Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
internal DNS zone for Container Apps is not being injected into my VNet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 34%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
DT
0
Reputation points
Hi there, Azure Container Apps Environments deployed with internal ingress are not injecting the required internal DNS zone into the VNet. As a result, no internal FQDNs resolve from any VM inside the same VNet, even though the environment and container apps deploy successfully and show internal ingress endpoints in the portal.
This issue persists across multiple new environments, multiple new subnets with no custom networking.
Would greatly appreciate help here.
Some additional details:
- Container Apps Environment created with:
- Public access disabled
- VNet integration enabled
- Internal load balancer assigned (private VIP)
- Container App created with:
- Ingress enabled
- Traffic limited to Container Apps Environment
- Internal FQDN generated, e.g.:
https://mancont312.internal.bravewater-d9e2aebd.eastus2.azurecontainerapps.io/
- From a VM in the same VNet using Azure DNS (168.63.129.16), DNS resolution fails: nslookup internal.eastus2.azurecontainerapps.io → NXDOMAIN The root zone (
internal.eastus2.azurecontainerapps.io) does not exist, which indicates the internal DNS zone was never injected into the VNet.
Azure Container Apps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 65%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator2026-03-12T18:25:07.7633333+00:00 Hi @DT ,
Thanks for reaching out to Microsoft Q&A.
It looks like you’ve done everything on the Container Apps side, but DNS for your internal FQDN isn’t magically “injected” into your VNet, you have to wire up that private DNS yourself or forward queries to Azure’s recursive resolver.
Follow below steps to get your
*.internal.<env>.<region>.azurecontainerapps.ionames to resolve from your VMs:- Verify your environment is really deployed with internal ingress and in the VNet -Run
• Confirm you see a non-nullaz containerapp env show \ -n <YourEnvName> \ -g <YourEnvRG> \ --query "{subnet:infrastructureSubnetId, dnsSuffix:customDomainConfiguration.customDomainLabel}"infrastructureSubnetIdand your DNS suffix looks like`mancont312.internal.bravewater-d9e2aebd.eastus2.azurecontainerapps.io` - Get the internal (ILB) IP address of your environment • Look in the MC_… resource group that Azure Container Apps created—find the Load Balancer resource and note its private frontend IP
- Create an Azure Private DNS zone for your default domain • In the Portal or via CLI, make a Private DNS zone named exactly
<UNIQUE_ENV_ID>.internal.<REGION>.azurecontainerapps.io(e.g.bravewater-d9e2aebd.eastus2.internal.eastus2.azurecontainerapps.io– check your actual suffix!) • In that zone, add an “A” record: • Name:*(or your app-specific host if you prefer) • IP address: the ILB frontend IP from step 2 - Link that DNS zone to your VNet • In the Private DNS zone’s “Virtual network links” blade, link it to the same VNet where your VMs live (and where the Container Apps environment is deployed)
- Check your VM’s DNS settings • If you’re using Azure-provided DNS, you’re done—just nslookup your FQDN and you should get the ILB IP • If you have a custom DNS server: make sure it forwards unresolved queries to Azure’s recursive resolver at 168.63.129.16 (or allow the AzurePlatformDNS service tag through your firewall/NSG)
Once your zone is linked and the record is in place, any VM in that VNet asking for
nslookup mancont312.internal.bravewater-d9e2aebd.eastus2.azurecontainerapps.iowill get back your private VIP and be able to route traffic to your container app via the internal load balancer.
Hope this helps!
References:
Deploy a Container Apps environment to a VNet
Securing a custom VNet in Azure Container Apps (NSG rules)
Private endpoints and DNS for virtual networks in Azure Container Apps environments
- Verify your environment is really deployed with internal ingress and in the VNet -Run
Sign in to comment
Sign in to answer