IMPORTANT: Breaking change for Private Link + IP Restrictions

[simonjj]

Hello all!

We're rolling out a fix that changes how client IPs are resolved in Private Link-enabled Container Apps environments that use IP ingress restrictions.

TL;DR

Until now, if you had Private Link enabled, your app was seeing our internal proxy's IP instead of the real client IP. This meant IP restriction rules were matching against proxy IPs, and many of you had to add infra subnet ranges to your allowlists as a workaround.

We've fixed this — your app will now see the actual client IP.

This also means X-Forwarded-For will now correctly show the real client IP.

Action needed before we deploy

If you're using Private Link + IP restrictions, make sure your real client IPs are in the allowlist before this rolls out. Otherwise, traffic that used to get through (via the proxy IP match) will start getting blocked.

Here's what to do:

• Add your actual client IPs to the allowlist
• Keep the infra subnet ranges if you already have them — no need to remove, they won't cause issues
• Test access after updating

What does this affect?

Only environments where all three of these are true:

1. Private Link is enabled
2. IP restrictions are configured
3. The allowlist has infra subnet ranges but not real client IPs

Post-Change Actions

• After the change has been rolled out, we will notify via the comments, and you can remove the old gateway addresses since they will lose their purpose.

Docs

• IP ingress restrictions
• Ingress overview

Drop a comment if you have questions!

[BlackRider97]

How to Identify Impacted Resources?

// Run in Azure Resource Graph Explorer:
// https://portal.azure.com/#view/HubsExtension/ArgQueryBlade
// ============================================================================

// Step 1: Find managed environments that have Private Link enabled
resources
| where type =~ "microsoft.network/privateendpoints"
| mv-expand conn = properties.privateLinkServiceConnections
| extend targetId = tolower(tostring(conn.properties.privateLinkServiceId))
| where targetId contains "microsoft.app/managedenvironments"
| distinct targetId
| project privateLinkEnvId = targetId
// Step 2: Join with Container Apps that have IP security restrictions
| join kind=inner (
    resources
    | where type =~ "microsoft.app/containerapps"
    | extend ingress = properties.configuration.ingress
    | where isnotempty(ingress)
    | extend ipRestrictions = ingress.ipSecurityRestrictions
    | where isnotempty(ipRestrictions) and array_length(ipRestrictions) > 0
    | extend envId = tolower(tostring(properties.managedEnvironmentId))
    | project
        appId = id,
        appName = name,
        resourceGroup,
        subscriptionId,
        envId,
        ipRestrictions
) on $left.privateLinkEnvId == $right.envId
// Step 3: Expand IP restriction rules so you can review each entry
| mv-expand rule = ipRestrictions
| extend
    ruleName = tostring(rule.name),
    ruleAction = tostring(rule.action),
    ipRange = tostring(rule.ipAddressRange)
| project
    appName,
    appId,
    resourceGroup,
    subscriptionId,
    environmentId = privateLinkEnvId,
    ruleName,
    ruleAction,
    ipRange
| order by appName asc, ruleName asc

[BlackRider97]

For additional context, these are the ACA infrastructure subnets that customers might have temporarily allowed in their ingress rules as a workaround to enable Private Endpoint traffic:

• 100.100.0.0/17
• 100.100.128.0/19
• 100.100.160.0/19
• 100.100.192.0/19

Customers may have explicitly permitted these CIDR ranges in their NSG or firewall rules to allow Private Endpoint connectivity while troubleshooting the issue.

Sharing this here for better visibility and to help others who might be investigating similar behavior.

Reference:
Configuring virtual networks Azure Container Apps environments | Microsoft Learn