Access an app in Azure Spring Apps in a virtual network

Note

The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.

The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps.

This article explains how to access an endpoint for your application in a private network.

When you assign an endpoint on an application in an Azure Spring Apps service instance deployed in your virtual network, the endpoint uses a private fully qualified domain name (FQDN). The domain is only accessible in the private network. Apps and services use the application endpoint. They include the Test Endpoint described in the View apps and deployments section of Set up a staging environment in Azure Spring Apps. Log streaming, described in Stream Azure Spring Apps app logs in real-time, also works only within the private network.

The following two options are available to make the endpoint you assigned accessible:

  • Create your own private Domain Name Service (DNS) zone and link it to Azure Spring Apps. This method is highly recommended as Azure Spring Apps automatically links the DNS zone with your virtual network and manages DNS record for your application's endpoint.

  • Create your own private DNS zone and manually manage the virtual network link and DNS records, following instructions for locating the Load Balancer (LB) IP address of your Azure Spring Apps service instance.

Prerequisites

  • An Azure subscription. If you don't have a subscription, create a Trial before you begin.
  • (Optional) Azure CLI version 2.45.0 or higher.
  • An existing application in an Azure Spring Apps service instance deployed to a virtual network. For more information, see Deploy Azure Spring Apps in a virtual network.

Create a private DNS zone

Use the following steps to create a private DNS zone for an application in the private network:

  1. Open the Azure portal. Using the search box, search for Private DNS zones. Select Private DNS zones from the search results.

  2. On the Private DNS zones page, select Add.

  3. Fill out the form on the Create Private DNS zone page. For Name, enter private.microservices.azure.cn.

  4. Select Review + Create.

  5. Select Create.

It might take a few minutes to create the zone.

Configure your private DNS zone to automatically manage endpoints

After creating a private DNS zone, you can use Azure Spring Apps to manage your private DNS zones. This approach simplifies the process of handling virtual network links and DNS records. This approach is especially useful in environments with multiple instances within a single virtual network or in environments that use virtual network peerings. Azure Spring Apps automates the management of virtual network links and the dynamic addition or removal of DNS "A" records as endpoints are assigned or unassigned.

Note

Azure Spring Apps doesn't automatically manage endpoints assigned before the addition of the private DNS zone. To enable DNS record management for these endpoints, unassign and then reassign the endpoints.

Grant permission to the private DNS zone

Use the following steps to grant permission:

  1. Select the private DNS zone resource you created - for example, private.microservices.azure.cn.

  2. Select Access control (IAM), and then select Add > Add role assignment.

    Screenshot of the Azure portal Access Control (IAM) page that shows the Check access tab with the Add role assignment button highlighted.

  3. Assign the Private DNS Zone Contributor role to the Azure Spring Apps Resource Provider. For more information, see Assign Azure roles using the Azure portal.

    Note

    If you don't find Azure Spring Apps Resource Provider, search for Azure Spring Cloud Resource Provider.

    Screenshot of the Azure portal that shows the Access Control (IAM) page, with the Add Role Assignment pane open and search results displaying the Azure Spring Apps Resource Provider.

To link the private DNS zone with your Azure Spring Apps service instance, use the Azure CLI. This step involves specifying your resource group, the Azure Spring Apps instance name, and the resource ID of the private DNS zone.

Use the following command to configure the private DNS zone with Azure Spring Apps. This configuration enables Azure Spring Apps to automatically create a virtual network link in the private DNS zone and manage the addition or removal of DNS "A" records as endpoints are assigned or unassigned.

az spring private-dns-zone add \
    --resource-group $RESOURCE_GROUP \
    --service $AZURE_SPRING_APPS_INSTANCE_NAME \
    --zone-id $PRIVATE_DNS_ZONE_RESOURCE_ID

If you wish to unlink your Azure Spring Apps instance from the private DNS zone and stop the automatic management of DNS "A" records, you can clean the configuration. Use the following command to clean the private DNS zone configured with Azure Spring Apps:

az spring private-dns-zone clean \
    --resource-group $RESOURCE_GROUP \
    --service $AZURE_SPRING_APPS_INSTANCE_NAME

Configure your private DNS zone manually

If you prefer to have full control over your private DNS zone, the following sections show you how to manually configure it.

Find the IP address for your application

Use the following steps to find the IP address for your application:

  1. Go to the Azure Spring Apps service Networking page.

  2. Select the Vnet injection tab.

  3. In the General info section, find Endpoint and copy the IP Address value. The example in the following screenshot uses the IP address 10.0.1.6:

    Screenshot of the Azure portal that shows the Vnet injection Endpoint information.

Add a DNS for the IP address

If you have your own DNS solution for your virtual network, like Active Directory Domain Controller, Infoblox, or another, you need to point the domain *.private.microservices.azure.cn to the IP address. Otherwise, use the following instructions to create an Azure Private DNS Zone in your subscription to translate/resolve the private FQDN to its IP address.

Note

If you're using Microsoft Azure operated by 21Vianet, be sure to replace private.microservices.azure.cn with private.microservices.azure.cn in this article. For more information, see the Check Endpoints in Azure section of the Microsoft Azure operated by 21Vianet developer guide.

Create the DNS record

You must create an "A" type record in the private DNS zone.

Use the following steps to use the private DNS zone to translate/resolve DNS:

  1. Select the private DNS zone resource you created - for example, private.microservices.azure.cn.

  2. Select Record set.

  3. In Add record set, enter or select the following information:

    Setting Value
    Name Enter *.
    Type Select A.
    TTL Enter 1.
    TTL unit Select Hours.
    IP address Enter the IP address. The following screenshot uses the IP address 10.1.0.7.

    Screenshot of the Azure portal that shows the Add record set page.

  4. Select OK.

To link the private DNS zone to the virtual network, you need to create a virtual network link.

Use the following steps to link the private DNS zone you created to the virtual network holding your Azure Spring Apps service:

  1. Select the private DNS zone resource you created - for example, private.microservices.azure.cn.

  2. Select Virtual network links, and then select Add.

  3. For Link name, enter azure-spring-apps-dns-link.

  4. For Virtual network, select the virtual network you created previously.

    Screenshot of the Azure portal that shows the Add virtual network link page.

  5. Select OK.

Assign a private FQDN for your application

After you configure your Private DNS Zone and deploy Azure Spring Apps in a virtual network, you can assign a private FQDN for your application. For more information, see Deploy Azure Spring Apps in a virtual network.

Use the following steps to assign a private FQDN:

  1. Select the Azure Spring Apps service instance deployed in your virtual network, and open the Apps tab.

  2. Select the application to open the Overview page.

  3. Select Assign Endpoint to assign a private FQDN to your application. Assigning an FQDN can take a few minutes.

    Screenshot of the Azure portal that shows the Overview page with Assign endpoint highlighted.

  4. The assigned private FQDN (labeled URL) is now available. You can only access the URL within the private network, but not on the internet.

Access the application's private FQDN

After the assignment, you can access the application's private FQDN in the private network. For example, you can create a jumpbox machine in the same virtual network or in a peered virtual network. Then, on that jumpbox or virtual machine, you can access the private FQDN.

Screenshot of the sample application in a browser window with the private FQDN highlighted in the URL.

Clean up resources

If you plan to continue working with subsequent articles, you might want to leave these resources in place. When you no longer need them, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using the Azure CLI, use the following command:

az group delete --name $RESOURCE_GROUP

Next steps