How to restrict access for an existing Azure Container App to only be accessible via Azure VPN Gateway (Point-to-Site)

Question

How to restrict access for an existing Azure Container App to only be accessible via Azure VPN Gateway (Point-to-Site)

Abdelrhman Goma 55

We have over 30 Azure Container Apps in our infrastructure, all currently accessible over the public internet. Our goal is to restrict access so that these Container Apps are only reachable through our Azure VPN Gateway (Point-to-Site configuration), without having to recreate or redeploy the existing containers.

Is there a way to achieve this

Accepted answer

0 additional answers

Your answer

Answer 1

Sai Prabhu Naveen Parimi 3,470 Microsoft External Staff Moderator

@Abdelrhman Goma

Unfortunately, Microsoft doesn’t provide an in-place way to change the environment type. However, it’s not a full rebuild — you can follow a quick migration:

Create a new internal (VNet) Container Apps environment in the VPN-connected subnet.

Copy configurations and secrets from your existing apps.

Redeploy your container images into the new environment.

Test connectivity via VPN.

Update DNS/routing, then retire the old environment.

This keeps your existing containers intact while moving them to a VPN-only setup.

Sai Prabhu Naveen Parimi 3,470 Reputation points Microsoft External Staff Moderator

2025-08-08T13:55:49.6+00:00
Hello @Abdelrhman Goma

To limit access to your current Azure Container Apps so that only users connecting through Azure VPN Gateway (Point-to-Site) can reach them, you should update the public network access settings. Here’s how you can do this:

Disable Public Network Access: Set public network access to "Disabled" on your container apps to prevent any traffic from the public internet.

Enable Private Endpoints: Once public access is disabled, configure private endpoints. This ensures the apps are accessible only through your Azure Virtual Network (VNet), including the VPN Gateway.

Set Ingress Rules: Adjust ingress settings so that only traffic from within the VNet is accepted, allowing access solely to clients connected via VPN.

Application Gateway & WAF: If you’re looking for more advanced scenarios, consider placing your Container Apps behind an Application Gateway and utilizing its Web Application Firewall (WAF) capabilities for additional security layers.

These steps allow you to restrict access as required without needing to recreate or redeploy your container apps.

References:

Networking in Azure Container Apps environment

Use a private endpoint with an Azure Container Apps environment (azure-portal)

Protect Azure Container Apps with Web Application Firewall on Application Gateway

Hope this helps!
Sai Prabhu Naveen Parimi 3,470 Reputation points Microsoft External Staff Moderator

2025-08-11T09:35:22.1233333+00:00

@Abdelrhman Goma

I wanted to follow up to see if you’ve had an opportunity to look over my earlier response. Please let me know if you have any further questions.
Abdelrhman Goma 55 Reputation points

2025-08-11T09:50:50.5666667+00:00

Hello @Sai Prabhu Naveen Parimi

Thanks for the recommendations. I checked my current Azure Container Apps, but I don’t see any option to Disable Public Network Access. I suspect this might be because the Container Apps are deployed in an environment that’s configured as public. I also don’t see the settings for private endpoints or VNet-only ingress in the portal for these resources.

Is this limitation due to the environment type used when the Container Apps were created? If so, would changing it require creating a new environment with VNet integration?
Sai Prabhu Naveen Parimi 3,470 Reputation points Microsoft External Staff Moderator

2025-08-11T10:08:10.6633333+00:00

Hi @Abdelrhman Goma

You’re correct — this behavior is due to the environment type. Once an Azure Container Apps environment is created as public or internal, the type can’t be changed later (Microsoft documentation). That’s why you’re not seeing options for private endpoints or VNet-only ingress in the portal.

The only way to achieve VPN-only access is to deploy your apps into a new internal (VNet-integrated) environment and migrate them over.
Abdelrhman Goma 55 Reputation points

2025-08-11T10:27:36.6466667+00:00

Hi @Sai Prabhu Naveen Parimi

Is there any way to do it easily something Microsoft provide or i need to recreate everything from scratch
Sai Prabhu Naveen Parimi 3,470 Reputation points Microsoft External Staff Moderator

2025-08-12T08:43:15.7433333+00:00

@Abdelrhman Goma

Just checking in to see if you've had a chance to review my previous response. Let me know if you have any additional questions.
Abdelrhman Goma 55 Reputation points

2025-08-12T09:24:50.11+00:00

Hi @Sai Prabhu Naveen Parimi
i can't see Approval on your answer to approve it
Sai Prabhu Naveen Parimi 3,470 Reputation points Microsoft External Staff Moderator

2025-08-12T09:37:28.5+00:00

Hello Abdelrhman Goma,

I updated the comment to an answer. Please refresh and check if you can accept it now. This should assist others in the community looking for similar information. Thank you for your participation.

Share via

How to restrict access for an existing Azure Container App to only be accessible via Azure VPN Gateway (Point-to-Site)

0 additional answers

Your answer