Networking
Virtual Network
cerebro-auth-vnet (South India, resource group testing) provides private networking for the auth environment. Services marked as internal are only reachable from within this VNet — they have no public IP.
Internal vs External Apps
| App | Visibility | Access |
|---|---|---|
| Marketing Site | External | https://agentstacktech.com |
| HITL Frontend | External | Public URL |
| Keycloak | External | Public URL |
| Review Service | External | Public URL |
| Ingest Service | External | Public URL |
| Config Service | External | Public URL |
| OpenFGA | Internal | VNet only |
| Router Service | Internal | VNet only |
| AuthStack Toolbox | Internal | No ingress |
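The table above can be checked against what is actually deployed. The following is an added example, not part of the original documentation: it compares the ingress setting of each container app with the documented visibility and reports drift. The app resource names in `EXPECTED` and the sample JSON are constructed placeholders, since the page gives only display names.

```python
import json

# Documented exposure, taken from the table above. Keys are HYPOTHETICAL
# resource names (placeholders); replace them with the real app names.
EXPECTED = {
    "keycloak": "external",
    "openfga": "internal",
    "router-service": "internal",
    "authstack-toolbox": "none",
}

def exposure(app):
    """Classify one app object from `az containerapp list -o json`."""
    config = app.get("properties", {}).get("configuration") or {}
    ingress = config.get("ingress")
    if not ingress:
        return "none"  # ingress disabled: nothing can call the app
    return "external" if ingress.get("external") else "internal"

def audit(apps, expected=EXPECTED):
    """Return (name, documented, actual) for every app that differs from the table."""
    findings = []
    for app in apps:
        name, actual = app["name"], exposure(app)
        documented = expected.get(name, "undocumented")
        if actual != documented:
            findings.append((name, documented, actual))
    # An app that is publicly reachable but should not be is the serious case.
    findings.sort(key=lambda f: f[2] != "external")
    return findings

# Constructed sample, trimmed to the fields used; not real output from this environment.
SAMPLE = json.loads("""[
  {"name": "keycloak", "properties": {"configuration": {"ingress": {"external": true}}}},
  {"name": "debug-shell", "properties": {"configuration": {"ingress": {"external": false}}}},
  {"name": "openfga", "properties": {"configuration": {"ingress": {"external": true}}}},
  {"name": "router-service", "properties": {"configuration": {"ingress": {"external": false}}}},
  {"name": "authstack-toolbox", "properties": {"configuration": {"ingress": null}}}
]""")

if __name__ == "__main__":
    for name, documented, actual in audit(SAMPLE):
        print(f"DRIFT {name}: documented {documented}, actual {actual}")
```

To run it against the live environment, load the output of `az containerapp list --resource-group testing -o json` in place of `SAMPLE`.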
Private DNS
The PostgreSQL server cerebro-authstack-pg is accessed via a private DNS zone:
cerebro-authstack-pg.private.postgres.database.azure.com
The zone is linked to cerebro-auth-vnet, so only apps inside the VNet can connect.
Outbound IPs
Container apps share a pool of egress IPs from the environment. If you need to whitelist AgentStack IPs in an external service, run:
```bash
az containerapp env show \
  --name cerebro-auth-env \
  --resource-group testing \
  --query 'properties.staticIp' \
  -o tsv
```
Custom Domain DNS (Cloudflare)
agentstacktech.com is managed in Cloudflare with:
- `@` CNAME → agentatacktechmarketing.icydesert-76825898.southindia.azurecontainerapps.io (proxy OFF)
- `asuid` TXT → Azure domain verification token
SSL is terminated at the Azure Container App (managed certificate). Keep Cloudflare proxy off so Azure can renew the cert automatically.