Troubleshoot secure routing from a container app service in one VNET in a closed resource group to another app service in a closed VNET in the same subscription, where both are peered to the same connectivity hub, with custom firewall and DNS configurations.

Aidan Rundell 0 Reputation points

Need help troubleshooting secure routing from a container app service from 1 VNET in a closed resource group to another app service in a different closed VNET both within the same subscription that are peered to a single connectivity hub, with custom firewall and DNS configurations connecting them all.

The firewall connectivity has been set up by our MSP and the calls are resolving (DNS records are resolving to an IP address), but how can I see the traffic movements from the container through to the firewall and where the traffic is heading?

  1. Anonymous

    Hi Aidan Rundell

    1. Could you please confirm what type of App Services you are using (for example, Azure Container Apps or Azure Web Apps and pricing tiers)?
    2. Outbound IPs – For App Service, do they know which outbound IPs are being used, and are those allowed on the firewall?
    3. Are firewall diagnostics/logs enabled, and do they see dropped traffic corresponding to the failed attempts?
    4. When the connection fails, do you see any specific error messages or codes that we can use to narrow down the issue?
    5. Could you clarify the exact behavior you are expecting from the firewall configuration on both sides?
    6. For troubleshooting purposes, would it be possible to temporarily allow all traffic (broad rule) and then re-apply restrictions as needed, to help isolate whether Network Security Groups are contributing to the issue?
    7. As part of diagnostics, could you check whether there are broader connectivity issues within the VNets? For example, can you reach other resources in the same VNet to confirm overall connectivity?
    8. App Service VNet integration mainly provides outbound connectivity. For inbound access, a Private Endpoint is required. Similarly, Container Apps use environment-subnet integration and can also leverage Private Endpoints. Could you validate which model is being used in your environment?

    Thanks

    Vimal Lalani

  2. Ravi Varma Mudduluru 12,370 Reputation points Microsoft External Staff Moderator

    Hello @Aidan Rundell

    We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.


1 answer

  1. Anonymous

    Hi Aidan Rundell

    Thank you for reaching out to the Microsoft Q&A forum.

    To see the traffic movements from the container through to the firewall and where the traffic is heading, you can:

    Enable Virtual Network Flow Logs to monitor traffic at the VNET level:

    • Logs include source/destination IPs, ports, protocols, and flow states.
    • You can export logs to SIEM tools or visualize them in dashboards.
    • Flow logs help identify blocked traffic, encryption status, and throughput.

    Reference link to follow: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview?tabs=Americas

    Ensure your container app subnet has a UDR that routes all outbound traffic to the firewall:

    • Address prefix: 0.0.0.0/0
    • Next hop type: Virtual appliance
    • Next hop address: Firewall’s private IP

    Reference link to follow: https://learn.microsoft.com/en-us/azure/container-apps/use-azure-firewall

    Configure Application Rules or Network Rules in Azure Firewall:

    Allow traffic to required FQDNs (e.g., mcr.microsoft.com, *.blob.core.windows.net) or service tags (e.g., AzureContainerRegistry, AzureKeyVault).

    Verify with curl:

        curl -s https://mcr.microsoft.com

    If allowed, you’ll get a response.

    If blocked, no response indicates firewall enforcement is working.

    Enable Monitoring and Diagnostics

    • Go to Azure Firewall → Logs → Application rule log data.
    • Enable AzureFirewallApplicationRule logging.
    • Use these logs to trace outbound requests and verify rule hits.

    Reference link to follow: https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall

    If you find this comment helpful, please “up-vote” for the information provided, as this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks

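As an added example (not part of the answer above and not Microsoft tooling), the Python below checks offline the two things the answer says to verify: that the container-app subnet's UDR sends 0.0.0.0/0 to the firewall's private IP, and what the AzureFirewallApplicationRule log says about the container's outbound flows. The route-table field names are assumed to follow `az network route-table route list` output, the log message shape follows Microsoft's documented sample for that category, and all sample data is constructed.

```python
import ipaddress
import re
# Message shape of the legacy AzureFirewallApplicationRule category
# (properties.msg), assumed from Microsoft's documented sample, e.g.
# "HTTPS request from 10.1.0.5:55640 to dest.com:443. Action: Allow.
#  Rule Collection: c1000. Rule: r1002"; denies end with "No rule matched".
MSG_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):\d+ to "
    r"(?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>\w+)\."
    r"(?: Rule Collection: (?P<coll>.+?)\. Rule: (?P<rule>.+))?"
)

def check_default_route(routes, firewall_ip):
    """True only if a 0.0.0.0/0 route sends traffic to the firewall's private IP."""
    return any(r.get("addressPrefix") == "0.0.0.0/0"
               and r.get("nextHopType") == "VirtualAppliance"
               and r.get("nextHopIpAddress") == firewall_ip for r in routes)

def summarize_app_rule_logs(records, subnet):
    """Keep flows sourced from the container-app subnet and report, per
    destination FQDN, the firewall action and the rule that matched."""
    net = ipaddress.ip_network(subnet)
    result = {}
    for rec in records:
        m = MSG_RE.match(rec.get("properties", {}).get("msg", ""))
        if not m or ipaddress.ip_address(m["src"]) not in net:
            continue  # unparsable line, or traffic from some other subnet
        rule = f"{m['coll']}/{m['rule']}" if m["rule"] else "no rule matched"
        result[m["dst"]] = (m["action"], rule)
    return result

# Constructed sample data (not from any real tenant).
FIREWALL_IP = "10.100.0.4"
ROUTES = [{"name": "to-fw", "addressPrefix": "0.0.0.0/0",
           "nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_IP}]
MSGS = [
    "HTTPS request from 10.20.1.7:50512 to mcr.microsoft.com:443. "
    "Action: Allow. Rule Collection: AllowRegistries. Rule: mcr",
    "HTTPS request from 10.20.1.7:50513 to app-b.azurewebsites.net:443. "
    "Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.30.0.9:41000 to mcr.microsoft.com:443. "
    "Action: Allow. Rule Collection: AllowRegistries. Rule: mcr",
]
LOGS = [{"category": "AzureFirewallApplicationRule",
         "properties": {"msg": m}} for m in MSGS]

if __name__ == "__main__":
    print("UDR points at firewall:", check_default_route(ROUTES, FIREWALL_IP))
    print(summarize_app_rule_logs(LOGS, "10.20.1.0/24"))
```

A Deny with "no rule matched" against the second app's hostname is the signature to look for when the call resolves in DNS but never arrives: the route is right and the firewall sees the flow, but no application rule allows that FQDN.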