Update per cachai review.

v-jaswel · v-jaswel · commit 1783cfce9254 · 2025-05-01T15:21:51.000-07:00
diff --git a/articles/container-apps/TOC.yml b/articles/container-apps/TOC.yml
@@ -347,8 +347,8 @@
   items:
     - name: Overview
       href: networking.md
-    - name: Configuration
-      href: networking-configuration.md
+    - name: Environment-level networking
+      href: environment-level-networking.md
     - name: Ingress
       items:
         - name: Overview
@@ -388,7 +388,7 @@
           items:
           - name: Use rule-based routing
             href: rule-based-routing.md
-          - name: Configure a custom domain
+          - name: Use a custom domain with rule-based routing
             href: rule-based-routing-custom-domain.md
         - name: Securing a custom VNET with an NSG
           href: firewall-integration.md
diff --git a/articles/container-apps/custom-virtual-networks.md b/articles/container-apps/custom-virtual-networks.md
@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic:  conceptual
-ms.date: 11/21/2023
+ms.date: 05/01/2025
 ms.author: cshoe
 ---
 
@@ -123,35 +123,41 @@ If you're using the CLI, the parameter to define the subnet resource ID is `infr
 
 If you're using the Azure CLI with a Consumption only environment and the [platformReservedCidr](vnet-custom-internal.md#networking-parameters) range is defined, both subnets must not overlap with the IP range defined in `platformReservedCidr`.
 
-## <a name="private-endpoint"></a>Private endpoint (preview)
+## NAT gateway integration
+
+You can use NAT Gateway to simplify outbound connectivity for your outbound internet traffic in your virtual network in a workload profiles environment.
 
-Azure private endpoint enables clients located in your private network to securely connect to your Azure Container Apps environment through Azure Private Link. A private link connection eliminates exposure to the public internet. Private endpoints use a private IP address in your Azure virtual network address space. 
+When you configure a NAT Gateway on your subnet, the NAT Gateway provides a static public IP address for your environment. All outbound traffic from your container app is routed through the NAT Gateway's static public IP address.
 
-This feature is supported for both Consumption and Dedicated plans in workload profile environments.
+## Managed resources
 
-#### Tutorials
-- To learn more about how to configure private endpoints in Azure Container Apps, see the [Use a private endpoint with an Azure Container Apps environment](how-to-use-private-endpoint.md) tutorial.
-- Private link connectivity with Azure Front Door is supported for Azure Container Apps. Refer to [create a private link with Azure Front Door](how-to-integrate-with-azure-front-door.md) for more information.
+When you deploy an internal or an external environment into your own network, a new resource group is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform. Don't modify the services in this group or the resource group itself.
 
-#### Considerations
-- Private endpoints on Azure Container Apps only support inbound HTTP traffic. TCP traffic isn't supported.
-- To use a private endpoint with a custom domain and an *Apex domain* as the *Hostname record type*, you must configure a private DNS zone with the same name as your public DNS. In the record set, configure your private endpoint's private IP address instead of the container app environment's IP address. When you configure your custom domain with CNAME, the setup is unchanged. For more information, see [Set up custom domain with existing certificate](custom-domains-certificates.md).
-- Your private endpoint's VNet can be separate from the VNet integrated with your container app.
-- You can add a private endpoint to both new and existing workload profile environments.
+# [Workload profiles environment](#tab/workload-profiles-env)
 
-In order to connect to your container apps through a private endpoint, you must configure a private DNS zone.
+The name of the resource group created in the Azure subscription where your environment is hosted is prefixed with `ME_` by default, and the resource group name *can* be customized as you create your container app environment.
 
-| Service | subresource | Private DNS zone name |
-|--|--|--|
-| Azure Container Apps (Microsoft.App/ManagedEnvironments) | managedEnvironment | privatelink.{regionName}.azurecontainerapps.io |
+For external environments, the resource group contains a public IP address used specifically for inbound connectivity to your external environment and a load balancer. For internal environments, the resource group only contains a [Load Balancer](https://azure.microsoft.com/pricing/details/load-balancer/).
 
-You can also [use private endpoints with a private connection to Azure Front Door](how-to-integrate-with-azure-front-door.md) in place of Application Gateway. This feature is in preview.
+In addition to the standard [Azure Container Apps billing](./billing.md), you're billed for:
 
-## NAT gateway integration
+- One standard static [public IP](https://azure.microsoft.com/pricing/details/ip-addresses/) for egress if using an internal or external environment, plus one standard static [public IP](https://azure.microsoft.com/pricing/details/ip-addresses/) for ingress if using an external environment. If you need more public IPs for egress due to SNAT issues, [open a support ticket to request an override](https://azure.microsoft.com/support/create-ticket/).
 
-You can use NAT Gateway to simplify outbound connectivity for your outbound internet traffic in your virtual network in a workload profiles environment.
+- One standard [load balancer](https://azure.microsoft.com/pricing/details/load-balancer/).
 
-When you configure a NAT Gateway on your subnet, the NAT Gateway provides a static public IP address for your environment. All outbound traffic from your container app is routed through the NAT Gateway's static public IP address.
+- The cost of data processed (in GBs) includes both ingress and egress for management operations.
+
+# [Consumption only environment](#tab/consumption-only-env)
+
+The name of the resource group created in the Azure subscription where your environment is hosted is prefixed with `MC_` by default, and the resource group name *can't* be customized when you create a container app. The resource group contains public IP addresses used specifically for outbound connectivity from your environment and a load balancer.
+
+In addition to the standard [Azure Container Apps billing](./billing.md), you're billed for:
+
+- One standard static [public IP](https://azure.microsoft.com/pricing/details/ip-addresses/) for egress. If you need more IPs for egress due to Source Network Address Translation (SNAT) issues, [open a support ticket to request an override](https://azure.microsoft.com/support/create-ticket/).
+
+- Two standard [load balancers](https://azure.microsoft.com/pricing/details/load-balancer/) if using an internal environment, or one standard [load balancer](https://azure.microsoft.com/pricing/details/load-balancer/) if using an external environment. Each load balancer has fewer than six rules. The cost of data processed (in GBs) includes both ingress and egress for management operations.
+
+---
 
 ## Next steps
 
diff --git a/articles/container-apps/environment-level-networking.md b/articles/container-apps/environment-level-networking.md
@@ -1,47 +1,17 @@
 ---
-title: Networking configuration in Azure Container Apps environment
-description: Learn how to configure networking in Azure Container Apps.
+title: Networking configuration in an Azure Container Apps environment
+description: Learn how to configure networking in an Azure Container Apps environment.
 services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic:  conceptual
-ms.date: 04/11/2025
+ms.date: 05/01/2025
 ms.author: cshoe
 ---
 
-# Networking configuration in Azure Container Apps environment
+# Networking in an Azure Container Apps environment
 
-Azure Container Apps run in the context of an environment, with its own virtual network (VNet). This VNet creates a secure boundary around your Azure Container Apps [environment](environment.md). This article tells you how to configure your VNet.
-
-## Managed resources
-
-When you deploy an internal or an external environment into your own network, a new resource group is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform. Don't modify the services in this group or the resource group itself.
-
-# [Workload profiles environment](#tab/workload-profiles-env)
-
-The name of the resource group created in the Azure subscription where your environment is hosted is prefixed with `ME_` by default, and the resource group name *can* be customized as you create your container app environment.
-
-For external environments, the resource group contains a public IP address used specifically for inbound connectivity to your external environment and a load balancer. For internal environments, the resource group only contains a [Load Balancer](https://azure.microsoft.com/pricing/details/load-balancer/).
-
-In addition to the standard [Azure Container Apps billing](./billing.md), you're billed for:
-
-- One standard static [public IP](https://azure.microsoft.com/pricing/details/ip-addresses/) for egress if using an internal or external environment, plus one standard static [public IP](https://azure.microsoft.com/pricing/details/ip-addresses/) for ingress if using an external environment. If you need more public IPs for egress due to SNAT issues, [open a support ticket to request an override](https://azure.microsoft.com/support/create-ticket/).
-
-- One standard [load balancer](https://azure.microsoft.com/pricing/details/load-balancer/).
-
-- The cost of data processed (in GBs) includes both ingress and egress for management operations.
-
-# [Consumption only environment](#tab/consumption-only-env)
-
-The name of the resource group created in the Azure subscription where your environment is hosted is prefixed with `MC_` by default, and the resource group name *can't* be customized when you create a container app. The resource group contains public IP addresses used specifically for outbound connectivity from your environment and a load balancer.
-
-In addition to the standard [Azure Container Apps billing](./billing.md), you're billed for:
-
-- One standard static [public IP](https://azure.microsoft.com/pricing/details/ip-addresses/) for egress. If you need more IPs for egress due to Source Network Address Translation (SNAT) issues, [open a support ticket to request an override](https://azure.microsoft.com/support/create-ticket/).
-
-- Two standard [load balancers](https://azure.microsoft.com/pricing/details/load-balancer/) if using an internal environment, or one standard [load balancer](https://azure.microsoft.com/pricing/details/load-balancer/) if using an external environment. Each load balancer has fewer than six rules. The cost of data processed (in GBs) includes both ingress and egress for management operations.
-
----
+Azure Container Apps run in the context of an environment, with its own virtual network (VNet). This VNet creates a secure boundary around your Azure Container Apps [environment](environment.md). This article tells you how to configure networking in your environment.
 
 ## <a name="peer-to-peer-encryption"></a> Peer-to-peer encryption in the Azure Container Apps environment
 
diff --git a/articles/container-apps/networking.md b/articles/container-apps/networking.md
@@ -4,8 +4,8 @@ description: Learn about virtual networks in Azure Container Apps.
 services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
-ms.topic:  conceptual
-ms.date: 04/11/2025
+ms.topic: conceptual
+ms.date: 05/01/2025
 ms.author: cshoe
 ---
 
@@ -40,11 +40,6 @@ Use an existing VNet when you need Azure networking features like:
 - Control over outbound traffic from your container app
 - Access to resources behind private endpoints in your virtual network
 
-Use a generated VNet when you do not need these features. Generated VNets only support a limited subset of networking capabilities such as:
-
-- Ingress IP restrictions
-- Container app level ingress controls
-
 If you use an existing VNet, you need to provide a subnet that is dedicated exclusively to the Container App environment you deploy. This subnet isn't available to other services. For more information see [Virtual network configuration](custom-virtual-networks.md).
 
 ## Accessibility level
@@ -69,33 +64,46 @@ In order to create private endpoints on your Azure Container App environment, pu
 
 Azure networking policies are supported with the public network access flag.
 
-### Ingress configuration
+## <a name="private-endpoint"></a>Private endpoint (preview)
 
-Under the [ingress](azure-resource-manager-api-spec.md#propertiesconfiguration) section, you can configure the following settings:
+Azure private endpoint enables clients located in your private network to securely connect to your Azure Container Apps environment through Azure Private Link. A private link connection eliminates exposure to the public internet. Private endpoints use a private IP address in your Azure virtual network address space. 
 
-- Ingress: You can enable or disable ingress for your container app.
+This feature is supported for both Consumption and Dedicated plans in workload profile environments.
 
-- Ingress traffic: You can accept traffic to your container app from anywhere, or you can limit it to traffic from within the same Container Apps environment.
+#### Tutorials
+- To learn more about how to configure private endpoints in Azure Container Apps, see the [Use a private endpoint with an Azure Container Apps environment](how-to-use-private-endpoint.md) tutorial.
+- Private link connectivity with Azure Front Door is supported for Azure Container Apps. Refer to [create a private link with Azure Front Door](how-to-integrate-with-azure-front-door.md) for more information.
 
-- Traffic split rules: You can define traffic splitting rules between different revisions of your application. For more information, see [Traffic splitting](traffic-splitting.md).
+#### Considerations
+- To use a private endpoint, you must disable [public network access](#public-network-access). By default, public network access is enabled, which means private endpoints are disabled.
+- Private endpoints only support inbound HTTP traffic. TCP traffic isn't supported.
+- To use a private endpoint with a custom domain and an *Apex domain* as the *Hostname record type*, you must configure a private DNS zone with the same name as your public DNS. In the record set, configure your private endpoint's private IP address instead of the container app environment's IP address. When you configure your custom domain with CNAME, the setup is unchanged. For more information, see [Set up custom domain with existing certificate](custom-domains-certificates.md).
+- Your private endpoint's VNet can be separate from the VNet integrated with your container app.
+- You can add a private endpoint to both new and existing workload profile environments.
 
-For more information about different networking scenarios, see [Ingress in Azure Container Apps](ingress-overview.md).
+In order to connect to your container apps through a private endpoint, you must configure a private DNS zone.
 
-### Environment security
+| Service | subresource | Private DNS zone name |
+|--|--|--|
+| Azure Container Apps (Microsoft.App/ManagedEnvironments) | managedEnvironment | privatelink.{regionName}.azurecontainerapps.io |
 
-:::image type="content" source="media/networking/locked-down-network.png" alt-text="Diagram of how to fully lock down your network for Container Apps.":::
+You can also [use private endpoints with a private connection to Azure Front Door](how-to-integrate-with-azure-front-door.md) in place of Application Gateway. This feature is in preview.
 
-You can fully secure your ingress and egress networking traffic workload profiles environment by taking the following actions:
+### Ingress configuration
 
-- Create your internal container app environment in a workload profiles environment. For steps, refer to [Manage workload profiles with the Azure CLI](./workload-profiles-manage-cli.md#create).
+Under the [ingress](azure-resource-manager-api-spec.md#propertiesconfiguration) section, you can configure the following settings:
 
-- Integrate your Container Apps with an [Application Gateway](./waf-app-gateway.md).
+- Ingress: You can enable or disable ingress for your container app.
 
-- Configure UDR to route all traffic through [Azure Firewall](./user-defined-routes.md).
+- Ingress traffic: You can accept traffic to your container app from anywhere, or you can limit it to traffic from within the same Container Apps environment.
+
+- Traffic split rules: You can define traffic splitting rules between different revisions of your application. For more information, see [Traffic splitting](traffic-splitting.md).
+
+For more information about different networking scenarios, see [Ingress in Azure Container Apps](ingress-overview.md).
 
 ## Inbound features
 
-|Feature  |Learn how to  |
+|Feature |Learn how to |
 |---------|---------|
 |[Ingress](ingress-overview.md)<br><br>[Configure ingress](ingress-how-to.md) | Control the routing of external and internal traffic to your container app. |
 |[IP restrictions](ip-restrictions.md) | Restrict inbound traffic to your container app by IP address. |
@@ -110,15 +118,15 @@ You can fully secure your ingress and egress networking traffic workload profile
 
 ## Outbound features
 
-|Feature  |Learn how to |
+|Feature |Learn how to |
 |---------|---------|
 |[Using Azure Firewall](using-azure-firewall.md) | Use Azure Firewall to control outbound traffic from your container app. |
 |[Securing a existing VNet with an NSG](firewall-integration.md) | Secure your container app environment's VNet with a Network Security Group (NSG). |
 |[NAT gateway integration](custom-virtual-networks.md#nat-gateway-integration)| Use NAT Gateway to simplify outbound internet connectivity in your virtual network in a workload profiles environment. |
 
 ## Tutorials
 
-|Tutorial  |Learn about how to |
+|Tutorial |Learn how to |
 |---------|---------|
 |[Use a virtual network](vnet-custom.md) | Use a virtual network. |
 |[Configure WAF Application Gateway](waf-app-gateway.md) | Configure a WAF application gateway. |
@@ -128,6 +136,18 @@ You can fully secure your ingress and egress networking traffic workload profile
 |[Use a private endpoint](how-to-use-private-endpoint.md) (preview) | Use a private endpoint to securely access your Azure Container App without exposing it to the public Internet. |
 |[Integrate with Azure Front Door](how-to-integrate-with-azure-front-door.md) (preview) | Connect directly from Azure Front Door to your Azure Container Apps using a private link instead of the public internet. |
 
+### Environment security
+
+:::image type="content" source="media/networking/locked-down-network.png" alt-text="Diagram of how to fully lock down your network for Container Apps.":::
+
+You can fully secure your ingress and egress networking traffic workload profiles environment by taking the following actions:
+
+- Create your internal container app environment in a workload profiles environment. For steps, refer to [Manage workload profiles with the Azure CLI](./workload-profiles-manage-cli.md#create).
+
+- Integrate your Container Apps with an [Application Gateway](./waf-app-gateway.md).
+
+- Configure UDR to route all traffic through [Azure Firewall](./user-defined-routes.md).
+
 ## HTTP edge proxy behavior
 
 Azure Container Apps uses an edge HTTP proxy that terminates Transport Layer Security (TLS) and routes requests to each application.
