Upgrade HTTP endpoints to HTTPS in Azure Container Apps

[davidfowl]

Description

This PR changes how HTTP endpoints are handled when deploying to Azure Container Apps:

Problem:

• HTTP→HTTPS redirect in ACA breaks WebSocket upgrade requests (they just fail)
• Explicit ports like 8080 caused NotSupportedException at deploy time, even though they work fine for local dev
• Developers had to manually adjust endpoint configs between dev and production

Solution:

• HTTP endpoints are now automatically upgraded to HTTPS (port 443) by default
• Explicit ports specified for development are treated as dev-only hints and normalized to 80/443
• Removed NotSupportedException throws - instead logs informational messages
• Added WithHttpsUpgrade(false) on the environment to opt out and preserve HTTP scheme

Usage:

// Default: HTTP endpoints upgraded to HTTPS
builder.AddAzureContainerAppEnvironment("env");

// Opt out: preserve HTTP scheme
builder.AddAzureContainerAppEnvironment("env")
    .WithHttpsUpgrade(false);

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
  • No
• Does the change require an update in our Aspire docs?
  • Yes
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14267

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14267"

[Copilot]

Pull request overview

This PR addresses issues with HTTP endpoint handling in Azure Container Apps by automatically upgrading HTTP endpoints to HTTPS (port 443) by default, which prevents WebSocket upgrade failures caused by ACA's HTTP→HTTPS redirect behavior.

Changes:

• HTTP endpoints are now automatically upgraded to HTTPS (port 443) by default when deploying to Azure Container Apps
• Removed NotSupportedException for non-standard ports (8080, etc.), replacing with informational logging
• Added WithHttpsUpgrade(false) method to opt out and preserve HTTP scheme when needed

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppEnvironmentResource.cs	Added internal PreserveHttpEndpoints property to control HTTP→HTTPS upgrade behavior
src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppExtensions.cs	Added public WithHttpsUpgrade() extension method to configure HTTP endpoint upgrade behavior
src/Aspire.Hosting.Azure.AppContainers/ContainerAppContext.cs	Modified endpoint processing logic to upgrade HTTP to HTTPS by default and log informational messages instead of throwing exceptions
tests/Aspire.Hosting.Azure.Tests/AzureContainerAppsTests.cs	Updated tests from expecting exceptions to verifying correct behavior; added test for HTTP preservation opt-out
tests/Aspire.Hosting.Azure.Tests/Snapshots/*.bicep	Updated snapshots to reflect HTTP→HTTPS upgrades in generated bicep (scheme, port, and environment variable values)

Comments suppressed due to low confidence (1)

src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppExtensions.cs:390

• According to the XML Documentation Standards guideline 1000002, public APIs should include practical examples using the <example> tag. This method should include an example showing how to use WithHttpsUpgrade(false) to preserve HTTP endpoints, similar to how other public extension methods in the codebase provide usage examples (e.g., PublishAsAzureContainerApp methods have examples within their <remarks> sections).

    /// <summary>
    /// Configures whether HTTP endpoints should be upgraded to HTTPS in Azure Container Apps.
    /// By default, HTTP endpoints are upgraded to HTTPS for security and WebSocket compatibility.
    /// </summary>
    /// <param name="builder">The AzureContainerAppEnvironmentResource to configure.</param>
    /// <param name="upgrade">Whether to upgrade HTTP endpoints to HTTPS. Default is true.</param>
    /// <returns><see cref="IResourceBuilder{T}"/></returns>
    /// <remarks>
    /// When disabled (<c>false</c>), HTTP endpoints will use HTTP scheme and port 80 in Azure Container Apps.
    /// Note that explicit ports specified for development (e.g., port 8080) are still normalized
    /// to standard ports (80/443) as required by Azure Container Apps.
    /// </remarks>
    public static IResourceBuilder<AzureContainerAppEnvironmentResource> WithHttpsUpgrade(this IResourceBuilder<AzureContainerAppEnvironmentResource> builder, bool upgrade = true)
    {
        builder.Resource.PreserveHttpEndpoints = !upgrade;
        return builder;
    }

[github-actions]

🎬 CLI E2E Test Recordings

The following terminal recordings are available for commit 23cb11a:

Test	Recording
CreateAndDeployToDockerCompose	▶️ View Recording
CreateAndDeployToDockerComposeInteractive	▶️ View Recording
CreateAndRunAspireStarterProject	▶️ View Recording
CreateAndRunJsReactProject	▶️ View Recording
CreateAndRunPythonReactProject	▶️ View Recording
CreateEmptyAppHostProject	▶️ View Recording
CreateStartAndStopAspireProject	▶️ View Recording
CreateTypeScriptAppHostWithViteApp	▶️ View Recording
DoctorCommand_WithSslCertDir_ShowsTrusted	▶️ View Recording
DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	▶️ View Recording
PsCommandListsRunningAppHost	▶️ View Recording

---

_{📹 Recordings uploaded automatically from CI run #21540816187}

[mitchdenny]

Question about API granularity

The WithHttpsUpgrade() API is currently at the environment level, applying to all container apps. Should there also be a per-container app override?

For example:

// Current: environment-level only
builder.AddAzureContainerAppEnvironment("env")
    .WithHttpsUpgrade(false);

// Proposed addition: per-app override
builder.AddContainer("legacy-api", "myimage")
    .WithHttpEndpoint()
    .PublishAsContainerApp(options =>
    {
        options.PreserveHttpEndpoints = true;
    });

This would allow the environment to default to HTTPS upgrade while letting specific apps opt out individually. The precedence would be: per-app setting > environment setting > default (upgrade=true).

Is this level of granularity needed, or is environment-level sufficient for the intended use cases?

[davidfowl]

Yea I went back and forth on this but you can always use PublishAsContainerApp today to override everything and set ingress data at the bicep level. That's your escape hatch here, I don't think we need resource level logic.

[davidfowl]

/deployment-test

[github-actions]

🚀 Starting deployment tests on PR #14267...

This will deploy to real Azure infrastructure. Results will be posted here when complete.

View workflow run