articles/container-apps/firewall-integration.md (8 additions, 30 deletions)
@@ -12,12 +12,11 @@ ms.author: jennylaw
12
12
13
13
# Securing a custom VNET in Azure Container Apps
14
14
15
-
Firewall settings Network Security Groups (NSGs) needed to configure virtual networks closely resemble the settings required by Kubernetes.
15
+
Network Security Groups (NSGs) needed to configure virtual networks closely resemble the settings required by Kubernetes.
16
16
17
-
Some outbound dependencies of Azure Kubernetes Service (AKS) clusters rely exclusively on fully qualified domain names (FQDN), therefore securing an AKS cluster purely with NSGs isn't possible. Refer to [Control egress traffic for cluster nodes in Azure Kubernetes Service](../aks/limit-egress-traffic.md) for details.
17
+
You can lock down a network via NSGs with more restrictive rules than the default NSG rules to control all inbound and outbound traffic for the Container App Environment.
18
18
19
-
* You can lock down a network via NSGs with more restrictive rules than the default NSG rules.
20
-
* To fully secure a cluster, use a combination of NSGs and a firewall.
19
+
Using custom user-defined routes (UDRs) or ExpressRoutes, other than with UDRs of selected destinations that you own, are not yet supported for Container App Environments with VNETs. Therefore, securing a Container App Environment with a firewall is not yet supported.
21
20
22
21
## NSG allow rules
23
22
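Review bot: new line 19 has a subject-verb mismatch; the subject is "Using", so "Using custom user-defined routes (UDRs) or ExpressRoutes ... are not yet supported" should read "is not yet supported". The same sentence's exception, "other than with UDRs of selected destinations that you own", does not say which destinations qualify, so a reader cannot tell which UDRs are allowed; spell it out. Separately, new line 17 says NSGs can "control all inbound and outbound traffic", but the removed line 17 carried the caveat that some outbound dependencies are FQDN-only and cannot be restricted with NSGs, and that caveat still applies to the `TCP 443 *` rule kept later in this file; suggest keeping a sentence such as "Some outbound dependencies are FQDN-based and can't be narrowed with NSGs alone" rather than dropping it.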
@@ -27,8 +26,8 @@ The following tables describe how to configure a collection of NSG allow rules.
27
26
28
27
| Protocol | Port | ServiceTag | Description |
29
28
|--|--|--|--|
30
-
| Any |\*|Control plane subnet address space | Allow communication between IPs in the control plane subnet. This address is passed to as a parameter when you create an environment. For example, `10.0.0.0/21`. |
31
-
| Any |\*|App subnet address space | Allow communication between nodes in the app subnet. This address is passed as a parameter when you create an environment. For example, `10.0.8.0/21`. |
29
+
| Any |\*|Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/23`. |
30
+
| Any |\*|AzureLoadBalancer | Allow the Azure infrastructure load balancer to communicate with your environment. |
32
31
33
32
### Outbound with ServiceTags
34
33
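Review bot: the new "Infrastructure subnet address space" row sits under a column headed "ServiceTag", but a subnet prefix is an address range, not a service tag; rename the column to "Source" (or "Source / ServiceTag") so both this row and the new "AzureLoadBalancer" row read correctly. The example prefix changes from `10.0.0.0/21` to `10.0.0.0/23`, which is consistent with the outbound table in the same commit, but the text should make clear the value is an example and not a required size. The AzureLoadBalancer row allows any port; if the intent is only load balancer probe traffic, say so in the description so readers know what they can narrow.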
@@ -40,29 +39,8 @@ The following tables describe how to configure a collection of NSG allow rules.
40
39
41
40
### Outbound with wild card IP rules
42
41
43
-
As the following rules require allowing all IPs, use a Firewall solution to lock down to specific FQDNs.
44
-
45
42
| Protocol | Port | IP | Description |
46
43
|--|--|--|--|
47
-
| TCP |`443`|\*| Allow all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |
48
-
| UDP |`123`|\*| NTP server. If using firewall, allowlist `ntp.ubuntu.com:123`. |
49
-
| Any |\*| Control plane subnet address space | Allow communication between IPs in the control plane subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`. |
50
-
| Any |\*| App subnet address space | Allow communication between nodes in the App subnet. This address is passed as a parameter when you create an environment. For example, `10.0.8.0/21`. |
51
-
52
-
## Firewall configuration
53
-
54
-
### Outbound FQDN dependencies
55
-
56
-
| FQDN | Protocol | Port | Description |
57
-
|--|--|--|--|
58
-
|`*.hcp.<REGION>.azmk8s.io`| HTTPS |`443`| Required for internal AKS secure connection between nodes and control plane. |
59
-
|`mcr.microsoft.com`| HTTPS |`443`| Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images and charts (for example, coreDNS). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. |
60
-
|`*.data.mcr.microsoft.com`| HTTPS |`443`| Required for MCR storage backed by the Azure content delivery network (CDN). |
61
-
|`management.azure.com`| HTTPS |`443`| Required for Kubernetes operations against the Azure API. |
62
-
|`login.microsoftonline.com`| HTTPS |`443`| Required for Azure Active Directory authentication. |
63
-
|`packages.microsoft.com`| HTTPS |`443`| This address is the Microsoft packages repository used for cached apt-get operations. Example packages include Moby, PowerShell, and Azure CLI. |
64
-
|`acs-mirror.azureedge.net`| HTTPS |`443`| This address is for the repository required to download and install required binaries like `kubenet` and Azure Container Networking Interface. |
65
-
|`dc.services.visualstudio.com`| HTTPS |`443`| This endpoint is used for metrics and monitoring using Azure Monitor. |
66
-
|`*.ods.opinsights.azure.com`| HTTPS |`443`| This endpoint is used by Azure Monitor for ingesting log analytics data. |
67
-
|`*.oms.opinsights.azure.com`| HTTPS |`443`| This endpoint is used by `omsagent`, which is used to authenticate the log analytics service. |
68
-
|`*.monitoring.azure.com`| HTTPS |`443`| This endpoint is used to send metrics data to Azure Monitor. |
44
+
| TCP |`443`|\*| Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |
45
+
| UDP |`123`|\*| NTP server. |
46
+
| Any |\*| Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/23`. |
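Review bot: deleting line 43 ("As the following rules require allowing all IPs, use a Firewall solution to lock down to specific FQDNs.") leaves the `TCP 443 *` and `UDP 123 *` rows with no warning that they are effectively unrestricted egress. Since the first hunk now states that a firewall is not supported, replace the sentence rather than drop it, for example "The following rules allow all destination IPs on these ports; they can't be narrowed with NSGs because the dependencies are FQDN-based." The deleted "Outbound FQDN dependencies" table was also the only place that told readers what the port 443 wildcard actually reaches (`*.hcp.<REGION>.azmk8s.io`, `mcr.microsoft.com`, `login.microsoftonline.com`, the Azure Monitor endpoints); even with firewall configuration unsupported, keeping that list as reference material lets readers audit observed egress against expected destinations. The NTP row loses the `ntp.ubuntu.com:123` hint with no replacement, so "NTP server." alone no longer says where UDP 123 goes. Minor style point on the unchanged heading: "wild card" should be "wildcard".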