Provide a virtual network to an Azure Container Apps environment

The following example shows you how to create a Container Apps environment in an existing virtual network (VNet).

Begin by signing in to the Azure portal.

Create a container app

To create your container app, start at the Azure portal home page.

  1. Search for Container Apps in the top search bar.
  2. Select Container Apps in the search results.
  3. Select the Create button.

Basics tab

In the Basics tab, do the following actions.

  1. Enter the following values in the Project details section.

    Setting Action
    Subscription Select your Azure subscription.
    Resource group Select Create new and enter my-container-apps.
    Container app name Enter my-container-app.

Create an environment

Next, create an environment for your container app.

  1. Select the appropriate region.

    Setting Value
    Region Select China North 3.
  2. In the Create Container Apps environment field, select the Create new link.

  3. In the Create Container Apps Environment page on the Basics tab, enter the following values:

    Setting Value
    Environment name Enter my-environment.
    Environment type Select Consumption only.
    Zone redundancy Select Disabled
  4. Select the Monitoring tab to create a Log Analytics workspace.

  5. Select Azure Log Analytics as the Logs Destination.

  6. Select the Create new link in the Log Analytics workspace field and enter the following values.

    Setting Value
    Name Enter my-container-apps-logs.

    The Location field is prefilled with China North 3 for you.

  7. Select OK.

You also have the option of deploying a private DNS for your Container Apps environment. For more information see Create and configure an Azure Private DNS zone.

Create a virtual network

Note

To use a VNet with Container Apps, the VNet must have a dedicated subnet with a CIDR range of /23 or larger when using the Consumption only environemnt, or a CIDR range of /27 or larger when using the workload profiles environment. To learn more about subnet sizing, see the networking architecture overview.

  1. Select the Networking tab.

  2. Select Yes next to Use your own virtual network.

  3. Next to the Virtual network box, select the Create new link and enter the following value.

    Setting Value
    Name Enter my-custom-vnet.
  4. Select the OK button.

  5. Next to the Infrastructure subnet box, select the Create new link and enter the following values:

    Setting Value
    Subnet Name Enter infrastructure-subnet.
    Virtual Network Address Block Keep the default values.
    Subnet Address Block Keep the default values.
  6. Select the OK button.

  7. Under Virtual IP, select External for an external environment, or Internal for an internal environment.

  8. Select Create.

Deploy the container app

  1. Select Review and create at the bottom of the page.

    If no errors are found, the Create button is enabled.

    If there are errors, any tab containing errors is marked with a red dot. Navigate to the appropriate tab. Fields containing an error are highlighted in red. Once all errors are fixed, select Review and create again.

  2. Select Create.

    A page with the message Deployment is in progress is displayed. Once the deployment is successfully completed, you see the message: Your deployment is complete.

Prerequisites

Setup

To sign in to Azure from the CLI, run the following command and follow the prompts to complete the authentication process.

az cloud set -n AzureChinaCloud
az login
# az cloud set -n AzureCloud   //means return to Public Azure.

To ensure you're running the latest version of the CLI, run the upgrade command.

az upgrade

Next, install or update the Azure Container Apps extension for the CLI.

If you receive errors about missing parameters when you run az containerapp commands in Azure CLI or cmdlets from the Az.App module in Azure PowerShell, be sure you have the latest version of the Azure Container Apps extension installed.

az extension add --name containerapp --upgrade

Note

Starting in May 2024, Azure CLI extensions no longer enable preview features by default. To access Container Apps preview features, install the Container Apps extension with --allow-preview true.

az extension add --name containerapp --upgrade --allow-preview true

Now that the current extension or module is installed, register the Microsoft.App and Microsoft.OperationalInsights namespaces.

Note

Azure Container Apps resources have migrated from the Microsoft.Web namespace to the Microsoft.App namespace. Refer to Namespace migration from Azure.Web to Microsoft.App in March 2022 for more details.

az provider register --namespace Microsoft.App
az provider register --namespace Microsoft.OperationalInsights

Set environment variables

Set the following environment variables. Replace the <PLACEHOLDERS> with your values:

RESOURCE_GROUP="<RESOURCE_GROUP>"
LOCATION="<LOCATION>"
CONTAINERAPPS_ENVIRONMENT="<CONTAINERAPPS_ENVIRONMENT>"

Create an Azure resource group

Create a resource group to organize the services related to your container app deployment.

az group create \
  --name $RESOURCE_GROUP \
  --location "$LOCATION"

Create an environment

An environment in Azure Container Apps creates a secure boundary around a group of container apps. Container Apps deployed to the same environment are deployed in the same virtual network and write logs to the same Log Analytics workspace.

Register the Microsoft.ContainerService provider.

az provider register --namespace Microsoft.ContainerService

Declare a variable to hold the VNet name.

VNET_NAME="my-custom-vnet"

Now create a virtual network to associate with the Container Apps environment. The virtual network must have a subnet available for the environment deployment.

az network vnet create \
  --resource-group $RESOURCE_GROUP \
  --name $VNET_NAME \
  --location $LOCATION \
  --address-prefix 10.0.0.0/16
az network vnet subnet create \
  --resource-group $RESOURCE_GROUP \
  --vnet-name $VNET_NAME \
  --name infrastructure-subnet \
  --address-prefixes 10.0.0.0/23

When using the Workload profiles environment, you need to update the VNet to delegate the subnet to Microsoft.App/environments. This delegation is not needed for the Consumption-only environment.

az network vnet subnet update \
  --resource-group $RESOURCE_GROUP \
  --vnet-name $VNET_NAME \
  --name infrastructure-subnet \
  --delegations Microsoft.App/environments

With the virtual network created, you can now query for the infrastructure subnet ID.

INFRASTRUCTURE_SUBNET=`az network vnet subnet show --resource-group ${RESOURCE_GROUP} --vnet-name $VNET_NAME --name infrastructure-subnet --query "id" -o tsv | tr -d '[:space:]'`

Finally, create the Container Apps environment using the custom VNet.

To create the environment, run the following command. To create an internal environment, add --internal-only.

az containerapp env create \
  --name $CONTAINERAPPS_ENVIRONMENT \
  --resource-group $RESOURCE_GROUP \
  --location "$LOCATION" \
  --infrastructure-subnet-resource-id $INFRASTRUCTURE_SUBNET

The following table describes the parameters used with containerapp env create.

Parameter Description
name Name of the Container Apps environment.
resource-group Name of the resource group.
logs-workspace-id (Optional) The ID of an existing Log Analytics workspace. If omitted, a workspace is created for you.
logs-workspace-key The Log Analytics client secret. Required if using an existing workspace.
location The Azure location where the environment is to deploy.
infrastructure-subnet-resource-id Resource ID of a subnet for infrastructure components and user application containers.
internal-only (Optional) The environment doesn't use a public static IP, only internal IP addresses available in the custom VNet. (Requires an infrastructure subnet resource ID.)

Optional configuration

You have the option of deploying a private DNS and defining custom networking IP ranges for your Container Apps environment.

Deploy with a private DNS

If you want to deploy your container app with a private DNS, run the following commands.

First, extract identifiable information from the environment.

ENVIRONMENT_DEFAULT_DOMAIN=`az containerapp env show --name ${CONTAINERAPPS_ENVIRONMENT} --resource-group ${RESOURCE_GROUP} --query properties.defaultDomain --out json | tr -d '"'`
ENVIRONMENT_STATIC_IP=`az containerapp env show --name ${CONTAINERAPPS_ENVIRONMENT} --resource-group ${RESOURCE_GROUP} --query properties.staticIp --out json | tr -d '"'`
VNET_ID=`az network vnet show --resource-group ${RESOURCE_GROUP} --name ${VNET_NAME} --query id --out json | tr -d '"'`

Next, set up the private DNS.

az network private-dns zone create \
  --resource-group $RESOURCE_GROUP \
  --name $ENVIRONMENT_DEFAULT_DOMAIN
az network private-dns link vnet create \
  --resource-group $RESOURCE_GROUP \
  --name $VNET_NAME \
  --virtual-network $VNET_ID \
  --zone-name $ENVIRONMENT_DEFAULT_DOMAIN -e true
az network private-dns record-set a add-record \
  --resource-group $RESOURCE_GROUP \
  --record-set-name "*" \
  --ipv4-address $ENVIRONMENT_STATIC_IP \
  --zone-name $ENVIRONMENT_DEFAULT_DOMAIN

Networking parameters

There are three optional networking parameters you can choose to define when calling containerapp env create. Use these options when you have a peered VNet with separate address ranges. Explicitly configuring these ranges ensures the addresses used by the Container Apps environment don't conflict with other ranges in the network infrastructure.

You must either provide values for all three of these properties, or none of them. If they aren't provided, the values are generated for you.

Parameter Description
platform-reserved-cidr The address range used internally for environment infrastructure services. Must have a size between /23 and /12 when using the Consumption only environment
platform-reserved-dns-ip An IP address from the platform-reserved-cidr range that is used for the internal DNS server. The address can't be the first address in the range, or the network address. For example, if platform-reserved-cidr is set to 10.2.0.0/16, then platform-reserved-dns-ip can't be 10.2.0.0 (the network address), or 10.2.0.1 (infrastructure reserves use of this IP). In this case, the first usable IP for the DNS would be 10.2.0.2.
docker-bridge-cidr The address range assigned to the Docker bridge network. This range must have a size between /28 and /12.
  • The platform-reserved-cidr and docker-bridge-cidr address ranges can't conflict with each other, or with the ranges of either provided subnet. Further, make sure these ranges don't conflict with any other address range in the VNet.

  • If these properties aren't provided, the CLI autogenerates the range values based on the address range of the VNet to avoid range conflicts.

Clean up resources

If you're not going to continue to use this application, you can delete the my-container-apps resource group. This deletes the Azure Container Apps instance and all associated services. It also deletes the resource group that the Container Apps service automatically created and which contains the custom network components.

Caution

The following command deletes the specified resource group and all resources contained within it. If resources outside the scope of this guide exist in the specified resource group, they will also be deleted.

az group delete --name $RESOURCE_GROUP

Additional resources

  • To use VNet-scope ingress, you must set up DNS.

Next steps