Skip to content

Commit 7e8dd36

Browse files
fix: route post-deploy API calls through frontend proxy in WAF mode
When Container App ingress is internal (WAF/private networking), the post-deployment scripts cannot reach the backend API directly from the developer's machine. Detect internal ingress by checking the Container App's external property, and route API calls through the frontend App Service proxy (which is public and forwards /api/* to the backend over the VNet). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent a35f6da commit 7e8dd36

2 files changed

Lines changed: 34 additions & 0 deletions

File tree

infra/scripts/Selecting-Team-Config-And-Data.ps1

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -445,6 +445,23 @@ do {
445445
}
446446
} while (-not $useCaseValid)
447447

448+
# WAF/Private Networking: If the Container App ingress is internal, the backendUrl
449+
# is not reachable from the developer's machine. Route through the frontend App Service
450+
# proxy instead, which is public and forwards /api/* to the private backend over VNet.
451+
$solutionSuffix = az group show --name $ResourceGroup --query "tags.SolutionSuffix" -o tsv 2>$null
452+
if ($solutionSuffix) {
453+
$containerAppName = "ca-$solutionSuffix"
454+
$isInternal = az containerapp show --name $containerAppName --resource-group $ResourceGroup `
455+
--query "properties.configuration.ingress.external" -o tsv 2>$null
456+
if ($isInternal -eq "false") {
457+
$frontendHostname = "app-$solutionSuffix"
458+
$frontendUrl = "https://${frontendHostname}.azurewebsites.net"
459+
Write-Host "Private networking detected: Container App ingress is internal."
460+
Write-Host "Routing API calls through frontend App Service: $frontendUrl"
461+
$script:backendUrl = $frontendUrl
462+
}
463+
}
464+
448465
Write-Host ""
449466
Write-Host "==============================================="
450467
Write-Host "Values to be used:"

infra/scripts/selecting_team_config_and_data.sh

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -453,6 +453,23 @@ while [[ "$useCaseValid" != true ]]; do
453453
fi
454454
done
455455

456+
# WAF/Private Networking: If the Container App ingress is internal, the backendUrl
457+
# is not reachable from the developer's machine. Route through the frontend App Service
458+
# proxy instead, which is public and forwards /api/* to the private backend over VNet.
459+
solutionSuffix=$(az group show --name "$ResourceGroup" --query "tags.SolutionSuffix" -o tsv 2>/dev/null)
460+
if [[ -n "$solutionSuffix" ]]; then
461+
containerAppName="ca-${solutionSuffix}"
462+
isExternal=$(az containerapp show --name "$containerAppName" --resource-group "$ResourceGroup" \
463+
--query "properties.configuration.ingress.external" -o tsv 2>/dev/null)
464+
if [[ "$isExternal" == "false" ]]; then
465+
frontendHostname="app-${solutionSuffix}"
466+
frontendUrl="https://${frontendHostname}.azurewebsites.net"
467+
echo "Private networking detected: Container App ingress is internal."
468+
echo "Routing API calls through frontend App Service: $frontendUrl"
469+
backendUrl="$frontendUrl"
470+
fi
471+
fi
472+
456473
echo ""
457474
echo "==============================================="
458475
echo "Values to be used:"

0 commit comments

Comments
 (0)