internal DNS zone for Container Apps is not being injected into my VNet

Question

internal DNS zone for Container Apps is not being injected into my VNet

DT 0

Hi there, Azure Container Apps Environments deployed with internal ingress are not injecting the required internal DNS zone into the VNet. As a result, no internal FQDNs resolve from any VM inside the same VNet, even though the environment and container apps deploy successfully and show internal ingress endpoints in the portal.

This issue persists across multiple new environments, multiple new subnets with no custom networking.

Would greatly appreciate help here.

Some additional details:

Container Apps Environment created with:
- Public access disabled
- VNet integration enabled
- Internal load balancer assigned (private VIP)
Container App created with:
- Ingress enabled
- Traffic limited to Container Apps Environment
- Internal FQDN generated, e.g.: https://mancont312.internal.bravewater-d9e2aebd.eastus2.azurecontainerapps.io/
From a VM in the same VNet using Azure DNS (168.63.129.16), DNS resolution fails: nslookup internal.eastus2.azurecontainerapps.io → NXDOMAIN The root zone (internal.eastus2.azurecontainerapps.io) does not exist, which indicates the internal DNS zone was never injected into the VNet.

Pravallika KV 12,730 Reputation points Microsoft External Staff Moderator

2026-03-12T18:25:07.7633333+00:00
Hi @DT ,

Thanks for reaching out to Microsoft Q&A.

It looks like you’ve done everything on the Container Apps side, but DNS for your internal FQDN isn’t magically “injected” into your VNet, you have to wire up that private DNS yourself or forward queries to Azure’s recursive resolver.

Follow below steps to get your *.internal.<env>.<region>.azurecontainerapps.io names to resolve from your VMs:

Verify your environment is really deployed with internal ingress and in the VNet

Run

az containerapp env show \ -n <YourEnvName> \ -g <YourEnvRG> \ --query "{subnet:infrastructureSubnetId, dnsSuffix:customDomainConfiguration.customDomainLabel}"

Confirm you see a non-null infrastructureSubnetId and your DNS suffix looks like
`mancont312.internal.bravewater-d9e2aebd.eastus2.azurecontainerapps.io`

Get the internal (ILB) IP address of your environment

Look in the MC_… resource group that Azure Container Apps created—find the Load Balancer resource and note its private frontend IP

Create an Azure Private DNS zone for your default domain

In the Portal or via CLI, make a Private DNS zone named exactly
`<UNIQUE_ENV_ID>.internal.<REGION>.azurecontainerapps.io`
(e.g. bravewater-d9e2aebd.eastus2.internal.eastus2.azurecontainerapps.io - check your actual suffix!)

In that zone, add an “A” record:

Name: * (or your app-specific host if you prefer)

IP address: the ILB frontend IP from step 2

Link that DNS zone to your VNet

In the Private DNS zone’s “Virtual network links” blade, link it to the same VNet where your VMs live (and where the Container Apps environment is deployed)

Check your VM’s DNS settings

If you’re using Azure-provided DNS, you’re done, just nslookup your FQDN and you should get the ILB IP

If you have a custom DNS server: make sure it forwards unresolved queries to Azure’s recursive resolver at 168.63.129.16 (or allow the AzurePlatformDNS service tag through your firewall/NSG)

Once your zone is linked and the record is in place, any VM in that VNet asking for

nslookup mancont312.internal.bravewater-d9e2aebd.eastus2.azurecontainerapps.io

will get back your private VIP and be able to route traffic to your container app via the internal load balancer.

Hope this helps!

References:

Deploy a Container Apps environment to a VNet

Securing a custom VNet in Azure Container Apps (NSG rules)

Private endpoints and DNS for virtual networks in Azure Container Apps environments

Azure recursive resolvers & forwarding (168.63.129.16)
Pravallika KV 12,730 Reputation points Microsoft External Staff Moderator

2026-03-13T20:08:01.35+00:00

Hi @DT ,

Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Praveen Kumar Gudipudi 2,275 Reputation points Microsoft External Staff Moderator

2026-03-18T09:05:57.74+00:00

Hi @DT ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Pravallika KV 12,730 Reputation points Microsoft External Staff Moderator

2026-03-13T20:08:01.35+00:00

Hi @DT ,

Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Praveen Kumar Gudipudi 2,275 Reputation points Microsoft External Staff Moderator

2026-03-18T09:05:57.74+00:00

Hi @DT ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Hi @DT ,

Azure Container Apps automatically manages DNS for the default *.azurecontainerapps.io domain. You do not need to manually create a Private DNS zone.

If VMs in the same VNet cannot resolve the internal FQDN, check:

Whether the VNet uses Azure DNS (168.63.129.16) or a custom DNS server.
If using custom DNS, ensure queries for *.azurecontainerapps.io are forwarded to 168.63.129.16.
Verify that no Private DNS zone exists that overrides azurecontainerapps.io or internal.<region>.azurecontainerapps.io.
Ensure NSGs or firewalls allow DNS traffic to 168.63.129.16.

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

Share via

internal DNS zone for Container Apps is not being injected into my VNet

1 answer

Your answer