title | description | services | author | ms.service | ms.custom | ms.topic | ms.date | ms.author | zone_pivot_groups |
---|---|---|---|---|---|---|---|---|---|
Provide an internal virtual network to an Azure Container Apps environment | Learn how to provide an internal VNET to an Azure Container Apps environment. | container-apps | craigshoemaker | container-apps | event-tier1-build-2022 | how-to | 06/07/2022 | cshoe | azure-cli-or-portal |
The following example shows you how to create a Container Apps environment in an existing virtual network.
Important
Container Apps environments are deployed on a virtual network. This network can be managed or custom (pre-configured by the user beforehand). In either case, the environment has dependencies on services outside of that virtual network. For a list of these dependencies see Outbound FQDN dependencies.
::: zone pivot="azure-portal"
[!INCLUDE container-apps-create-portal-steps.md]
- Select the Networking tab to create a VNET.
- Select Yes next to Use your own virtual network.
- Next to the Virtual network box, select the Create new link and enter the following value.

  Setting | Value |
  ---|---|
  Name | Enter my-custom-vnet. |

- Select the OK button.
- Next to the Infrastructure subnet box, select the Create new link and enter the following values:

  Setting | Value |
  ---|---|
  Subnet Name | Enter infrastructure-subnet. |
  Virtual Network Address Block | Keep the default values. |
  Subnet Address Block | Keep the default values. |

- Select the OK button.
- Under Virtual IP, select Internal.
- Select Create.
[!INCLUDE container-apps-create-portal-deploy.md]
::: zone-end
::: zone pivot="azure-cli"
- Azure account with an active subscription.
  - If you don't have one, you can create one for free.
- Install the Azure CLI version 2.28.0 or higher.
[!INCLUDE container-apps-create-cli-steps.md]
Next, declare a variable to hold the VNET name.
```bash
VNET_NAME="my-custom-vnet"
```

```powershell
$VNET_NAME="my-custom-vnet"
```
Now create an instance of the virtual network to associate with the Container Apps environment. The virtual network must have two subnets available for the container app instance.
Note
You can use an existing virtual network, but two empty subnets are required to use with Container Apps.
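```bash
# Create the VNET that hosts the Container Apps environment.
az network vnet create \
  --resource-group $RESOURCE_GROUP \
  --name $VNET_NAME \
  --location $LOCATION \
  --address-prefix 10.0.0.0/16

# Create the infrastructure subnet; later commands look it up by this name.
az network vnet subnet create \
  --resource-group $RESOURCE_GROUP \
  --vnet-name $VNET_NAME \
  --name infrastructure-subnet \
  --address-prefixes 10.0.0.0/23
```

```powershell
# Create the VNET that hosts the Container Apps environment.
az network vnet create `
  --resource-group $RESOURCE_GROUP `
  --name $VNET_NAME `
  --location $LOCATION `
  --address-prefix 10.0.0.0/16

# Create the infrastructure subnet; later commands look it up by this name.
az network vnet subnet create `
  --resource-group $RESOURCE_GROUP `
  --vnet-name $VNET_NAME `
  --name infrastructure-subnet `
  --address-prefixes 10.0.0.0/23
```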
With the VNET established, you can now query for the VNET and infrastructure subnet ID.
```bash
VNET_RESOURCE_ID=$(az network vnet show --resource-group ${RESOURCE_GROUP} --name ${VNET_NAME} --query "id" -o tsv | tr -d '[:space:]')
INFRASTRUCTURE_SUBNET=$(az network vnet subnet show --resource-group ${RESOURCE_GROUP} --vnet-name $VNET_NAME --name infrastructure-subnet --query "id" -o tsv | tr -d '[:space:]')
```

```powershell
$VNET_RESOURCE_ID=(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query "id" -o tsv)
$INFRASTRUCTURE_SUBNET=(az network vnet subnet show --resource-group $RESOURCE_GROUP --vnet-name $VNET_NAME --name infrastructure-subnet --query "id" -o tsv)
```
Finally, create the Container Apps environment with the VNET and subnet.
```bash
az containerapp env create \
  --name $CONTAINERAPPS_ENVIRONMENT \
  --resource-group $RESOURCE_GROUP \
  --location "$LOCATION" \
  --infrastructure-subnet-resource-id $INFRASTRUCTURE_SUBNET \
  --internal-only
```

```powershell
az containerapp env create `
  --name $CONTAINERAPPS_ENVIRONMENT `
  --resource-group $RESOURCE_GROUP `
  --location "$LOCATION" `
  --infrastructure-subnet-resource-id $INFRASTRUCTURE_SUBNET `
  --internal-only
```
Note
As you call `az containerapp create` to create the container app inside your environment, make sure the value for the `--image` parameter is in lower case.

The following table describes the parameters used for `containerapp env create`.
Parameter | Description |
---|---|
name | Name of the Container Apps environment. |
resource-group | Name of the resource group. |
logs-workspace-id | (Optional) The ID of an existing Log Analytics workspace. If omitted, a workspace will be created for you. |
logs-workspace-key | The Log Analytics client secret. Required if using an existing workspace. |
location | The Azure location where the environment is to deploy. |
infrastructure-subnet-resource-id | Resource ID of a subnet for infrastructure components and user application containers. |
internal-only | (Optional) The environment doesn't use a public static IP, only internal IP addresses available in the custom VNET. (Requires an infrastructure subnet resource ID.) |
With your environment created using your custom virtual network, you can deploy container apps into the environment using the `az containerapp create` command.
You have the option of deploying a private DNS and defining custom networking IP ranges for your Container Apps environment.
If you want to deploy your container app with a private DNS, run the following commands.
First, extract identifiable information from the environment.
```bash
ENVIRONMENT_DEFAULT_DOMAIN=$(az containerapp env show --name ${CONTAINERAPPS_ENVIRONMENT} --resource-group ${RESOURCE_GROUP} --query defaultDomain --out json | tr -d '"')
ENVIRONMENT_STATIC_IP=$(az containerapp env show --name ${CONTAINERAPPS_ENVIRONMENT} --resource-group ${RESOURCE_GROUP} --query staticIp --out json | tr -d '"')
VNET_ID=$(az network vnet show --resource-group ${RESOURCE_GROUP} --name ${VNET_NAME} --query id --out json | tr -d '"')
```

```powershell
$ENVIRONMENT_DEFAULT_DOMAIN=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query defaultDomain -o tsv)
$ENVIRONMENT_STATIC_IP=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query staticIp -o tsv)
$VNET_ID=(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query id -o tsv)
```
Next, set up the private DNS.
```bash
# Private zone named after the environment's default domain.
az network private-dns zone create \
  --resource-group $RESOURCE_GROUP \
  --name $ENVIRONMENT_DEFAULT_DOMAIN

# Link the zone to the VNET.
az network private-dns link vnet create \
  --resource-group $RESOURCE_GROUP \
  --name $VNET_NAME \
  --virtual-network $VNET_ID \
  --zone-name $ENVIRONMENT_DEFAULT_DOMAIN -e true

# Wildcard A record pointing at the environment's static IP.
az network private-dns record-set a add-record \
  --resource-group $RESOURCE_GROUP \
  --record-set-name "*" \
  --ipv4-address $ENVIRONMENT_STATIC_IP \
  --zone-name $ENVIRONMENT_DEFAULT_DOMAIN
```

```powershell
# Private zone named after the environment's default domain.
az network private-dns zone create `
  --resource-group $RESOURCE_GROUP `
  --name $ENVIRONMENT_DEFAULT_DOMAIN

# Link the zone to the VNET.
az network private-dns link vnet create `
  --resource-group $RESOURCE_GROUP `
  --name $VNET_NAME `
  --virtual-network $VNET_ID `
  --zone-name $ENVIRONMENT_DEFAULT_DOMAIN -e true

# Wildcard A record pointing at the environment's static IP.
az network private-dns record-set a add-record `
  --resource-group $RESOURCE_GROUP `
  --record-set-name "*" `
  --ipv4-address $ENVIRONMENT_STATIC_IP `
  --zone-name $ENVIRONMENT_DEFAULT_DOMAIN
```
There are three optional networking parameters you can choose to define when calling `containerapp env create`. Use these options when you have a peered VNET with separate address ranges. Explicitly configuring these ranges ensures the addresses used by the Container Apps environment don't conflict with other ranges in the network infrastructure.
You must either provide values for all three of these properties, or none of them. If they aren’t provided, the CLI generates the values for you.
Parameter | Description |
---|---|
platform-reserved-cidr | The address range used internally for environment infrastructure services. Must have a size between /21 and /12. |
platform-reserved-dns-ip | An IP address from the platform-reserved-cidr range that is used for the internal DNS server. The address can't be the first address in the range, or the network address. For example, if platform-reserved-cidr is set to 10.2.0.0/16, then platform-reserved-dns-ip can't be 10.2.0.0 (the network address), or 10.2.0.1 (infrastructure reserves use of this IP). In this case, the first usable IP for the DNS would be 10.2.0.2. |
docker-bridge-cidr | The address range assigned to the Docker bridge network. This range must have a size between /28 and /12. |
- The platform-reserved-cidr and docker-bridge-cidr address ranges can't conflict with each other, or with the ranges of either provided subnet. Further, make sure these ranges don't conflict with any other address range in the VNET.
- If these properties aren’t provided, the CLI autogenerates the range values based on the address range of the VNET to avoid range conflicts.
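The range rules in the table and list above can be checked before `containerapp env create` is called. The following pre-flight check is an added example, not part of the original article or the Azure CLI; the function name `check_env_ranges` and the sample ranges other than 10.0.0.0/16, 10.0.0.0/23 and 10.2.0.0/16 are assumptions.

```python
import ipaddress


def check_env_ranges(vnet, subnets, platform_cidr, dns_ip, bridge_cidr):
    """Return a list of rule violations; an empty list means the values pass."""
    def net(cidr):
        # strict=False masks off host bits, so "10.1.0.1/16" is read as 10.1.0.0/16.
        return ipaddress.ip_network(cidr, strict=False)

    platform, bridge = net(platform_cidr), net(bridge_cidr)
    dns = ipaddress.ip_address(dns_ip)
    problems = []

    # Size limits from the parameter table.
    if not 12 <= platform.prefixlen <= 21:
        problems.append(f"platform-reserved-cidr {platform} is not between /21 and /12")
    if not 12 <= bridge.prefixlen <= 28:
        problems.append(f"docker-bridge-cidr {bridge} is not between /28 and /12")

    # The DNS IP must sit inside the platform range, past the two reserved addresses.
    reserved = (platform.network_address, platform.network_address + 1)
    if dns not in platform:
        problems.append(f"platform-reserved-dns-ip {dns} is outside {platform}")
    elif dns in reserved:
        problems.append(f"platform-reserved-dns-ip {dns} is reserved in {platform}")

    # The two ranges may not overlap each other, the subnets, or the VNET space.
    if platform.overlaps(bridge):
        problems.append(f"platform-reserved-cidr {platform} overlaps docker-bridge-cidr {bridge}")
    in_use = [("subnet", net(s)) for s in subnets] + [("VNET", net(vnet))]
    for name, rng in (("platform-reserved-cidr", platform), ("docker-bridge-cidr", bridge)):
        for kind, other in in_use:
            if rng.overlaps(other):
                problems.append(f"{name} {rng} overlaps {kind} {other}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the platform range wrongly reuses the VNET address space.
    for issue in check_env_ranges("10.0.0.0/16", ["10.0.0.0/23"],
                                  "10.0.0.0/16", "10.0.0.1", "10.1.0.0/16"):
        print("FAIL:", issue)
```
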
::: zone-end
If you're not going to continue to use this application, you can delete the Azure Container Apps instance and all the associated services by removing the my-container-apps resource group. Deleting this resource group will also delete the resource group automatically created by the Container Apps service containing the custom network components.
::: zone pivot="azure-cli"
```bash
az group delete \
  --name $RESOURCE_GROUP
```

```powershell
az group delete `
  --name $RESOURCE_GROUP
```
::: zone-end
- For more information about configuring your private endpoints, see What is Azure Private Endpoint.
- To set up DNS name resolution for internal services, you must set up your own DNS server.
[!div class="nextstepaction"] Managing autoscaling behavior