Expose applications on Azure Spring Apps to the internet from a public network
Note
The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.
The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps.
This article describes how to expose applications on Azure Spring Apps to the internet from a public network.
You can expose applications to the internet with TLS Termination or end-to-end TLS using Application Gateway. These approaches are described in Expose applications to the internet with TLS Termination at Application Gateway and Expose applications with end-to-end TLS in a virtual network. These approaches work well, but Application Gateway can involve a complicated setup and extra expense.
If you don't want to use Application Gateway for advanced operations, you can expose your applications to the internet with one click using the Azure portal or one command using the Azure CLI. The only extra expense is a standard public IP for one Azure Spring Apps service instance, regardless of how many apps you want to expose.
Prerequisites
- An Azure Spring Apps service instance deployed in a virtual network and an app created in it. For more information, see Deploy Azure Spring Apps in a virtual network.
Assign a public fully qualified domain name (FQDN) for your application in a virtual network injection instance
Use the following steps to assign a public FQDN for your application.
Select the Azure Spring Apps service instance deployed in your virtual network, and then open the Apps tab in the menu on the left.
Select the application to show the Overview page.
Select Assign Public Endpoint to assign a public FQDN to your application. Assigning an FQDN can take a few minutes.
The assigned public FQDN (labeled URL) is now available. It can only be accessed within the public network.
Use a public URL to access your application from both inside and outside the virtual network
You can use a public URL to access your application both inside and outside the virtual network. Follow the steps in Access your application in a private network to bind the domain .private.microservices.azure.cn
to the service runtime Subnet private IP address in your private DNS zone while keeping the Assign Endpoint in a disable state. You can then access the app using the public URL from both inside and outside the virtual network.
Secure traffic to the public endpoint
To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see Tutorial: Filter network traffic with a network security group using the Azure portal. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Note
If you couldn't access your application in a virtual network injection instance from internet after you have assigned a public FQDN, check your network security group first to see whether you have allowed such inbound traffic.