I have an Azure Application Gateway in a specific vnet, which is publicly available. I also have an Azure Container Apps environment in a different VNET with multiple containers in it. I must expose some of these containers to the outside world using the Application gateway. There is a working VNET peering between the 2 vnets. The application gateway has a backend pool connected to the IP of the internal load balancer of the Azure Container Apps Environment. The backend pool connection to this load balancer is unhealthy. It states that it cannot connect and hints that there might be a NSG/UDR or firewall issue, but as far as I can see these are not used. The load balancer of the ACA is automaticly generated and in a managed resource group, it has an health probe at port 32172 at the "healthz" path. I tried to use this as a custom probe for the backend settings on the application gateway this does not work. Does anyone has any ideas it this construction is even possible and how this should work if it is.
This setup is already documented in the below article: Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF) | Microsoft Learn
Networking in Azure Container Apps environment | Microsoft Learn configure Azure Private DNS zone for the container apps domain and link that zone to the Vnet with which the container apps is integrated And add private link to the App gateway to establish a secured connection to internal-only container app environments allowing the Application Gateway to communicate with the Container App on the backend through the virtual network.
Following the above document, Here in this setup, I have allowed arkocontainerappr1 located in a different vnet to connect to the application gateway using public IP, Peered the two vnets
If NSG is giving blocker, then create a custom rule and proceed
and added private link to the App gateway to establish a secured connection to internal-only container app environments allowing the Application Gateway to communicate with the Container App on the backend through the virtual network.