Commit 756a3e2

Merge pull request #270430 from cachai2/nsgupdates
fix consumption only
2 parents aa48abc + c5fc8a3 commit 756a3e2

1 file changed

+2
-1
lines changed

articles/container-apps/firewall-integration.md

Lines changed: 2 additions & 1 deletion
@@ -74,6 +74,8 @@ The following tables describe how to configure a collection of NSG allow rules.
7474
7575
| Protocol | Source | Source ports | Destination | Destination ports | Description |
7676
|--|--|--|--|--|--|
77+
| TCP | Your container app's subnet | \* | `MicrosoftContainerRegistry` | `443` | This is the service tag for Microsoft container registry for system containers. |
78+
| TCP | Your container app's subnet | \* | `AzureFrontDoor.FirstParty` | `443` | This is a dependency of the `MicrosoftContainerRegistry` service tag. |
7779
| UDP | Your container app's subnet | \* | `AzureCloud.<REGION>` | `1194` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
7880
| TCP | Your container app's subnet | \* | `AzureCloud.<REGION>` | `9000` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
7981
| TCP | Your container app's subnet | \* | `AzureCloud` | `443` | Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |
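Review bot: the description on the new `AzureFrontDoor.FirstParty` row (new line 78) says only that it is a dependency of the `MicrosoftContainerRegistry` service tag, which leaves it unclear that the two rules have to be kept as a pair. Suggest wording such as "Required together with the `MicrosoftContainerRegistry` rule" so that someone trimming NSG rules does not drop one of them. The row at new line 77 also writes "Microsoft container registry" in lower case while other rows in this table capitalise "Azure Container Registry"; "Microsoft Container Registry" would be consistent. Neither new row says whether it applies to every environment type, and the commit message "fix consumption only" suggests a scope that the table text does not state.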
@@ -82,7 +84,6 @@ The following tables describe how to configure a collection of NSG allow rules.
8284
| TCP and UDP | Your container app's subnet | \* | `168.63.129.16` | `53` | Enables the environment to use Azure DNS to resolve the hostname. |
8385
| TCP | Your container app's subnet<sup>1</sup> | \* | Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port will be your container registry's port unless using private endpoints.<sup>2</sup> |
8486
| TCP | Your container app's subnet | \* | `Storage.<Region>` | `443` | Only required when using `Azure Container Registry` to host your images. |
85-
| TCP | Your container app's subnet | \* | `AzureFrontDoor.FirstParty` | `443` | Only required when using `Azure Container Registry` to host your images. |
8687
| TCP | Your container app's subnet | \* | `AzureMonitor` | `443` | Only required when using Azure Monitor. Allows outbound calls to Azure Monitor. |
8788

8889
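Review bot: the deleted `AzureFrontDoor.FirstParty` row (old line 85) carried the condition "Only required when using `Azure Container Registry` to host your images", and after this change no remaining row in the visible context says whether pulls from Azure Container Registry still depend on that tag. If they do, add that to the description of the `AzureFrontDoor.FirstParty` row that remains; if they do not, a short sentence saying so would help readers who built their allow list from the old wording. The neighbouring `Storage.<Region>` row at old line 84 still uses the "Only required when using `Azure Container Registry`" wording, so the two ACR-related entries now read inconsistently.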
