diff --git a/.container_apps/onboarding-ms/container_app.tf b/.container_apps/onboarding-ms/container_app.tf
index 30a5fbb50..b8bc207dc 100644
--- a/.container_apps/onboarding-ms/container_app.tf
+++ b/.container_apps/onboarding-ms/container_app.tf
@@ -84,3 +84,20 @@ resource "azurerm_key_vault_access_policy" "keyvault_containerapp_access_policy"
     "Get",
   ]
 }
+
+data "azurerm_resource_group" "rg_vnet" {
+  name     = format("%s-vnet-rg", local.project)
+}
+
+data "azurerm_private_dns_zone" "private_azurecontainerapps_io" {
+  name                = local.container_app_environment_dns_zone_name
+  resource_group_name = data.azurerm_resource_group.rg_vnet.name
+}
+
+resource "azurerm_private_dns_a_record" "private_dns_record_a_azurecontainerapps_io" {
+  name                = "${azapi_resource.container_app_onboarding_ms.name}.${trimsuffix(data.azurerm_container_app_environment.container_app_environment.default_domain, ".${local.container_app_environment_dns_zone_name}")}"
+  zone_name           = data.azurerm_private_dns_zone.private_azurecontainerapps_io.name
+  resource_group_name = data.azurerm_resource_group.rg_vnet.name
+  ttl                 = 3600
+  records             = [data.azurerm_container_app_environment.container_app_environment.static_ip_address]
+}
diff --git a/.container_apps/onboarding-ms/locals.tf b/.container_apps/onboarding-ms/locals.tf
index 780e06b56..669912c50 100644
--- a/.container_apps/onboarding-ms/locals.tf
+++ b/.container_apps/onboarding-ms/locals.tf
@@ -2,6 +2,8 @@ locals {
   project  = "${var.prefix}-${var.env_short}"
   app_name = "onboarding-ms"
 
+  container_app_environment_dns_zone_name = "azurecontainerapps.io"
+
   secrets = [for secret in var.key_vault.secrets_names :
     {
       identity    = "system"