
Commit 6e07b18

fix: remove Container App IP restrictions, use application-layer proxy control
Container App IP restrictions block the frontend App Service proxy traffic since the CAE is external. Instead, rely on the application-layer approach: the /config endpoint returns the same-origin /api URL in WAF mode, so browsers never see the Container App URL. The proxy in frontend_server.py handles all /api/* routing server-side. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 5e0a205 commit 6e07b18

2 files changed

Lines changed: 0 additions & 32 deletions


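--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -1192,14 +1192,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
 managedIdentities: { userAssignedResourceIds: [userAssignedIdentity.outputs.resourceId] }
 ingressTargetPort: 8000
 ingressExternal: true
-ipSecurityRestrictions: enablePrivateNetworking ? [
-{
-name: 'allow-vnet-only'
-action: 'Allow'
-ipAddressRange: '10.0.0.0/8'
-description: 'Allow VNet traffic only'
-}
-] : []
 activeRevisionsMode: 'Single'
 corsPolicy: {
 allowedOrigins: [
@@ -1408,14 +1400,6 @@ module containerAppMcp 'br/public:avm/res/app/container-app:0.18.1' = {
 managedIdentities: { userAssignedResourceIds: [userAssignedIdentity.outputs.resourceId] }
 ingressTargetPort: 9000
 ingressExternal: true
-ipSecurityRestrictions: enablePrivateNetworking ? [
-{
-name: 'allow-vnet-only'
-action: 'Allow'
-ipAddressRange: '10.0.0.0/8'
-description: 'Allow VNet traffic only'
-}
-] : []
 activeRevisionsMode: 'Single'
 corsPolicy: {
 allowedOrigins: [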
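Review bot: With `ipSecurityRestrictions` gone and `ingressExternal: true` left in place, both `containerApp` (port 8000) and `containerAppMcp` (port 9000) accept connections from any source address even when `enablePrivateNetworking` is set; the same applies to the two hunks in infra/main_custom.bicep. Returning a same-origin `/api` URL from `/config` keeps the Container App hostname out of the browser but is not an access control, so the API and MCP endpoints must authenticate and authorize every request themselves rather than assume the call arrived through the frontend proxy. If a network boundary is still wanted, the usual options are an allow rule scoped to the App Service outbound addresses or an internal environment reached over VNet integration; which of these fits cannot be judged from these hunks, since the module bodies continue outside them. At minimum I would record the decision next to the setting, for example `// Public ingress by design: no IP restrictions; backend must enforce authn/authz, the frontend proxy is not a network boundary`.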

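--- a/infra/main_custom.bicep
+++ b/infra/main_custom.bicep
@@ -1219,14 +1219,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
 managedIdentities: { userAssignedResourceIds: [userAssignedIdentity.outputs.resourceId] }
 ingressTargetPort: 8000
 ingressExternal: true
-ipSecurityRestrictions: enablePrivateNetworking ? [
-{
-name: 'allow-vnet-only'
-action: 'Allow'
-ipAddressRange: '10.0.0.0/8'
-description: 'Allow VNet traffic only'
-}
-] : []
 activeRevisionsMode: 'Single'
 corsPolicy: {
 allowedOrigins: [
@@ -1450,14 +1442,6 @@ module containerAppMcp 'br/public:avm/res/app/container-app:0.18.1' = {
 managedIdentities: { userAssignedResourceIds: [userAssignedIdentity.outputs.resourceId] }
 ingressTargetPort: 9000
 ingressExternal: true
-ipSecurityRestrictions: enablePrivateNetworking ? [
-{
-name: 'allow-vnet-only'
-action: 'Allow'
-ipAddressRange: '10.0.0.0/8'
-description: 'Allow VNet traffic only'
-}
-] : []
 activeRevisionsMode: 'Single'
 corsPolicy: {
 allowedOrigins: [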
