Trouble shoot secure routing from a container app service from 1 VNET in a closed resource group to another app service in closed VNET in the same subscription that are both peered to the same connectivity hub, with custom firewall and DNS configurations.

Question

Trouble shoot secure routing from a container app service from 1 VNET in a closed resource group to another app service in closed VNET in the same subscription that are both peered to the same connectivity hub, with custom firewall and DNS configurations.

Aidan Rundell 0

Need help troubleshooting secure routing from a container app service from 1 VNET in a closed resource group to another app service in a different closed VNET both within the same subscription that are peered to a single connectivity hub, with custom firewall and DNS configurations connecting them all.

The firewall connectivity has been setup by our MSP and the calls are resolving (DNS records are resolving to an IP address) but how can I see the traffic movements from the container through to the firewall and where the traffic is heading?

Vimal Lalani 1,735 Reputation points Microsoft External Staff Moderator

2025-09-24T01:55:35.7866667+00:00
Hi Aidan Rundell

Could you please confirm what type of App Services you are using (for example, Azure Container Apps or Azure Web Apps and pricing tiers)?

Outbound IPs – For App Service, do they know which outbound IPs are being used, and are those allowed on the firewall?

Are firewall diagnostics/logs enabled, and do they see dropped traffic corresponding to the failed attempts?

When the connection fails, do you see any specific error messages or codes that we can use to narrow down the issue?

Could you clarify the exact behavior you are expecting from the firewall configuration on both sides?

For troubleshooting purposes, would it be possible to temporarily allow all traffic (broad rule) and then re-apply restrictions as needed, to help isolate whether Network Security Groups are contributing to the issue?

As part of diagnostics, could you check whether there are broader connectivity issues within the VNets? For example, can you reach other resources in the same VNet to confirm overall connectivity?

App Service VNet integration mainly provides outbound connectivity. For inbound access, a Private Endpoint is required. Similarly, Container Apps use environment-subnet integration and can also leverage Private Endpoints. Could you validate that the which model is being used in your environment?

Thanks

Vimal Lalani
Ravi Varma Mudduluru 1,790 Reputation points Microsoft External Staff Moderator

2025-09-25T19:36:33.68+00:00

Hello @Aidan Rundell

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

1 answer

Your answer

Vimal Lalani 1,735 Reputation points Microsoft External Staff Moderator

2025-09-24T01:55:35.7866667+00:00

Hi Aidan Rundell

Could you please confirm what type of App Services you are using (for example, Azure Container Apps or Azure Web Apps and pricing tiers)?

Outbound IPs – For App Service, do they know which outbound IPs are being used, and are those allowed on the firewall?

Are firewall diagnostics/logs enabled, and do they see dropped traffic corresponding to the failed attempts?

When the connection fails, do you see any specific error messages or codes that we can use to narrow down the issue?

Could you clarify the exact behavior you are expecting from the firewall configuration on both sides?

For troubleshooting purposes, would it be possible to temporarily allow all traffic (broad rule) and then re-apply restrictions as needed, to help isolate whether Network Security Groups are contributing to the issue?

As part of diagnostics, could you check whether there are broader connectivity issues within the VNets? For example, can you reach other resources in the same VNet to confirm overall connectivity?

App Service VNet integration mainly provides outbound connectivity. For inbound access, a Private Endpoint is required. Similarly, Container Apps use environment-subnet integration and can also leverage Private Endpoints. Could you validate that the which model is being used in your environment?

Thanks

Vimal Lalani
Ravi Varma Mudduluru 1,790 Reputation points Microsoft External Staff Moderator

2025-09-25T19:36:33.68+00:00

Hello @Aidan Rundell

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Answer 1

Hi Aidan Rundell

Thank you for reaching out to the Microsoft Q&A forum.

To see the traffic movements from the container through to the firewall and where the traffic is heading?

You can...

Enable Virtual Network Flow Logs to monitor traffic at the VNET level:

Logs include source/destination IPs, ports, protocols, and flow states.
You can export logs to SIEM tools or visualize them in dashboards.
Flow logs help identify blocked traffic, encryption status, and throughput

Reference link to follow:https://free.blessedness.top/en-us/azure/network-watcher/vnet-flow-logs-overview?tabs=Americas

Ensure your container app subnet has a UDR that routes all outbound traffic to the firewall:

Address prefix: 0.0.0.0/0
Next hop type: Virtual appliance
Next hop address: Firewall’s private IP

Reference link to follow:https://free.blessedness.top/en-us/azure/container-apps/use-azure-firewall

Configure Application Rules or Network Rules in Azure Firewall:

Allow traffic to required FQDNs (e.g., mcr.microsoft.com, *.blob.core.windows.net) or service tags (e.g., AzureContainerRegistry, AzureKeyVault)

Verify with curl

curl -s https://mcr.microsoft.com

If allowed, you’ll get a response.

If blocked, no response indicates firewall enforcement is working.

Enable Monitoring and Diagnostics

Go to Azure Firewall → Logs → Application rule log data.
Enable AzureFirewallApplicationRule logging.
Use these logs to trace outbound requests and verify rule hits

Reference link to follow: https://free.blessedness.top/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall

If you find this comment helpful, please “up-vote” for the information provided , this can be beneficial to community members.

Kindly let us know if you have any additional questions.

Thanks

Share via

Trouble shoot secure routing from a container app service from 1 VNET in a closed resource group to another app service in closed VNET in the same subscription that are both peered to the same connectivity hub, with custom firewall and DNS configurations.

1 answer

Your answer