Azure Container Apps as Azure Traffic Manager external endpoint doesn't work #537

Open
KarenTazayan opened this issue Dec 20, 2022 · 14 comments
Assignees
Labels
Networking Related to ACA networking

Comments

@KarenTazayan

I cannot run it as an external endpoint with FQDN when using a Container Apps Environment with vnet. I get [HTTP/1.1 404 Not Found] even if the endpoint monitor status is "Online".

Steps to reproduce

  1. Create a Container Apps Environment in a custom Azure VNet.
  2. Create Azure Container Apps with sample HTTP web app.
  3. Create Azure Traffic Manager with the weighted distribution.
  4. Add Container App FQDN as an external endpoint.

Actual behavior

HTTP/1.1 404 Not Found

@ghost ghost added the Needs: triage 🔍 Pending a first pass to read, tag, and assign label Dec 20, 2022
@SophCarp SophCarp added Needs: Attention 👋 Networking Related to ACA networking Needs: Assignment Needs: triage 🔍 Pending a first pass to read, tag, and assign and removed Needs: triage 🔍 Pending a first pass to read, tag, and assign Needs: Attention 👋 Needs: Discussion labels Dec 21, 2022
@SophCarp

Hi Karen! Troubleshooting question, is your ingress properly set up?

Documentation for ingress: https://learn.microsoft.com/en-us/azure/container-apps/ingress?tabs=bash
Docs for setting up a custom Vnet: https://learn.microsoft.com/en-us/azure/container-apps/firewall-integration

@SophCarp SophCarp added Needs: Author Feedback and removed Needs: triage 🔍 Pending a first pass to read, tag, and assign labels Dec 23, 2022
@KarenTazayan
Author

Hi @SophCarp! Thank you for the response. Yes, of course. It is available from the internet. Just deployed this sample from my repo: https://ctap-shoppingapp-ui-sa1.kindbush-93c4adc7.francecentral.azurecontainerapps.io/

You can see all my settings here.

@SophCarp

@KarenTazayan hmmm, I'm not sure I have access. Neither link worked for me. Could you check that I can access the repo? Thank you!

@KarenTazayan
Author

@SophCarp it doesn't matter. I regenerate it for each clean deployment. One more new link:
https://ctap-shoppingapp-ui-sa1.orangesky-0bae0173.francecentral.azurecontainerapps.io

@sebafo

sebafo commented Jan 3, 2023

Traffic Manager is a “simple” DNS-based traffic load balancer. The doc states that “Traffic Manager uses DNS to direct client requests to the appropriate service endpoint based on a traffic-routing method“.

I guess you haven't enabled insecure connections to your Container App. (this can be configured in the ingress blade of your Container App)

Things to consider:

I haven’t got a demo ready, but here is a simple walkthrough of how to use Traffic Manager with Container Apps.

  • Create Container App (+ Container Apps Environment)
  • Enable Ingress and accept traffic from anywhere (Traffic Manager can only work with internet facing services)
  • Create a Traffic Manager profile and point the endpoint to the URL of your Container App (check in the overview blade of your Container App)
  • Add an alias record to your DNS zone (see "Tutorial: Create an alias record to support apex domain name with Traffic Manager - Azure DNS | Microsoft Learn")
  • Add a custom domain to your Container App (your alias of your DNS zone, with the Traffic Manager alias).
    • Select CNAME and create the TXT record in your DNS zone – validate your settings
    • Add a valid certificate for your domain
  • Use the URL you have defined as an alias for the Traffic Manager profile, which you have specified in your DNS zone: Done.

Hope this helps.

One option to improve this journey might be to integrate some of those steps in a Container Apps managed environment directly. But I don’t know if anything like this is planned in the future.

@SophCarp

SophCarp commented Jan 3, 2023

Thanks @sebafo! @KarenTazayan Does their comment help?

@ghost

ghost commented Jan 8, 2023

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

@KarenTazayan
Author

@sebafo thank you very much for the detailed answer!

> I guess you haven't enabled insecure connections to your Container App. (this can be configured in the ingress blade of your Container App)

I did it before writing this topic.

> You have to configure the Traffic Manager Endpoint probe to use HTTPS and port 443 (or add HTTP 301 as a valid response code). Otherwise the endpoint is degraded and not used at all. (See "Troubleshooting degraded status on Azure Traffic Manager | Microsoft Learn".)

Also, I did it before writing this topic.

> If you want to access your Container App with the Traffic Manager URL, this won’t work, because the certificate is invalid for the Traffic Manager domain. (and the Ingress controller of Container Apps won't handle this URL)

The point above is essential for me (that is the issue for me and the reason that I wrote this topic) because I do different demos and workshops and it's inconvenient to register different kinds of domains and buy certificates for those purposes. As I understand, the custom DNS name and certificate are required, otherwise it won't work. Am I right?

@sebafo

sebafo commented Jan 9, 2023

> As I understand, the custom DNS name and certificate are required, otherwise it won't work. Am I right?

Yes, I don't know any other solution at the moment. The certificate and URL challenge appears regularly in the Traffic Manager context. Some managed services help to abstract this and provide additional options to mitigate the issue on the customer side. For example in an Azure App Service you can add a binding to the Traffic Manager URL in your custom domains and let the service create a certificate for the URL. After this step you can use the Traffic Manager domain to access your App Service without an invalid certificate error. Great for demo purposes, but perhaps not the best solution for a real world scenario to use the trafficmanager.net domain.

That isn't possible for Container Apps (yet?).

A feature request could be:
Integrate the "Azure App Service custom domain Traffic Manager Binding"-feature as a custom domains feature of Container Apps. :)

Edit:
Perhaps this could be integrated into an already planned feature: #509
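The failure discussed in the comments above, as an added example that is not part of the original thread or of any Azure tooling: Traffic Manager only answers DNS, so the client still presents the name it typed as TLS SNI and HTTP Host, and the Container Apps side sees that name rather than the app's FQDN. The host names, the wildcard SAN on the default certificate, and the outcome labels are assumptions constructed for this simplified model.

```python
# Added illustration. All host names and the wildcard SAN are constructed.
APP_FQDN = "demo-app.example-env.francecentral.azurecontainerapps.io"
TM_NAME = "demo-profile.trafficmanager.net"
CUSTOM = "shop.example.com"


def san_matches(hostname, san):
    """Certificate name check: '*' may replace the whole left-most label only."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return host[0] != "" and host[1:] == pattern[1:]
    return host == pattern


def diagnose(url_host, scheme, cert_sans, ingress_hosts):
    """Predict what a client sees when it reaches the app under url_host.

    cert_sans: names on the certificate(s) the ingress can present.
    ingress_hosts: host names the ingress routes to the app.
    """
    if scheme == "https" and not any(san_matches(url_host, s) for s in cert_sans):
        return "tls-name-mismatch"        # certificate invalid for this name
    if url_host.lower() not in ingress_hosts:
        return "http-404-unknown-host"    # ingress has no route for this Host
    return "ok"


def scenarios():
    # Assumed default state: wildcard certificate for the environment domain.
    default_sans = ["*.example-env.francecentral.azurecontainerapps.io"]
    default_hosts = {APP_FQDN}
    # State after binding a custom domain with its own certificate.
    bound_sans = default_sans + [CUSTOM]
    bound_hosts = default_hosts | {CUSTOM}
    return {
        "app FQDN over https": diagnose(APP_FQDN, "https", default_sans, default_hosts),
        "TM name over https": diagnose(TM_NAME, "https", default_sans, default_hosts),
        "TM name over http": diagnose(TM_NAME, "http", default_sans, default_hosts),
        "custom domain, bound": diagnose(CUSTOM, "https", bound_sans, bound_hosts),
        "TM name after binding": diagnose(TM_NAME, "https", bound_sans, bound_hosts),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

The "TM name over http" case corresponds to the 404 reported in the original post with insecure connections allowed; binding a custom domain fixes only that domain, not the trafficmanager.net name.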

@SophCarp SophCarp added Needs: triage 🔍 Pending a first pass to read, tag, and assign and removed Needs: Attention 👋 Status: no recent activity labels Jan 9, 2023
@KarenTazayan
Author

> Perhaps this could be integrated into an already planned feature: #509

It will be great. Thank you for the assistance!

@SophCarp

This can be tracked on our official roadmap in issue #607

@SophCarp SophCarp added Roadmap Related and removed Needs: triage 🔍 Pending a first pass to read, tag, and assign labels Feb 17, 2023
@cachai2 cachai2 self-assigned this Mar 6, 2023
@stewones

stewones commented Sep 4, 2023

Facing the same here and unfortunately, as described above ^, we need to delegate all DNS shit to Azure. So basically unusable if you use Cloudflare and can't leave.

@WretchedDade

WretchedDade commented Dec 20, 2023

@sebafo, is there any change in the suggested workaround/setup with the preview of managed certificates?

My domain isn't hosted in Azure DNS so I think my issue is coming from this step in particular:

I have set up a CNAME to my .trafficmanager.net URL and, from what I can tell, it is correctly resolving to the container app, but when trying to navigate there I get either a 403 (when http) or ERR_CONNECTION_RESET (when https).

@rahu431

rahu431 commented Jun 7, 2024

I’m also facing the same issue when I try to add the endpoint of an Azure Static Web App and Azure Container App into Azure Traffic Manager; it’s not working. Despite seeing ‘https’ in ‘https://signa-dart-container-app.thankfulhill-c740cb1e.australiaeast.azurecontainerapps.io’, it’s still not functioning. However, if I use another domain that is hosted on a different hosting service, it works.

From a user’s perspective, it’s unacceptable that the Azure FQDN is useless within Azure services. There seems to be no point in this.
