
Commit 955eb7f

Update per cachai review
1 parent e9dfa64 commit 955eb7f

File tree

4 files changed

+90
-95
lines changed


articles/container-apps/custom-virtual-networks.md

Lines changed: 24 additions & 0 deletions
@@ -123,6 +123,30 @@ If you're using the CLI, the parameter to define the subnet resource ID is `infr
123123

124124
If you're using the Azure CLI with a Consumption only environment and the [platformReservedCidr](vnet-custom-internal.md#networking-parameters) range is defined, both subnets must not overlap with the IP range defined in `platformReservedCidr`.
125125

126+
## <a name="private-endpoint"></a>Private endpoint (preview)
127+
128+
Azure private endpoint enables clients located in your private network to securely connect to your Azure Container Apps environment through Azure Private Link. A private link connection eliminates exposure to the public internet. Private endpoints use a private IP address in your Azure virtual network address space.
129+
130+
This feature is supported for both Consumption and Dedicated plans in workload profile environments.
131+
132+
#### Tutorials
133+
- To learn more about how to configure private endpoints in Azure Container Apps, see the [Use a private endpoint with an Azure Container Apps environment](how-to-use-private-endpoint.md) tutorial.
134+
- Private link connectivity with Azure Front Door is supported for Azure Container Apps. Refer to [create a private link with Azure Front Door](how-to-integrate-with-azure-front-door.md) for more information.
135+
136+
#### Considerations
137+
- Private endpoints on Azure Container Apps only support inbound HTTP traffic. TCP traffic isn't supported.
138+
- To use a private endpoint with a custom domain and an *Apex domain* as the *Hostname record type*, you must configure a private DNS zone with the same name as your public DNS. In the record set, configure your private endpoint's private IP address instead of the container app environment's IP address. When you configure your custom domain with CNAME, the setup is unchanged. For more information, see [Set up custom domain with existing certificate](custom-domains-certificates.md).
139+
- Your private endpoint's VNet can be separate from the VNet integrated with your container app.
140+
- You can add a private endpoint to both new and existing workload profile environments.
141+
142+
In order to connect to your container apps through a private endpoint, you must configure a private DNS zone.
143+
144+
| Service | subresource | Private DNS zone name |
145+
|--|--|--|
146+
| Azure Container Apps (Microsoft.App/ManagedEnvironments) | managedEnvironment | privatelink.{regionName}.azurecontainerapps.io |
147+
148+
You can also [use private endpoints with a private connection to Azure Front Door](how-to-integrate-with-azure-front-door.md) in place of Application Gateway. This feature is in preview.
149+
126150
## NAT gateway integration
127151

128152
You can use NAT Gateway to simplify outbound connectivity for your outbound internet traffic in your virtual network in a workload profiles environment.
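Review bot: the sentence "A private link connection eliminates exposure to the public internet" in added line 128 is stronger than the rest of the hunk supports: nothing added here says that attaching a private endpoint disables the environment's public ingress, and the Considerations list only says the endpoint's VNet may be separate from the integrated VNet. Either qualify it to "...provides a connection that doesn't traverse the public internet" or add a line stating what happens to public network access when a private endpoint is configured. Two smaller points in the same hunk: the "#### Tutorials" and "#### Considerations" headings jump from H2 to H4 with no H3 in between (the file uses "##" for its sections, so "###" would match), and added line 148 ("You can also use private endpoints with a private connection to Azure Front Door ... in place of Application Gateway. This feature is in preview.") repeats the Front Door bullet from line 134 and mentions Application Gateway, which this section never introduces; consider folding it into the bullet.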

articles/container-apps/firewall-integration.md

Lines changed: 6 additions & 2 deletions
@@ -15,7 +15,12 @@ Network Security Groups (NSGs) needed to configure virtual networks closely rese
1515

1616
You can lock down a network via NSGs with more restrictive rules than the default NSG rules to control all inbound and outbound traffic for the Container Apps environment at the subscription level.
1717

18-
In the workload profiles environment, user-defined routes (UDRs) and [securing outbound traffic with a firewall](./using-azure-firewall.md) are supported. When using an external workload profiles environment, inbound traffic to Azure Container Apps is routed through the public IP that exists in the [managed resource group](./networking-configuration.md#ports-and-ip-addresses) rather than through your subnet. This means that locking down inbound traffic via NSG or Firewall on an external workload profiles environment isn't supported. For more information, see [Control outbound traffic with user defined routes](./user-defined-routes.md).
18+
In the workload profiles environment, user-defined routes (UDRs) and [securing outbound traffic with a firewall](./using-azure-firewall.md) are supported.
19+
20+
> [!NOTE]
21+
> For a guide on how to set up UDR with Container Apps to restrict outbound traffic with Azure Firewall, visit the how to for [Container Apps and Azure Firewall](user-defined-routes).
22+
23+
When using an external workload profiles environment, inbound traffic to Azure Container Apps is routed through the public IP that exists in the [managed resource group](./networking-configuration.md#ports-and-ip-addresses) rather than through your subnet. This means that locking down inbound traffic via NSG or Firewall on an external workload profiles environment isn't supported. For more information, see [Control outbound traffic with user defined routes](./user-defined-routes.md).
1924

2025
In the Consumption only environment, express routes aren't supported, and custom user-defined routes (UDRs) have limited support. For more information on the level of UDR support available in a Consumption-only environment, see the [FAQ](faq.yml#do-consumption-only-environments-support-custom-user-defined-routes-).
2126

@@ -51,7 +56,6 @@ The following tables describe how to configure a collection of NSG allow rules.
5156
<sup>1</sup> This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`.
5257
<sup>2</sup> The full range is required when creating your Azure Container Apps as a port within the range will by dynamically allocated. Once created, the required ports are two immutable, static values, and you can update your NSG rules.
5358

54-
5559
### Outbound
5660

5761
# [Workload profiles environment](#tab/workload-profiles)
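Review bot: whitespace-only change, fine as is. While you're in this region, context line 57 has a typo: "as a port within the range will by dynamically allocated" should read "will be dynamically allocated".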

articles/container-apps/networking-configuration.md

Lines changed: 1 addition & 47 deletions
@@ -5,60 +5,14 @@ services: container-apps
55
author: craigshoemaker
66
ms.service: azure-container-apps
77
ms.topic: conceptual
8-
ms.date: 04/03/2025
8+
ms.date: 04/11/2025
99
ms.author: cshoe
1010
---
1111

1212
# Networking configuration in Azure Container Apps environment
1313

1414
Azure Container Apps run in the context of an environment, with its own virtual network (VNet). This VNet creates a secure boundary around your Azure Container Apps [environment](environment.md). This article tells you how to configure your VNet.
1515

16-
## HTTP edge proxy behavior
17-
18-
Azure Container Apps uses an edge HTTP proxy that terminates Transport Layer Security (TLS) and routes requests to each application.
19-
20-
HTTP applications scale based on the number of HTTP requests and connections. Envoy routes internal traffic inside clusters.
21-
22-
Downstream connections support HTTP1.1 and HTTP2 and Envoy automatically detects and upgrades connections if the client connection requires an upgrade.
23-
24-
Upstream connections are defined by setting the `transport` property on the [ingress](azure-resource-manager-api-spec.md#propertiesconfiguration) object.
25-
26-
### Ingress configuration
27-
28-
Under the [ingress](azure-resource-manager-api-spec.md#propertiesconfiguration) section, you can configure the following settings:
29-
30-
- Ingress: You can enable or disable ingress for your container app.
31-
32-
- Ingress traffic: You can accept traffic to your container app from anywhere, or you can limit it to traffic from within the same Container Apps environment.
33-
34-
- Traffic split rules: You can define traffic splitting rules between different revisions of your application. For more information, see [Traffic splitting](traffic-splitting.md).
35-
36-
For more information about different networking scenarios, see [Ingress in Azure Container Apps](ingress-overview.md).
37-
38-
## Portal dependencies
39-
40-
For every app in Azure Container Apps, there are two URLs.
41-
42-
The Container Apps runtime initially generates a fully qualified domain name (FQDN) used to access your app. See the *Application Url* in the *Overview* window of your container app in the Azure portal for the FQDN of your container app.
43-
44-
A second URL is also generated for you. This location grants access to the log streaming service and the console. If necessary, you may need to add `https://azurecontainerapps.dev/` to the allowlist of your firewall or proxy.
45-
46-
## Ports and IP addresses
47-
48-
The following ports are exposed for inbound connections.
49-
50-
| Protocol | Port(s) |
51-
|--|--|
52-
| HTTP/HTTPS | 80, 443 |
53-
54-
IP addresses are broken down into the following types:
55-
56-
| Type | Description |
57-
|--|--|
58-
| Public inbound IP address | Used for application traffic in an external deployment, and management traffic in both internal and external deployments. |
59-
| Outbound public IP | Used as the "from" IP for outbound connections that leave the virtual network. These connections aren't routed down a VPN. Outbound IPs may change over time. Using a NAT gateway or other proxy for outbound traffic from a Container Apps environment is only supported in a [workload profiles environment](workload-profiles-overview.md). |
60-
| Internal load balancer IP address | This address only exists in an [internal environment](networking.md#accessibility-level). |
61-
6216
## Managed resources
6317

6418
When you deploy an internal or an external environment into your own network, a new resource group is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform. Don't modify the services in this group or the resource group itself.
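Review bot: removing the "## Ports and IP addresses" heading (old lines 46-60) breaks an anchor that this same commit still relies on: firewall-integration.md line 23 links `[managed resource group](./networking-configuration.md#ports-and-ip-addresses)`. Either point that link at wherever the ports and IP-address tables now live, or keep the heading with a short pointer. Also worth checking: the removed "Portal dependencies" section carried the only guidance here on adding `https://azurecontainerapps.dev/` to a firewall or proxy allowlist, and the removed IP table documented that outbound public IPs may change and that NAT gateway is only supported in workload profiles environments. If these moved to another page in the fourth changed file, add "see ..." links in their place; if not, that operational guidance is lost.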
