Azure Container Apps (ACA) and Cloudflare
In this article, we will configure and use Cloudflare to protect our client-facing web applications running on Azure Container Apps.
You will need the following:
- Domain name
- Web Application running on ACA
- Cloudflare account
1. Get your web application up and running
Running your containerized web applications in ACA is very straightforward and flexible. If you are new to ACA, a great starting point is following this quickstart:
https://learn.microsoft.com/en-us/azure/container-apps/quickstart-portal
Once your web app is up and running, navigate to the Custom Domains page and click the Add button.
Here we enter our domain name and take note of the Domain validation records; we will need them in Cloudflare shortly.
2. Add your website to Cloudflare
After adding your website to Cloudflare, navigate to the SSL/TLS page. Of the available encryption modes, select Full (strict): it enforces TLS on both legs (browser to Cloudflare and Cloudflare to origin) and requires the origin to present a certificate that Cloudflare trusts.
Once Full (strict) is enabled, navigate to the Origin Certificate page and click the Create Certificate button. Here we create the origin certificate that the Azure Container App will present to Cloudflare. Note that it is issued by Cloudflare's Origin CA, which browsers do not trust; it secures only the Cloudflare-to-origin leg, so the proxied hostname must stay behind Cloudflare.
Leave the default settings:
- Generate private key and CSR with Cloudflare
- Private Key type RSA (2048)
- List of hostnames: the apex of your domain (example.com) and a wildcard (*.example.com).
After clicking Create, you will see a page with your generated Origin Certificate and Private Key.
Save both on your local machine: the Origin Certificate with the extension .pem and the Private Key with the extension .key. Cloudflare does not show the private key again after you leave this page, so store it securely.
Next, we bundle the certificate and key into a password-protected .pfx (PKCS #12) file with the openssl pkcs12 command. OpenSSL prompts for the export password; Azure will ask for the same password when the certificate is uploaded.
openssl pkcs12 -inkey cloudflare.key -in cloudflare.pem -export -out cloudflare.pfx
The .pfx file we generated will be used in the Azure Container Apps portal to finalise the setup, but first, we will update the DNS records in Cloudflare to point to the Azure Container App.
Navigate to the DNS page in Cloudflare and add the A record and the TXT record exactly as instructed in the Domain Validation section of the Azure Container Apps portal (see Image 2: Add a custom domain). The A record points at the ingress IP of the Container App; the TXT record proves ownership of the hostname to Azure.
3. Add the custom domain and certificate to ACA
Navigate back to the Azure portal and continue where we left off.
After clicking the Validate button, you should see a message that validation passed.
If you enabled the Proxy option in the Cloudflare DNS configuration for the A record, you will see an Error status for the A record. This is expected: with proxying on, the hostname resolves to Cloudflare's addresses rather than to the ingress IP, so Azure's A-record check cannot match. The TXT record still proves ownership, so you can ignore this status and proceed to the certificate configuration step by clicking the Next button.
In the next step, you will be prompted to select a certificate. Since we don't have any certificates to bind yet, click the Create new link and, on the next screen, upload the .pfx certificate we generated earlier, supplying the export password.
After the certificate is validated, we add it.
After completing the steps above we will see our domain in the list of custom domains.
At this point, we are done. Our web app will be reachable by entering our domain in the browser.
If you want to use any other subdomain like www, you can repeat the steps from above, using the same certificate.
Origin Restriction
In the scenario above the Azure Container Apps ingress is exposed on a public IP address. This leaves the door open for traffic that bypasses Cloudflare: anyone who learns the ingress address (or the default *.azurecontainerapps.io hostname) can reach the app directly and sidestep every control Cloudflare applies in front of it. At this time ACA does not provide advanced access restrictions that could block requests which bypass Cloudflare.
To remediate this, you will have to alter your application code to accept only traffic coming from Cloudflare, by checking the source address of each request against Cloudflare's published IP ranges (https://www.cloudflare.com/ips/).
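The check described above, as an added example that is not part of the original article or of Azure Container Apps: a small WSGI middleware that refuses any request whose connecting peer is outside a Cloudflare allowlist. The CIDR ranges embedded here are constructed documentation ranges standing in for Cloudflare's published lists (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), which a real deployment would load and refresh. The example assumes, as is standard proxy behaviour, that the ACA ingress appends the address of the host that connected to it as the last X-Forwarded-For entry; earlier entries, and the CF-Connecting-IP header, are supplied by the client and cannot be trusted for this decision.

```python
import ipaddress

# Constructed stand-in for Cloudflare's published ranges (RFC 5737 / RFC 3849
# documentation space). Production code loads the real lists from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
# at startup and refreshes them periodically.
SAMPLE_CLOUDFLARE_RANGES = (
    "198.51.100.0/24",
    "2001:db8:cf::/48",
)


def build_allowlist(cidrs):
    """Parse CIDR strings once so every request only does a membership test."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


def connecting_peer(headers, remote_addr):
    """Return the address of the host that connected to the ingress.

    Behind the ACA ingress proxy, remote_addr is the proxy itself. The proxy
    appends the real peer (a Cloudflare edge, or a client bypassing Cloudflare)
    as the LAST X-Forwarded-For entry (assumption: standard proxy behaviour).
    Anything earlier in the list was written by the client and is untrusted.
    """
    xff = headers.get("X-Forwarded-For", "")
    if xff.strip():
        return xff.split(",")[-1].strip()
    return remote_addr  # no proxy in front: the socket peer is the client


def is_from_cloudflare(addr, allowlist):
    """True if addr parses as an IP and falls in one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed header value: fail closed
    return any(ip in net for net in allowlist)


def should_serve(headers, remote_addr, allowlist):
    """Policy decision for one request: serve only if it arrived via Cloudflare."""
    return is_from_cloudflare(connecting_peer(headers, remote_addr), allowlist)


def cloudflare_only(app, allowlist):
    """WSGI middleware: wrap any WSGI app so direct-to-origin requests get 403."""
    def middleware(environ, start_response):
        headers = {"X-Forwarded-For": environ.get("HTTP_X_FORWARDED_FOR", "")}
        if should_serve(headers, environ.get("REMOTE_ADDR", ""), allowlist):
            return app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"direct access to the origin is not allowed\n"]
    return middleware


def demo_app(environ, start_response):
    """Minimal protected application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the container app\n"]


def run_request(app, environ):
    """Drive a WSGI app without a server; returns (status, body)."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_CLOUDFLARE_RANGES)
    protected = cloudflare_only(demo_app, allow)
    # Legitimate path: client -> Cloudflare edge (198.51.100.20) -> ACA ingress.
    print(run_request(protected, {"REMOTE_ADDR": "10.0.0.5",
                                  "HTTP_X_FORWARDED_FOR": "203.0.113.7, 198.51.100.20"}))
    # Bypass attempt: client connects to the ingress directly and forges XFF.
    print(run_request(protected, {"REMOTE_ADDR": "10.0.0.5",
                                  "HTTP_X_FORWARDED_FOR": "198.51.100.20, 203.0.113.7"}))
```

Only the rightmost X-Forwarded-For entry is trusted because that is the one the ingress itself wrote; a client connecting directly can put a Cloudflare address earlier in the header but cannot change the address the ingress observed on the socket. Malformed values are rejected rather than allowed, and IPv6 peers are matched against IPv6 ranges by the same code path.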