cachai2 feedback.

v-jaswel · v-jaswel · commit 48bdfc6942ae · 2025-06-16T07:21:33.000-07:00
diff --git a/articles/container-apps/TOC.yml b/articles/container-apps/TOC.yml
@@ -357,8 +357,6 @@
   items:
     - name: Overview
       href: networking.md
-    - name: Environment-level networking
-      href: environment-level-networking.md
     - name: Ingress
       items:
         - name: Overview
@@ -386,7 +384,7 @@
       href: custom-virtual-networks.md
     - name: Managing outbound connections with Azure Firewall
       href: using-azure-firewall.md
-    - name: DNS
+    - name: Private endpoints and DNS
       href: dns.md
     - name: Tutorials
       items:
diff --git a/articles/container-apps/dns.md b/articles/container-apps/dns.md
@@ -1,15 +1,15 @@
 ---
-title: Configure a DNS for virtual networks in Azure Container Apps environments
-description: Learn how to configure DNS for virtual networks in Azure Container Apps.
+title: Configure private endpoints and DNS for virtual networks in Azure Container Apps environments
+description: Learn how to configure private endpoints and DNS for virtual networks in Azure Container Apps.
 services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic:  conceptual
-ms.date: 10/03/2024
+ms.date: 06/16/2025
 ms.author: cshoe
 ---
 
-# DNS for virtual networks in Azure Container Apps environments
+# Private endpoints and DNS for virtual networks in Azure Container Apps environments
 
 Configuring DNS in your Azure Container Apps environment's virtual network is important for the following reasons:
 
@@ -31,6 +31,31 @@ If you plan to use VNet-scope [ingress](ingress-overview.md) in an internal envi
 
 The static IP address of the Container Apps environment is available in the Azure portal in  **Custom DNS suffix** of the container app page or using the Azure CLI `az containerapp env list` command.
 
+## <a name="private-endpoint"></a>Private endpoint
+
+Azure private endpoint enables clients located in your private network to securely connect to your Azure Container Apps environment through Azure Private Link. A private link connection eliminates exposure to the public internet. Private endpoints use a private IP address in your Azure virtual network address space. 
+
+This feature is supported for both Consumption and Dedicated plans in workload profile environments.
+
+### Tutorials
+- To learn more about how to configure private endpoints in Azure Container Apps, see the [Use a private endpoint with an Azure Container Apps environment](how-to-use-private-endpoint.md) tutorial.
+- Private link connectivity with Azure Front Door is supported for Azure Container Apps. Refer to [create a private link with Azure Front Door](how-to-integrate-with-azure-front-door.md) for more information.
+
+### Considerations
+
+- To use a private endpoint, you must disable [public network access](#public-network-access). By default, public network access is enabled, which means private endpoints are disabled.
+- To use a private endpoint with a custom domain and an *Apex domain* as the *Hostname record type*, you must configure a private DNS zone with the same name as your public DNS. In the record set, configure your private endpoint's private IP address instead of the container app environment's IP address. When you configure your custom domain with CNAME, the setup is unchanged. For more information, see [Set up custom domain with existing certificate](custom-domains-certificates.md).
+- Your private endpoint's VNet can be separate from the VNet integrated with your container app.
+- You can add a private endpoint to both new and existing workload profile environments.
+
+In order to connect to your container apps through a private endpoint, you must configure a private DNS zone.
+
+| Service | subresource | Private DNS zone name |
+|--|--|--|
+| Azure Container Apps (Microsoft.App/ManagedEnvironments) | managedEnvironment | privatelink.{regionName}.azurecontainerapps.io |
+
+You can also [use private endpoints with a private connection to Azure Front Door](how-to-integrate-with-azure-front-door.md) in place of Application Gateway.
+
 ## Next steps
 
 > [!div class="nextstepaction"]
diff --git a/articles/container-apps/environment-level-networking.md b/articles/container-apps/environment-level-networking.md
diff --git a/articles/container-apps/ingress-environment-configuration.md b/articles/container-apps/ingress-environment-configuration.md
@@ -13,6 +13,8 @@ ms.custom:
 
 # Configure ingress for an Azure Container Apps environment
 
+Azure Container Apps run in the context of an environment, with its own virtual network (VNet). This VNet creates a secure boundary around your Azure Container Apps [environment](environment.md).
+
 Ingress configuration in Azure Container Apps determines how external network traffic reaches your applications. Configuring ingress enables you to control traffic routing, improve application performance, and implement advanced deployment strategies. This article guides you through the ingress configuration options available in Azure Container Apps and helps you choose the right settings for your workloads.
 
 An Azure Container Apps environment includes a scalable edge ingress proxy responsible for the following features:
@@ -110,7 +112,87 @@ You can configure the ingress for your environment after you create it.
 
 1. Select **Apply**.
 
+## Rule-based routing (preview)
+
+With rule-based routing, you create a fully qualified domain name (FQDN) on your container apps environment. You then use rules to route requests to this FQDN to different container apps, depending on the path of each request. This offers the following benefits.
+
+- Isolation: By routing different paths to different container apps, you can deploy and update individual components without affecting the entire application.
+
+- Scalability: With rule-based routing, you can scale individual container apps independently based on the traffic each container app receives.
+
+- Custom Routing Rules: You can, for example, redirect users to different versions of your application or implement A/B testing.
+
+- Security: You can implement security measures tailored to each container app. This helps you to reduce the attack surface of your application.
+
+To learn how to configure rule-based routing on your container apps environment, see [Use rule-based routing](rule-based-routing.md).
+
+## <a name="peer-to-peer-encryption"></a> Peer-to-peer encryption in the Azure Container Apps environment
+
+Azure Container Apps supports peer-to-peer TLS encryption within the environment. Enabling this feature encrypts all network traffic within the environment with a private certificate that is valid within the Azure Container Apps environment scope. Azure Container Apps automatically manages these certificates.
+
+> [!NOTE]
+> By default, peer-to-peer encryption is disabled. Enabling peer-to-peer encryption for your applications may increase response latency and reduce maximum throughput in high-load scenarios.
+
+The following example shows an environment with peer-to-peer encryption enabled.
+:::image type="content" source="media/networking/peer-to-peer-encryption-traffic-diagram.png" alt-text="Diagram of how traffic is encrypted/decrypted with peer-to-peer encryption enabled.":::
+
+<sup>1</sup> Inbound TLS traffic is terminated at the ingress proxy on the edge of the environment.
+
+<sup>2</sup> Traffic to and from the ingress proxy within the environment is TLS encrypted with a private certificate and decrypted by the receiver. 
+
+<sup>3</sup> Calls made from app A to app B's FQDN are first sent to the edge ingress proxy, and are TLS encrypted.
+
+<sup>4</sup> Calls made from app A to app B using app B's app name are sent directly to app B and are TLS encrypted. Calls between apps and [Java components](./java-overview.md#java-components-support) are treated in the same way as app to app communication and TLS encrypted.
+
+Applications within a Container Apps environment are automatically authenticated. However, the Container Apps runtime doesn't support authorization for access control between applications using the built-in peer-to-peer encryption.
+
+When your apps are communicating with a client outside of the environment, two-way authentication with mTLS is supported. To learn more, see [configure client certificates](client-certificate-authorization.md).
+
+# [Azure CLI](#tab/azure-cli)
+
+You can enable peer-to-peer encryption using the following commands.
+
+On create:
+
+```azurecli
+az containerapp env create \
+    --name <ENVIRONMENT_NAME> \
+    --resource-group <RESOURCE_GROUP> \
+    --location <LOCATION> \
+    --enable-peer-to-peer-encryption
+```
+
+For an existing container app:
+
+```azurecli
+az containerapp env update \
+    --name <ENVIRONMENT_NAME> \
+    --resource-group <RESOURCE_GROUP> \
+    --enable-peer-to-peer-encryption
+```
+
+# [ARM template](#tab/arm-template)
+
+You can enable peer-to-peer encryption in the ARM template for Container Apps environments using the following configuration.
+
+```json
+{
+  ...
+  "properties": {
+       "peerTrafficConfiguration":{
+            "encryption": {
+                "enabled": "true|false"
+            }
+        }
+  ...
+}
+```
+
+---
+
 ## Related content
 
 - [Ingress in Azure Container Apps](ingress-overview.md)
-- [Networking in Azure Container Apps](networking.md)
+- [Networking in Azure Container Apps](networking.md)
+- [Configuring virtual networks Azure Container Apps environments](custom-virtual-networks.md)
+- [Integrate a virtual network with an internal Azure Container Apps environment](vnet-custom-internal.md)
diff --git a/articles/container-apps/networking.md b/articles/container-apps/networking.md
@@ -66,31 +66,6 @@ In order to create private endpoints on your Azure Container App environment, pu
 
 Azure networking policies are supported with the public network access flag.
 
-### <a name="private-endpoint"></a>Private endpoint
-
-Azure private endpoint enables clients located in your private network to securely connect to your Azure Container Apps environment through Azure Private Link. A private link connection eliminates exposure to the public internet. Private endpoints use a private IP address in your Azure virtual network address space. 
-
-This feature is supported for both Consumption and Dedicated plans in workload profile environments.
-
-#### Tutorials
-- To learn more about how to configure private endpoints in Azure Container Apps, see the [Use a private endpoint with an Azure Container Apps environment](how-to-use-private-endpoint.md) tutorial.
-- Private link connectivity with Azure Front Door is supported for Azure Container Apps. Refer to [create a private link with Azure Front Door](how-to-integrate-with-azure-front-door.md) for more information.
-
-#### Considerations
-
-- To use a private endpoint, you must disable [public network access](#public-network-access). By default, public network access is enabled, which means private endpoints are disabled.
-- To use a private endpoint with a custom domain and an *Apex domain* as the *Hostname record type*, you must configure a private DNS zone with the same name as your public DNS. In the record set, configure your private endpoint's private IP address instead of the container app environment's IP address. When you configure your custom domain with CNAME, the setup is unchanged. For more information, see [Set up custom domain with existing certificate](custom-domains-certificates.md).
-- Your private endpoint's VNet can be separate from the VNet integrated with your container app.
-- You can add a private endpoint to both new and existing workload profile environments.
-
-In order to connect to your container apps through a private endpoint, you must configure a private DNS zone.
-
-| Service | subresource | Private DNS zone name |
-|--|--|--|
-| Azure Container Apps (Microsoft.App/ManagedEnvironments) | managedEnvironment | privatelink.{regionName}.azurecontainerapps.io |
-
-You can also [use private endpoints with a private connection to Azure Front Door](how-to-integrate-with-azure-front-door.md) in place of Application Gateway.
-
 ### Ingress configuration
 
 Under the [ingress](azure-resource-manager-api-spec.md#propertiesconfiguration) section, you can configure the following settings:
@@ -108,11 +83,13 @@ For more information about different networking scenarios, see [Ingress in Azure
 |Feature |Learn how to |
 |---------|---------|
 |[Ingress](ingress-overview.md)<br><br>[Configure ingress](ingress-how-to.md) | Control the routing of external and internal traffic to your container app. |
+|[Premium ingress](ingress-environment-configuration.md) | Configure advanced ingress settings such as workload profile support for ingress and idle timeout. |
 |[IP restrictions](ip-restrictions.md) | Restrict inbound traffic to your container app by IP address. |
 |[Client certificate authentication](client-certificate-authorization.md) | Configure client certificate authentication (also known as mutual TLS or mTLS) for your container app. |
 |[Traffic splitting](traffic-splitting.md)<br><br>[Blue/Green deployment](blue-green-deployment.md) | Split incoming traffic between active revisions of your container app. |
 |[Session affinity](sticky-sessions.md) | Route all requests from a client to the same replica of your container app. |
 |[Cross origin resource sharing (CORS)](cors.md) | Enable CORS for your container app, which allows requests made through the browser to a domain that doesn't match the page's origin. |
+|[Path-based routing](rule-based-routing.md) | Use rules to route requests to different container apps in your environment, depending on the path of each request. |
 |[Virtual networks](custom-virtual-networks.md) | Configure the VNet for your container app environment. |
 |[DNS](dns.md) | Configure DNS for your container app environment's VNet. |
 |[Private endpoint](how-to-use-private-endpoint.md) | Use a private endpoint to securely access your Azure Container App without exposing it to the public Internet. |
