Introduction
Azure Container Apps offers a robust platform for deploying microservices and containerized applications. When integrated with Azure Application Gateway, an internal container app environment can be accessed from the public internet. Users often bind custom domains to improve accessibility and user experience. A common challenge arises when the custom domain is bound on Application Gateway and requests reach the container app through it. If the container app acts as a middleware service and needs to forward requests to another API server or complete an authentication process, users may encounter an HTTP 403 Forbidden error caused by a hostname/redirect URL mismatch. What's more, you definitely don't want to expose your backend service's default domain. This blog explores these challenges and offers practical solutions.
Why do we encounter this kind of issue?
Following our documentation, Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF) | Microsoft Learn, we put the application gateway in front of the internal container app, resolve the custom domain to the application gateway's public IP, and use the container app's default domain as the backend pool. When the application gateway receives a request for the custom domain, it routes the request to the container app via the container app's default domain. So far, everything seems normal, and users can successfully access the internal container app from the Internet via the custom domain name.
However, if the container app is a middleware service, or authentication is required, the container app uses its default domain name when it redirects, which often results in a 403 Forbidden error due to the hostname/redirect URL mismatch.
Proposed Solutions
To resolve this issue and ensure seamless integration between Azure Container Apps and other services, consider the following steps:
1. Bind the custom domain on the container app as well.
In the container app portal, go to Custom domains and add the same custom domain that is bound on the application gateway. This is an internal container app, so we don't need to worry about domain name duplication.
2. Modify the backend setting in the application gateway.
Navigate to application gateway -> Backend settings, select the option to override with a specific domain name, and enter your custom domain in Host name.
3. Now the container app is able to reach another service or finish authentication with the custom domain.
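The mismatch and the effect of the host name override, modelled as an added example (not code from the original post or from Microsoft). The domain names, the downstream identity-provider check, and the way the app builds its callback URL from the Host header are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlparse
from wsgiref.util import setup_testing_defaults

# Constructed names (assumptions, not values from the post).
CUSTOM_DOMAIN = "app.contoso.example"        # bound on Application Gateway
DEFAULT_DOMAIN = "myapp.internal.example"    # stand-in for the container app default domain
REGISTERED_REDIRECTS = {f"https://{CUSTOM_DOMAIN}/auth/callback"}


def middleware_app(environ, start_response):
    """Container app (assumed behaviour): derives its callback URL from the Host header."""
    callback = f"https://{environ['HTTP_HOST']}/auth/callback"
    location = "https://idp.example/authorize?" + urlencode({"redirect_uri": callback})
    start_response("302 Found", [("Location", location)])
    return [b""]


def identity_provider(location):
    """Downstream service (assumed): 403 unless redirect_uri is registered exactly."""
    redirect_uri = parse_qs(urlparse(location).query)["redirect_uri"][0]
    return 200 if redirect_uri in REGISTERED_REDIRECTS else 403


def gateway_forward(override_host=None):
    """Application Gateway model: Host is the backend default domain unless overridden."""
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_HOST"] = override_host or DEFAULT_DOMAIN
    captured = {}

    def start_response(status, headers):
        captured["location"] = dict(headers)["Location"]

    middleware_app(environ, start_response)
    return captured["location"]


def check(override_host=None):
    """Report whether the redirect leaks the default domain and how the IdP answers."""
    location = gateway_forward(override_host)
    return {"leaks_default_domain": DEFAULT_DOMAIN in location,
            "idp_status": identity_provider(location)}


if __name__ == "__main__":
    print("before override:", check())
    print("after override: ", check(CUSTOM_DOMAIN))
```

The same two checks (no default domain in any `Location` header, and a successful downstream response) are what to verify against the real deployment after changing the backend setting.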