adaptive.run TECH BLOG

Cloud can be tricky sometimes. Find out what scenarios we've run into that are worth mentioning and explaining.

Connecting to a Container App Environment from Azure Front Door

Level: 300
Publishing date: 20-Feb-2026
Author: Catalin Popa


If you’ve ever deployed Azure Container Apps, you’ve surely wondered how to protect them. The easiest way to expose them securely on the internet is to place a Front Door endpoint with a WAF policy in front of your Container App(s).

FYI – for the rest of the article, we only discuss Container App Environments that are set as “internal”: integrated into VNETs, with no direct access from the outside world.

Up until now, Azure Container App Environments (basically the instance that hosts your Container Apps) could run either in “Consumption mode” or on “Workload profiles”.

But recent updates from Microsoft (mid-2025, to be more precise) deprecated the “Consumption mode”, so all Container App Environment infrastructure is now available as “Workload profiles”.

I know what you’re thinking: “so they’re basically forcing me to choose something that is prepaid, instead of a pay-as-you-use model such as the consumption one?” Well… the answer to that is “yes and no”.

Now, when you build an Azure Container App Environment, although the infrastructure is set on “Workload profiles”, the default profile that is being created (unless you specifically create a workload profile):


[Image; source: azure.microsoft.com]

Given this change, you can no longer connect to your Container App Environment the way you did until now (at least, for the Consumption-based ones).

Until now, the way to connect privately from a Front Door was to create a Private Link Service on the Container App Environment, then connect your Azure Front Door endpoint to that Private Link Service:


[Image; source: azure.microsoft.com]

But that isn’t really possible anymore, because creating a Private Link Service on the Load Balancer of a Container App Environment set on “Workload Profiles” doesn’t work.

So Azure Front Door had to step up and enable this somehow, and Microsoft delivered: Azure Front Door now supports direct integration with a Container App Environment. When creating an origin in Azure Front Door, you can directly reference your Container App Environment:


[Image; source: azure.microsoft.com]

Once the origin is created, it sends a Private Endpoint request directly to the Container App Environment:

[Image; source: azure.microsoft.com]

NOTE, though, that this request has to be approved after the origin is created.
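
One way to vet the pending request before approving it, as an added example that is not from the original article: the script assumes you set a known request message on the Front Door origin and that the input is JSON shaped like the output of `az network private-endpoint-connection list`. The sample data, resource names and message string are constructed.

```python
import json
import shlex

# Constructed sample, not real output. Its shape is an assumption modelled on
# the JSON that `az network private-endpoint-connection list` prints.
ENV_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-demo/providers/Microsoft.App/managedEnvironments/aca-env-demo")
SAMPLE = json.dumps([
    {"id": ENV_ID + "/privateEndpointConnections/pe-afd-1",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Pending", "description": "afd-prod-to-aca-env-demo"}}},
    {"id": ENV_ID + "/privateEndpointConnections/pe-unknown",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Pending", "description": "please approve"}}},
    {"id": ENV_ID + "/privateEndpointConnections/pe-old",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Approved", "description": "afd-prod-to-aca-env-demo"}}},
])


def triage(connections_json, expected_message):
    """Return (approve_ids, review_ids) for the pending connections only."""
    approve, review = [], []
    for conn in json.loads(connections_json):
        state = (conn.get("properties") or {}).get(
            "privateLinkServiceConnectionState") or {}
        if state.get("status") != "Pending":
            continue  # already approved, rejected or disconnected
        # Exact match only: a missing or different message goes to manual review.
        if state.get("description") == expected_message:
            approve.append(conn["id"])
        else:
            review.append(conn["id"])
    return approve, review


def approve_commands(ids):
    """Build the CLI approval command for each vetted connection id."""
    return ["az network private-endpoint-connection approve --id " + shlex.quote(i)
            for i in ids]


if __name__ == "__main__":
    ok, unknown = triage(SAMPLE, "afd-prod-to-aca-env-demo")
    print("\n".join(approve_commands(ok)))
    for conn_id in unknown:
        print("REVIEW (not approved):", conn_id)
```

The request message is free text chosen by the requester, so a match is a filter for picking out your own deployment's request, not proof of where it came from.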

By performing all these steps, you now have a secure way to expose your internal Container Apps!

