Private endpoint support for container apps

[pamelafox]

Purpose

This PR adds private networking support for Azure Container Apps, plus a P2S VPN Gateway with Azure Private DNS resolver for local development inside the virtual network.

Does this introduce a breaking change?

When developers merge from main and run the server, azd up, or azd deploy, will this produce an error?
If you're not sure, try it out on an old environment.

[ ] Yes
[X] No

Does this require changes to learn.microsoft.com docs?

This repository is referenced by this tutorial
which includes deployment, settings and usage instructions. If text or screenshot need to change in the tutorial,
check the box below and notify the tutorial author. A Microsoft employee can do this for you if you're an external contributor.

[ ] Yes
[X] No

Type of change

[ ] Bugfix
[X] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

Code quality checklist

See CONTRIBUTING.md for more details.

• The current tests all pass (python -m pytest).
• I added tests that prove my fix is effective or that my feature works
• I ran python -m pytest --cov to verify 100% coverage of added lines
• I ran python -m mypy to check for type errors
• I either used the pre-commit hooks or ran ruff and black manually on my code.

[pamelafox]

Blocking: Azure/bicep-registry-modules#4387

[faaraan-farid-kazi]

Request to Make Existing Container Private Post Deployment

Hi Pamela,

We are currently facing an issue regarding the privacy of our deployed container. Our organization requires that this container be private due to internal policy and data sensitivity concerns.

Current Status:

• The application is already deployed and actively used by approximately 1,200 users.
• A significant amount of data has already been uploaded and is in use.

Requirement:

We need a solution that allows us to make the existing container private without disrupting the current deployment or user access.

Open Questions:

• Is there a way to retroactively apply privacy settings to the existing container?
• Would migrating to App Services provide a more secure or manageable solution for our use case?

We would appreciate guidance on the best approach to achieve this while minimizing impact on our users and data.

Thanks,
Faaraan

[github-actions]

Check Broken URLs

We have automatically detected the following broken URLs in your files. Review and fix the paths to resolve this issue.

Check the file paths and associated broken URLs inside them.
For more details, check our Contributing Guide.

File Full Path	Issues
docs/deploy_private.md	# Link Line Number 1 https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-vpn-client-install 82

[github-actions]

Check Broken URLs

We have automatically detected the following broken URLs in your files. Review and fix the paths to resolve this issue.

Check the file paths and associated broken URLs inside them.
For more details, check our Contributing Guide.

File Full Path	Issues
docs/deploy_private.md	# Link Line Number 1 https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-vpn-client-install 82

[Copilot]

Pull Request Overview

This PR adds private networking support for Azure Container Apps, enabling deployment with private endpoints and optional VPN gateway configuration for secure access. The changes primarily focus on extending the existing private endpoint functionality from App Service to Container Apps and adding VPN gateway support for local development access.

• Extends private endpoint support to Container Apps deployment target
• Adds P2S VPN Gateway with Azure Private DNS resolver for secure local development access
• Refactors network isolation infrastructure to support both App Service and Container Apps with consistent subnet management

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
infra/private-endpoints.bicep	Updates parameter naming from subnet name to subnet ID and improves DNS zone naming
infra/network-isolation.bicep	Major refactor to support Container Apps with NSGs, VPN gateway, and DNS resolver
infra/main.parameters.json	Adds VPN gateway parameter and removes deprecated Container Apps workload profile
infra/main.bicep	Extends private endpoint logic to Container Apps and adds VPN gateway configuration
infra/core/storage/storage-account.bicep	Minor syntax update using null coalescing operator
infra/core/host/container-registry.bicep	New module for Container Registry with VNet integration support
infra/core/host/container-apps.bicep	Simplified Container Apps module with better parameter handling
infra/core/host/container-apps-environment.bicep	New dedicated module for Container Apps environment configuration
infra/core/host/container-app.bicep	Removes deprecated workload profile parameter
infra/core/host/container-app-upsert.bicep	Removes deprecated workload profile parameter
infra/abbreviations.json	Adds abbreviation for private DNS resolver
docs/deploy_private.md	Updated deployment instructions for VPN gateway usage
app/backend/prepdocs.py	Adds connectivity check for search service with VPN guidance

Comments suppressed due to low confidence (1)

infra/core/host/container-apps-environment.bicep:13

• The API version '2025-02-02-preview' appears to be from the future. As of my knowledge cutoff in January 2025, this version may not exist. Consider using a stable API version like '2024-03-01' or verify that this preview version is available.

resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2025-02-02-preview' = {

[Copilot]

This line has inconsistent indentation - it appears to have extra leading spaces compared to the previous output statement.

Suggested change

	output AZURE_VPN_CONFIG_DOWNLOAD_LINK string = useVpnGateway ? 'https://portal.azure.com/#@${tenant().tenantId}/resource/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup.name}/providers/Microsoft.Network/virtualNetworkGateways/${isolation.outputs.virtualNetworkGatewayName}/pointtositeconfiguration' : ''
	output AZURE_VPN_CONFIG_DOWNLOAD_LINK string = useVpnGateway ? 'https://portal.azure.com/#@${tenant().tenantId}/resource/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup.name}/providers/Microsoft.Network/virtualNetworkGateways/${isolation.outputs.virtualNetworkGatewayName}/pointtositeconfiguration' : ''

[mattgotteiner]

virtual network gateway resource id

[mattgotteiner]

Nice :)

[mattgotteiner]

Thanks for your efforts here