Azure Container Apps and NAT Gateway limitations

If you’re dealing with Azure Container Apps, here is a frustrating limitation I ran into: you cannot attach a NAT Gateway directly to the infrastructure subnet of a Container App Environment if it uses the legacy Consumption profile.

Doing so causes 412 (Precondition Failed) errors. The reason is that a NAT Gateway in this setup blocks platform control-plane traffic, preventing internal Azure services from meeting the necessary preconditions to manage the environment.

To achieve static outbound IPs without breaking the control plane, Microsoft recommends using the Workload Profiles environment type (the Workload v2 Consumption plan). This modern plan allows for proper configuration of custom egress traffic through a NAT Gateway.
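A pre-flight check for the rule above, as an added example that is not part of the original post: it takes the JSON of an environment and of a subnet and says whether a NAT Gateway on that subnet is safe. The field names (`properties.workloadProfiles`, `properties.vnetConfiguration.infrastructureSubnetId`, `natGateway.id`) are assumed to match `az containerapp env show` and `az network vnet subnet show` output, and all sample values are constructed.

```python
# Constructed samples shaped like `az containerapp env show` and
# `az network vnet subnet show` output (field names are assumptions).
SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-aca"
)
NAT_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    "/providers/Microsoft.Network/natGateways/ng-demo"
)
LEGACY_ENV = {"name": "env-legacy", "properties": {
    "workloadProfiles": None,  # legacy Consumption: no profiles list
    "vnetConfiguration": {"infrastructureSubnetId": SUBNET_ID}}}
WP_ENV = {"name": "env-wp", "properties": {
    "workloadProfiles": [{"name": "Consumption", "workloadProfileType": "Consumption"}],
    "vnetConfiguration": {"infrastructureSubnetId": SUBNET_ID}}}
# Azure resource IDs are case-insensitive, so the sample uses a different case.
SUBNET_WITH_NAT = {"id": SUBNET_ID.upper(), "natGateway": {"id": NAT_ID}}
SUBNET_NO_NAT = {"id": SUBNET_ID, "natGateway": None}


def is_workload_profiles(env):
    """True when the environment uses the Workload Profiles type."""
    return bool((env.get("properties") or {}).get("workloadProfiles"))


def nat_gateway_verdict(env, subnet):
    """Return (status, message) for a NAT Gateway on the given subnet."""
    vnet = (env.get("properties") or {}).get("vnetConfiguration") or {}
    infra = vnet.get("infrastructureSubnetId")
    if not infra:
        return "not-applicable", "environment has no custom infrastructure subnet"
    if infra.lower() != (subnet.get("id") or "").lower():
        return "mismatch", "subnet is not this environment's infrastructure subnet"
    attached = bool((subnet.get("natGateway") or {}).get("id"))
    if is_workload_profiles(env):
        state = "is attached" if attached else "can be attached"
        return "ok", "Workload Profiles environment: NAT Gateway " + state
    if attached:
        return "broken", "legacy Consumption environment with NAT Gateway: expect 412 errors"
    return "blocked", "legacy Consumption environment: do not attach a NAT Gateway"


if __name__ == "__main__":
    for env in (LEGACY_ENV, WP_ENV):
        for subnet in (SUBNET_WITH_NAT, SUBNET_NO_NAT):
            print(env["name"], *nat_gateway_verdict(env, subnet), sep=" | ")
```

In a pipeline, load the two dictionaries with `json.load` from the CLI output and fail the deployment on `broken` or `blocked`.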

As a rule of thumb, always create Workload v2 plans. There’s rarely a good reason to use the legacy environments anymore. That’s a wrap.