Updates per cachai.

Author: v-jaswel

articles/container-apps/custom-virtual-networks.md

@@ -61,14 +61,14 @@ Different environment types have different subnet requirements:
 
     | Subnet Size | Available IP Addresses<sup>1</sup> | Max nodes (Dedicated workload profile)<sup>2</sup>| Max replicas (Consumption workload profile)<sup>2</sup> |
     |--|--|--|--|
-    | /23 | 500 | 250 | 2,500 |
-    | /24 | 244 | 122 | 1,220 |
-    | /25 | 116 | 58 | 580 |
-    | /26 | 52 | 26 | 260 |
-    | /27 | 20 | 10 | 100 |
-
-    <sup>1</sup> The available IP addresses are the size of the subnet minus the 12 IP addresses required for Azure Container Apps infrastructure.  
-    <sup>2</sup> This is accounting for apps in single revision mode. 
+    | /23 | 495 | 247 | 2,470 |
+    | /24 | 239 | 119 | 1,190 |
+    | /25 | 111 | 55 | 550 |
+    | /26 | 47 | 23 | 230 |
+    | /27 | 15 | 7 | 70 |
+
+    <sup>1</sup> The available IP addresses is the size of the subnet minus the 12 IP addresses required for Azure Container Apps infrastructure and 5 IP addresses reserved by the subnet.  
+    <sup>2</sup> This is accounting for apps in single revision mode.  
 
 # [Consumption-only environment](#tab/consumption-only-env)
 

articles/container-apps/firewall-integration.md

@@ -4,12 +4,12 @@ description: Firewall settings to secure a virtual network in Azure Container Ap
 services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
-ms.topic:  reference
-ms.date: 01/09/2025
+ms.topic: reference
+ms.date: 04/08/2025
 ms.author: cshoe
 ---
 
-# Securing a virtual network in Azure Container Apps  with Network Security Groups
+# Securing a virtual network in Azure Container Apps with Network Security Groups
 
 Network Security Groups (NSGs) needed to configure virtual networks closely resemble the settings required by Kubernetes.
 
@@ -87,14 +87,16 @@ The following tables describe how to configure a collection of NSG allow rules.
 | TCP | Your container app's subnet | \* | `Storage.<Region>` | `443` | Only required when using `Azure Container Registry` to host your images. |
 | TCP | Your container app's subnet | \* | `AzureMonitor` | `443` | Only required when using Azure Monitor. Allows outbound calls to Azure Monitor. |
 
-
 ---
 
 <sup>1</sup> This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`.  
 <sup>2</sup> If you're using Azure Container Registry (ACR) with NSGs configured on your virtual network, create a private endpoint on your ACR to allow Azure Container Apps to pull images through the virtual network. You don't need to add an NSG rule for ACR when configured with private endpoints.
 
-
 #### Considerations
 
 - If you're running HTTP servers, you might need to add ports `80` and `443`.
 - Don't explicitly deny the Azure DNS address `168.63.129.16` in the outgoing NSG rules, or your Container Apps environment doesn't function.
+
+## Next steps
+
+- [Use a private endpoint](how-to-use-private-endpoint.md)

articles/container-apps/networking.md

@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic:  conceptual
-ms.date: 04/03/2025
+ms.date: 04/08/2025
 ms.author: cshoe
 ---
 
@@ -95,10 +95,11 @@ Azure networking policies are supported with the public network access flag.
 
 ## Outbound features
 
-|Feature  |Learn how to  |
+|Feature  |Learn how to |
 |---------|---------|
 |[Using Azure Firewall](using-azure-firewall.md) | Use Azure Firewall to control outbound traffic from your container app. |
 |[Securing a existing VNet with an NSG](firewall-integration.md) | Secure your container app environment's VNet with a Network Security Group (NSG). |
+|[NAT gateway integration](custom-virtual-networks.md#nat-gateway-integration)| Use NAT Gateway to simplify outbound internet connectivity in your virtual network in a workload profiles environment. |
 
 ## Environment security