[Network] Deploy an Internal Container Apps Environment - as Private Endpoints?

[raddragan]

https://aspire.dev/integrations/cloud/azure/azure-virtual-network/#complete-example demos an example of a publicly-exposed ACA environment. The "For more information" link mostly describes configuring an Internal ACA environment, but there doesn't appear to be a way to do this in Aspire.

// Configure the Container App Environment to use the VNet.
// WithDelegatedSubnet assigns the subnet to the ACA environment,
// enabling subnet delegation so ACA can inject its infrastructure.
// For more information, see: https://learn.microsoft.com/azure/container-apps/custom-virtual-networks
builder.AddAzureContainerAppEnvironment("env")
    .WithDelegatedSubnet(containerAppsSubnet);

The above code deploys the Container Apps Environment with a public IP address only, without Private Endpoints or IPs on the vnet.

The extension method AzurePrivateEndpointExtensions.AddPrivateEndpoint supports targets of IAzurePrivateEndpointTarget, of which AzureContainerAppEnvironmentResource does not implement. Resources which implement this interface are limited to KeyVault, Sql, and Storage.

    [AspireExport("addPrivateEndpoint", Description = "Adds an Azure Private Endpoint resource to an Azure subnet resource.")]
    public static IResourceBuilder<AzurePrivateEndpointResource> AddPrivateEndpoint(
        this IResourceBuilder<AzureSubnetResource> subnet,
        IResourceBuilder<IAzurePrivateEndpointTarget> target)

Can someone please confirm that Internal Container Apps Environments are not supported in Aspire?

I would appreciate suggestions on how to implement this - should I implement my own version of AddPrivateEndpoint against the AzureContainerAppEnvironmentResource? Should I publish the container apps outside of aspire and somehow deploy to an existing container apps environment? Or script the private endpoint creation once aspire deploys? Inject custom bicep templates somehow?

TLDR: Sample code has a "For more information" link on Internal Container Apps Environment - this functionality is currently missing, while the documentation does not highlight the current and/or intended scope of the integration.

[davidfowl]

@eerhardt @mitchdenny

[eerhardt]

They aren't implemented yet, but on my list of how to implement/design. At a high-level I imagine that AzureContainerAppEnvironmentResource will implement IAzurePrivateEndpointTarget at some future date.

One thing you can do today is is disable public network access:

var aca = builder.AddAzureContainerAppEnvironment("aca")
    .ConfigureInfrastructure(infra =>
    {
        var env = infra.GetProvisionableResources().OfType<ContainerAppManagedEnvironment>().Single();

        env.PublicNetworkAccess = ContainerAppPublicNetworkAccess.Disabled;
    });

Adding the private DNS zones and private endpoint is a bit harder - thus why it isn't done yet. But it should be possible using Azure.Provisioning.Dns and Azure.Provisioning.Network APIs - dropping down to the C# bicep APIs to get the correct bicep generated.

I opened Support ACA Private Endpoints (microsoft/aspire#16213) to track this work.