I’m in a bit of a pickle and could really use some help with the following:

I have a Container Apps Environment integrated into a private VNET with a dedicated subnet and ILB enabled. I’ve deployed a few container apps (let’s call them app1, app2, and app3) into this ACA Environment. I’ve already set up a Private DNS Zone for the ACA Env domain (let’s call it env.containerapps.io), created an A record pointing @ to the static IP of the environment, and linked it to my VNET.

At this point, I can access my apps within the VNET using app1.env.containerapps.io, app2.env.containerapps.io, and app3.env.containerapps.io.

Now, I want to expose these apps to the internet using an Application Gateway. End-to-end encryption and custom domains for my ACA Env aren’t important right now.

I’ve purchased a domain (mydomain.com) from another provider and created a wildcard self-signed certificate for *.mydomain.com. I also created a static public IP address and configured the frontend on my Application Gateway to use this certificate.

At this stage, I believe creating a separate backend pool and HTTP listener for each app could work. Something like this: app1.mydomain.com HTTP listener (Basic type) -> Backend address pool for app1.env.containerapps.io with "Pick host name from backend address" set to True. (And similar configurations for app2 and app3.)

However, I’m wondering if there’s a way to override the hostname while preserving the subdomain—something like: whatever.mydomain.com -> whatever.env.containerapps.io

I’ve been experimenting with multi-site listeners (single or wildcard) and backend pools without subdomain-specific configurations, but nothing seems to work.

Has anyone set up something similar or have any tips on how to make this work? I’d appreciate any help!

  • Could you kindly check by adding a wildcard CNAME (*.mydomain.com) pointing to the Application Gateway's public IP? Commented Dec 3, 2024 at 7:02
  • Just tried adding multiple targets (app1.env.containerapps.io, app2.env.containerapps.io, app3.env.containerapps.io) to a single backend pool and configuring the listener to be of Multiple/Wildcard type with *.mydomain.com. This seems to work, allowing me to route traffic based on the subdomain. I'll test further and report here. Commented Dec 3, 2024 at 12:29
  • If you use Application Gateway as the reverse proxy, you can ensure that the original host name is preserved by disabling Override with new host name on the back-end HTTP setting. Commented Dec 4, 2024 at 11:30

1 Answer

Your approach of creating separate backend pools and HTTP listeners for each app aligns better with their requirements, particularly given their explicit mention of using multiple backend pools and ensuring hostname preservation. Found a similar article from MS QnA which provides better clarity.

As discussed, to expose your container apps (app1, app2, app3) via an Application Gateway with subdomain mapping while preserving the original hostnames, I would recommend configuring your AppGW to add the endpoints app1.env.containerapps.io, app2.env.containerapps.io, and app3.env.containerapps.io to their respective backend pools (BackendPool-App1, BackendPool-App2, BackendPool-App3). Create listeners for each subdomain (app1.mydomain.com, app2.mydomain.com, and app3.mydomain.com) and use the wildcard certificate for *.mydomain.com to handle TLS for all subdomains.

Set "Override with new host name" to "No".

Why?

Because this will ensure the original hostname (app1.mydomain.com) is preserved and sent to the backend app (app1.env.containerapps.io).

Finally, update your DNS provider to point to the public IP of your AppGW.

Basically, with the wildcard listener to route traffic based on subdomains, it should look like this:

app1.mydomain.com -> app1.env.containerapps.io

The same for app2 and 3.

As per the MS doc, Application Gateway multi-site hosting, Application Gateway handles subdomain-based routing automatically without needing separate listeners for each app.

You've already experimented with adding multiple targets to a single backend pool and configured the listener as a wildcard. This approach should allow you to achieve the desired routing behavior. Please feel free to add any further points you feel necessary to update the answer for folks looking for a similar fix in the Stack Overflow community.

Reference docs from MS

1 Comment

Thank you for the help! I ended up creating separate backend pools and listeners for each service, while also configuring my custom domain (mydomain.com) for the ContainerApp environment. This way the Host header stays the same in all the transmissions. Found this to be the Microsoft recommendation as well. However, this approach requires setting up a custom probe, otherwise the backend pools would be marked as Unhealthy for a reason I don’t understand.
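
The per-app wiring described in the question (one listener, backend pool and HTTP setting per app, with the host name picked from the backend address, plus a custom probe), sketched with the Azure CLI as an added example that is not part of the original posts. The resource group, gateway, frontend port and certificate names, the HTTPS/443 backend protocol and the probe path are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): resource group, gateway,
# frontend port "port-443", uploaded certificate "wildcard-mydomain".
RG="${RG:-rg-demo}"
GW="${GW:-agw-demo}"
PUBLIC_ZONE="mydomain.com"        # public domain used in the question
ENV_ZONE="env.containerapps.io"   # environment domain placeholder from the question

# Run one application-gateway subcommand against the assumed gateway.
agw() {
  agw_sub="$1"; agw_verb="$2"; shift 2
  az network application-gateway "$agw_sub" "$agw_verb" \
    --resource-group "$RG" --gateway-name "$GW" "$@"
}

# usage: expose_app <app-name> <rule-priority>
expose_app() {
  app="$1"; priority="$2"
  # Accept a single DNS label only, so one call maps exactly one host name.
  case "$app" in
    ''|*[!a-z0-9-]*) echo "invalid app name: $app" >&2; return 2 ;;
  esac

  # Backend pool holding only this app's internal FQDN.
  agw address-pool create --name "pool-$app" \
    --servers "$app.$ENV_ZONE" || return

  # Custom probe that takes its Host header from the HTTP settings below,
  # so the health check and proxied traffic use the same host name.
  agw probe create --name "probe-$app" --protocol Https --path / \
    --host-name-from-http-settings true || return

  # "Pick host name from backend address": Host becomes the pool FQDN.
  # HTTPS on 443 to the backend is an assumption of this example.
  agw http-settings create --name "settings-$app" --protocol Https \
    --port 443 --host-name-from-backend-pool true \
    --probe "probe-$app" || return

  # Listener for this app's public host name only, not a wildcard.
  agw http-listener create --name "listener-$app" \
    --frontend-port port-443 --ssl-cert wildcard-mydomain \
    --host-name "$app.$PUBLIC_ZONE" || return

  # Basic rule joining listener, HTTP settings and pool.
  agw rule create --name "rule-$app" --rule-type Basic \
    --priority "$priority" --http-listener "listener-$app" \
    --http-settings "settings-$app" --address-pool "pool-$app"
}
```

Call it once per app, for example `expose_app app1 100` and `expose_app app2 110`; each rule needs a distinct priority.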
