Set up HTTPS ingress in Azure Container Apps

Azure Container Apps allows you to expose your container app to the public web by enabling ingress. When you enable ingress, you do not need to create an Azure Load Balancer, public IP address, or any other Azure resources to enable incoming HTTPS requests.

With ingress enabled, your container app features the following characteristics:

  • Supports TLS termination
  • Supports HTTP/1.1 and HTTP/2
  • Supports WebSocket and gRPC
  • HTTPS endpoints always use TLS 1.2, terminated at the ingress point
  • Endpoints always expose ports 80 (for HTTP) and 443 (for HTTPS).
    • By default, HTTP requests to port 80 are automatically redirected to HTTPS on 443.
  • Request timeout is 240 seconds.

Configuration

Ingress is an application-wide setting. Changes to ingress settings apply to all revisions simultaneously, and do not generate new revisions.

The ingress configuration section has the following form:

{
  ...
  "configuration": {
      "ingress": {
          "external": true,
          "targetPort": 80,
          "transport": "auto"
      }
  }
}

The following settings are available when configuring ingress:

| Property | Description | Values | Required |
|---|---|---|---|
| external | The ingress IP and fully qualified domain name (FQDN) can either be accessible externally from the internet or a VNET, or internally within the app environment only. | true for external visibility from the internet or a VNET, false for internal visibility within app environment only (default) | Yes |
| targetPort | The port your container listens to for incoming requests. | Set this value to the port number that your container uses. Your application ingress endpoint is always exposed on port 443. | Yes |
| transport | You can use either HTTP/1.1 or HTTP/2, or you can set it to automatically detect the transport type. | http for HTTP/1, http2 for HTTP/2, auto to automatically detect the transport type (default) | No |
| allowInsecure | Allows insecure traffic to your container app. | false (default), true. If set to true, HTTP requests to port 80 are not automatically redirected to port 443 using HTTPS, allowing insecure connections. | No |

Note

To disable ingress for your application, you can omit the ingress configuration property entirely.

IP addresses and domain names

With ingress enabled, your application is assigned a fully qualified domain name (FQDN). The domain name takes the following forms:

| Ingress visibility setting | Fully qualified domain name |
|---|---|
| External | <APP_NAME>.<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io |
| Internal | <APP_NAME>.internal.<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io |

Your Container Apps environment has a single public IP address for applications with external ingress visibility, and a single internal IP address for applications with internal ingress visibility. Therefore, all applications within a Container Apps environment with external ingress visibility share a single public IP address. Similarly, all applications within a Container Apps environment with internal ingress visibility share a single internal IP address. HTTP traffic is routed to individual applications based on the FQDN in the host header.

You can get access to the environment's unique identifier by querying the environment settings.

Get fully qualified domain name

The az containerapp show command returns the fully qualified domain name of a container app.

az containerapp show \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <CONTAINER_APP_NAME> \
  --query properties.configuration.ingress.fqdn

In this example, replace the placeholders surrounded by <> with your values.

The value returned from this command resembles a domain name like the following example:

myapp.happyhill-70162bb9.canadacentral.azurecontainerapps.io
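
The following is an added example, not part of the original page or of any Azure tooling: a small audit over JSON shaped like the output of az containerapp show, flagging the ingress settings described above (external exposure, allowInsecure, a missing targetPort, and an FQDN form that contradicts the external setting). The function names, severity labels, and sample apps are assumptions made for illustration; the sample data is constructed.

```python
import json

# Constructed sample: a list shaped like `az containerapp show` output,
# trimmed to properties.configuration.ingress. Names and FQDNs are made up.
SAMPLE_APPS = json.loads("""
[
 {"name": "web", "properties": {"configuration": {"ingress": {
   "external": true, "targetPort": 80, "transport": "auto", "allowInsecure": true,
   "fqdn": "web.happyhill-70162bb9.canadacentral.azurecontainerapps.io"}}}},
 {"name": "api", "properties": {"configuration": {"ingress": {
   "external": false, "targetPort": 8080,
   "fqdn": "api.internal.happyhill-70162bb9.canadacentral.azurecontainerapps.io"}}}},
 {"name": "worker", "properties": {"configuration": {}}},
 {"name": "admin", "properties": {"configuration": {"ingress": {
   "external": true, "targetPort": 3000,
   "fqdn": "admin.internal.happyhill-70162bb9.canadacentral.azurecontainerapps.io"}}}}
]
""")


def audit_ingress(app):
    """Return a list of (severity, message) findings for one container app."""
    config = app.get("properties", {}).get("configuration") or {}
    ingress = config.get("ingress")
    if not ingress:
        return [("INFO", "ingress disabled: no ingress section present")]
    findings = []
    external = bool(ingress.get("external", False))  # false is the documented default
    if external:
        findings.append(("REVIEW", "external ingress: reachable from the internet or a VNET"))
    if ingress.get("allowInsecure", False):
        findings.append(("HIGH", "allowInsecure=true: port 80 is not redirected to HTTPS on 443"))
    if "targetPort" not in ingress:
        findings.append(("ERROR", "targetPort is required but missing"))
    # Internal FQDNs carry an 'internal' label right after the app name.
    labels = ingress.get("fqdn", "").split(".")
    if len(labels) > 1 and (labels[1] == "internal") == external:
        findings.append(("WARN", "FQDN form does not match the 'external' setting"))
    return findings


def audit_all(apps):
    """Map app name -> findings, for every app in the list."""
    return {app["name"]: audit_ingress(app) for app in apps}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_APPS).items():
        for severity, message in findings:
            print(f"{severity:6} {name}: {message}")
```

To run it against a real app, pass the parsed JSON from az containerapp show (without the --query filter) to audit_ingress.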