web Application Firewall and Application Gateway work for gRPC services hosted in Container Apps? gRPC is basically just an HTTP/2 request, but I don't think requests can really be inspected in the same way as "regular" HTTP traffic.
In this case Web Application Firewall and Application Gateway will not work in this scenario.gRPC is supported on Application Gateway for Containers but currently it does not provide a WAF offering. More details here.
In this case, please let me know if you are going to proceed with Azure Firewall set-up above a network diagram will help in troubleshooting this issue.
Thank you!
-
Christopher Febles 0 Reputation points
2024-10-30T18:18:03.0833333+00:00 Thanks for all your help. Based on this information, I think I'll end up using Azure Firewall only for outgoing traffic.
-
Christopher Febles 0 Reputation points
2024-10-30T18:20:29.58+00:00 Thanks for your help! I think my last comment got lost, so apologies if this is a duplicate. Based on this information, I'll just use Azure Firewall for outgoing traffic and not incoming.
Sign in to comment
Sign in to answer