Update NSG, container registry

pamelafox · pamelafox · commit 287aa0ec7bfb · 2025-08-01T09:29:32.000-07:00
diff --git a/infra/core/host/container-registry.bicep b/infra/core/host/container-registry.bicep
@@ -2,7 +2,7 @@ param name string
 param location string = resourceGroup().location
 param tags object = {}
 
-param adminUserEnabled bool = true
+param adminUserEnabled bool = false
 param anonymousPullEnabled bool = false
 param dataEndpointEnabled bool = false
 param encryption object = {
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -300,7 +300,7 @@ param webAppExists bool
 @allowed(['appservice', 'containerapps'])
 param deploymentTarget string = 'appservice'
 param acaIdentityName string = deploymentTarget == 'containerapps' ? '${environmentName}-aca-identity' : ''
-param acaManagedEnvironmentName string = deploymentTarget == 'containerapps' ? '${environmentName}-aca-env' : ''
+param acaManagedEnvironmentName string = deploymentTarget == 'containerapps' ? '${environmentName}-aca-envnet' : ''
 param containerRegistryName string = deploymentTarget == 'containerapps'
   ? '${replace(toLower(environmentName), '-', '')}acr'
   : ''
@@ -1376,4 +1376,5 @@ output AZURE_CONTAINER_REGISTRY_ENDPOINT string = deploymentTarget == 'container
   ? containerApps.outputs.registryLoginServer
   : ''
 
-output AZURE_VPN_CONFIG_DOWNLOAD_LINK string = useVpnGateway ? 'https://portal.azure.com/#@${tenant().tenantId}/resource/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup.name}/providers/Microsoft.Network/virtualNetworkGateways/${isolation.outputs.virtualNetworkGatewayName}/pointtositeconfiguration' : ''
+// TODO: test this
+output AZURE_VPN_CONFIG_DOWNLOAD_LINK string = useVpnGateway ? 'https://portal.azure.com/#@${tenant().tenantId}/resource/${isolation.outputs.virtualNetworkGatewayId}/pointtositeconfiguration' : ''
diff --git a/infra/network-isolation.bicep b/infra/network-isolation.bicep
@@ -22,7 +22,7 @@ var backendSubnetName = 'backend-subnet'
 var gatewaySubnetName = 'GatewaySubnet' // Required name for Gateway subnet
 var dnsResolverSubnetName = 'dns-resolver-subnet'
 var appServiceSubnetName = 'app-service-subnet'
-var containerAppsSubnetName = 'container-apps-subnet'
+var containerAppsSubnetName = 'app-int-subnet'
 
 module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1' = if (deploymentTarget == 'containerapps') {
   name: 'container-apps-nsg'
@@ -31,19 +31,112 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
     location: location
     tags: tags
     securityRules: [
+      // Inbound rules for Container Apps (Workload Profiles)
       {
-        name: 'AllowHttpsInbound'
+        name: 'AllowAzureLoadBalancerInbound'
         properties: {
           protocol: 'Tcp'
           sourcePortRange: '*'
-          sourceAddressPrefix: 'Internet'
-          destinationPortRange: '443'
-          destinationAddressPrefix: '*'
+          sourceAddressPrefix: 'AzureLoadBalancer'
+          destinationPortRange: '30000-32767'
+          destinationAddressPrefix: '10.0.0.0/21' // Container apps subnet
           access: 'Allow'
           priority: 100
           direction: 'Inbound'
         }
       }
+      // Outbound rules for Container Apps (Workload Profiles)
+      {
+        name: 'AllowMicrosoftContainerRegistryOutbound'
+        properties: {
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationPortRange: '443'
+          destinationAddressPrefix: 'MicrosoftContainerRegistry'
+          access: 'Allow'
+          priority: 100
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'AllowAzureFrontDoorOutbound'
+        properties: {
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationPortRange: '443'
+          destinationAddressPrefix: 'AzureFrontDoor.FirstParty'
+          access: 'Allow'
+          priority: 110
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'AllowContainerAppsSubnetOutbound'
+        properties: {
+          protocol: '*'
+          sourcePortRange: '*'
+          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationPortRange: '*'
+          destinationAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          access: 'Allow'
+          priority: 120
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'AllowAzureActiveDirectoryOutbound'
+        properties: {
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationPortRange: '443'
+          destinationAddressPrefix: 'AzureActiveDirectory'
+          access: 'Allow'
+          priority: 130
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'AllowAzureMonitorOutbound'
+        properties: {
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationPortRange: '443'
+          destinationAddressPrefix: 'AzureMonitor'
+          access: 'Allow'
+          priority: 140
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'AllowAzureDnsOutbound'
+        properties: {
+          protocol: '*'
+          sourcePortRange: '*'
+          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationPortRange: '53'
+          destinationAddressPrefix: '168.63.129.16'
+          access: 'Allow'
+          priority: 150
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'AllowStorageRegionOutbound'
+        properties: {
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationPortRange: '443'
+          destinationAddressPrefix: 'Storage.${location}'
+          access: 'Allow'
+          priority: 160
+          direction: 'Outbound'
+        }
+      }
     ]
   }
 }
@@ -253,4 +346,4 @@ output privateDnsResolverSubnetId string = useVpnGateway ? vnet.outputs.subnetRe
 output appSubnetId string = vnet.outputs.subnetResourceIds[appSubnetIndex]
 output vnetName string = vnet.outputs.name
 output vnetId string = vnet.outputs.resourceId
-output virtualNetworkGatewayName string = useVpnGateway ? virtualNetworkGateway!.outputs.name : ''
+output virtualNetworkGatewayId string = useVpnGateway ? virtualNetworkGateway!.outputs.resourceId : ''
