MicrosoftDocs
diff --git a/‎articles/container-apps/custom-domains-certificates.md
Lines changed: 25 additions & 5 deletions b/‎articles/container-apps/custom-domains-certificates.md
Lines changed: 25 additions & 5 deletions
diff --git a/‎articles/container-apps/custom-domains-managed-certificates.md
Lines changed: 54 additions & 12 deletions b/‎articles/container-apps/custom-domains-managed-certificates.md
Lines changed: 54 additions & 12 deletions
diff --git a/‎articles/container-apps/ingress-overview.md
Lines changed: 8 additions & 8 deletions b/‎articles/container-apps/ingress-overview.md
Lines changed: 8 additions & 8 deletions
@@ -63,21 +63,41 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
     | Apex domain | A record | An apex domain is a domain at the root level of your domain. For example, if your DNS (Domain Name System) zone is `contoso.com`, then `contoso.com` is the apex domain. |
     | Subdomain | CNAME | A subdomain is a domain that is part of another domain. For example, if your DNS zone is `contoso.com`, then `www.contoso.com` is an example of a subdomain that can be configured in the zone. |
 
-1. Using the DNS provider that is hosting your domain, create DNS records based on the *Hostname record type* you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it.
+1. Using the DNS provider that is hosting your domain, create DNS records based on the *Hostname record type* you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you are using custom domains with the private endpoint (preview) feature:
 
+    # [General](#tab/general)
+    
     - If you selected *A record*, create the following DNS records:
 
         | Record type | Host | Value |
         |--|--|--|
-        | A | `@` | The IP address of your Container Apps environment |
-        | TXT | `asuid` | The domain verification code |
+        | A | `@` | The IP address of your Container Apps environment. |
+        | TXT | `asuid` | The domain verification code. |
 
     - If you selected *CNAME*, create the following DNS records:
 
         | Record type | Host | Value |
         |--|--|--|
-        | CNAME | The subdomain (for example, `www`) | The automatically generated domain of your container app |
-        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code |
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+    
+    # [Private endpoint](#tab/private-endpoint)
+
+    - If you selected *A record*, you need to have a private DNS zone which has the same DNS zone name as your public DNS. Create the following DNS records on your private DNS zone:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | A | `@` | The Private IP of your private endpoint on your container apps environment. |
+        | TXT | `asuid` | The domain verification code. |
+
+    - If you selected *CNAME*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+
+    ---
 
 1. Select the **Validate** button.
 
 
@@ -62,21 +62,41 @@ The requirements are:
     | Apex domain | A record | An apex domain is a domain at the root level of your domain. For example, if your DNS zone is `contoso.com`, then `contoso.com` is the apex domain. |
     | Subdomain | CNAME | A subdomain is a domain that is part of another domain. For example, if your DNS zone is `contoso.com`, then `www.contoso.com` is an example of a subdomain that can be configured in the zone. |
 
-1. Using the DNS provider that is hosting your domain, create DNS records based on the *Hostname record type* you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you're the owner.
+1. Using the DNS provider that is hosting your domain, create DNS records based on the *Hostname record type* you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you're the owner. The setup depends on whether you are using custom domains with the private endpoint (preview) feature:
 
+    # [General](#tab/general)
+    
     - If you selected *A record*, create the following DNS records:
 
         | Record type | Host | Value |
         |--|--|--|
-        | A | `@` | The IP address of your Container Apps environment |
-        | TXT | `asuid` | The domain verification code |
+        | A | `@` | The IP address of your Container Apps environment. |
+        | TXT | `asuid` | The domain verification code. |
 
     - If you selected *CNAME*, create the following DNS records:
 
         | Record type | Host | Value |
         |--|--|--|
-        | CNAME | The subdomain (for example, `www`) | The automatically generated `<appname>.<region>.azurecontainerapps.io` domain of your container app |
-        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code |
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+    
+    # [Private endpoint](#tab/private-endpoint)
+
+    - If you selected *A record*, you need to have a private DNS zone which has the same DNS zone name as your public DNS. Create the following DNS records on your private DNS zone:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | A | `@` | The Private IP of your private endpoint on your container apps environment. |
+        | TXT | `asuid` | The domain verification code. |
+
+    - If you selected *CNAME*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+
+    ---
 
 1. Select **Validate**.
 
@@ -149,21 +169,43 @@ Container Apps supports apex domains and subdomains. Each domain type requires a
 
     Replace `<CONTAINER_APP_NAME>` with the name of your container app, and `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app.
 
-1. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it.
+1. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you are using custom domains with the private endpoint (preview) feature:
+
+    # [General](#tab/general)
+    
+    - If you selected *A record*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | A | `@` | The IP address of your Container Apps environment. |
+        | TXT | `asuid` | The domain verification code. |
+
+    - If you selected *CNAME*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+    
+    # [Private endpoint](#tab/private-endpoint)
+
+    When using a private endpoint for your incoming traffic, you need to [create a private DNS zone](how-to-use-private-endpoint.md#configure-the-private-dns-zone).    
 
-    - If you're configuring an apex domain, create the following DNS records:
+    - If you selected *A record*, create the following DNS records:
 
         | Record type | Host | Value |
         |--|--|--|
-        | A | `@` | The IP address of your Container Apps environment |
-        | TXT | `asuid` | The domain verification code |
+        | A | `@` | The Private IP of your private endpoint on your container apps environment. |
+        | TXT | `asuid` | The domain verification code. |
 
-    - If you're configuring a subdomain, create the following DNS records:
+    - If you selected *CNAME*, create the following DNS records:
 
         | Record type | Host | Value |
         |--|--|--|
-        | CNAME | The subdomain (for example, `www`) | The automatically generated domain of your container app |
-        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code |
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+
+    ---
 
 1. Add the domain to your container app.
 
 
@@ -11,7 +11,7 @@ ms.author: cshoe
 
 # Ingress in Azure Container Apps
 
-Azure Container Apps allows you to expose your container app to the public web, your virtual network (VNET), and other container apps within your environment by enabling ingress. Ingress settings are enforced through a set of rules that control the routing of external and internal traffic to your container app.  When you enable ingress, you don't need to create an Azure Load Balancer, public IP address, or any other Azure resources to enable incoming HTTP requests or TCP traffic.
+Azure Container Apps allows you to expose your container app to the public web, your virtual network (VNET), and other container apps within your environment by enabling ingress. Ingress settings are enforced through a set of rules that control the routing of external and internal traffic to your container app. When you enable ingress, you don't need to create an Azure Load Balancer, public IP address, or any other Azure resources to enable incoming HTTP requests or TCP traffic.
 
 Ingress supports:
 
@@ -36,7 +36,7 @@ When you enable ingress, you can choose between two types of ingress:
 - External: Accepts traffic from both the public internet and your container app's internal environment.
 - Internal: Allows only internal access from within your container app's environment.
 
-Each container app within an environment can be configured with different ingress settings. For example, in a scenario with multiple microservice apps, to increase security you might have a single container app that receives public requests and passes the requests to a background service.  In this scenario, you would configure the public-facing container app with external ingress and the internal-facing container app with internal ingress.
+Each container app within an environment can be configured with different ingress settings. For example, in a scenario with multiple microservice apps, to increase security you might have a single container app that receives public requests and passes the requests to a background service. In this scenario, you would configure the public-facing container app with external ingress and the internal-facing container app with internal ingress.
 
 ## Protocol types
 
@@ -71,12 +71,12 @@ HTTP ingress adds headers to pass metadata about the client request to your cont
 Container Apps supports TCP-based protocols other than HTTP or HTTPS. For example, you can use TCP ingress to expose a container app that uses the [Redis protocol](https://redis.io/topics/protocol).
 
 > [!NOTE]
-> External TCP ingress is only supported for Container Apps environments that use a [custom VNET](vnet-custom.md).
+> External TCP ingress is only supported for Container Apps environments that use a [custom VNET](vnet-custom.md). TCP ingress is not supported for apps that accept inbound traffic through a [private endpoint](networking.md#private-endpoint).
 
 With TCP ingress enabled, your container app:
 
 - Is accessible to other container apps in the same environment via its name (defined by the `name` property in the Container Apps resource) and exposed port number.
-- Is accessible externally via its fully qualified domain name (FQDN) and exposed port number if the ingress is set to "external".
+- Is accessible externally via its fully qualified domain name (FQDN) and exposed port number if the ingress is set to `external`.
 
 ## <a name="additional-tcp-ports"></a>Additional TCP ports
 
@@ -90,7 +90,7 @@ The following apply to additional TCP ports:
 - Any externally exposed additional TCP ports must be unique across the entire Container Apps environment. This includes all external additional TCP ports, external main TCP ports, and 80/443 ports used by built-in HTTP ingress. If the additional ports are internal, the same port can be shared by multiple apps.
 - If an exposed port isn't provided, the exposed port will default to match the target port.
 - Each target port must be unique, and the same target port can't be exposed on different exposed ports.
-- There's a maximum of 5 additional ports per app. If additional ports are required, please open a support request.
+- There's a maximum of five additional ports per app. If additional ports are required, please open a support request.
 - Only the main ingress port supports built-in HTTP features such as CORS and session affinity. When running HTTP on top of the additional TCP ports, these built-in features aren't supported.
 
 Visit the [how to article on ingress](ingress-how-to.md#use-additional-tcp-ports) for more information on how to enable additional ports for your container apps.
@@ -100,7 +100,7 @@ Visit the [how to article on ingress](ingress-how-to.md#use-additional-tcp-ports
 You can access your app in the following ways:
 
 - The default fully qualified domain name (FQDN):  Each app in a Container Apps environment is automatically assigned an FQDN based on the environment's DNS suffix. To customize an environment's DNS suffix, see [Custom environment DNS Suffix](environment-custom-dns-suffix.md).
-- A custom domain name:  You can configure a custom DNS domain for your Container Apps environment.  For more information, see [Custom domain names and certificates](./custom-domains-certificates.md).
+- A custom domain name:  You can configure a custom DNS domain for your Container Apps environment. For more information, see [Custom domain names and certificates](./custom-domains-certificates.md).
 - The app name: You can use the app name for communication between apps in the same environment.
 
 To get the FQDN for your app, see [Location](connect-apps.md#location).
@@ -111,15 +111,15 @@ Container Apps supports IP restrictions for ingress. You can create rules to eit
 
 ## Authentication
 
-Azure Container Apps provides built-in authentication and authorization features to secure your external ingress-enabled container app.  For more information, see [Authentication and authorization in Azure Container Apps](authentication.md).
+Azure Container Apps provides built-in authentication and authorization features to secure your external ingress-enabled container app. For more information, see [Authentication and authorization in Azure Container Apps](authentication.md).
 
 You can configure your app to support client certificates (mTLS) for authentication and traffic encryption. For more information, see [Configure client certificates](client-certificate-authorization.md). 
 
 For details on how to use peer-to-peer environment level network encryption, see the [networking overview](./networking.md#peer-to-peer-encryption). 
 
 ## Traffic splitting
 
-Containers Apps allows you to split incoming traffic between active revisions.  When you define a splitting rule, you assign the percentage of inbound traffic to go to different revisions.  For more information, see [Traffic splitting](traffic-splitting.md).
+Containers Apps allows you to split incoming traffic between active revisions. When you define a splitting rule, you assign the percentage of inbound traffic to go to different revisions. For more information, see [Traffic splitting](traffic-splitting.md).
 
 ## Session affinity