Adding additional network rules for containers

pauldotyu · pauldotyu · commit f2fa75c2d6ea · 2023-12-04T14:57:40.000-08:00
diff --git a/articles/aks/limit-egress-traffic.md b/articles/aks/limit-egress-traffic.md
@@ -180,7 +180,7 @@ This section covers three network rules and an application rule you can use to c
 * The first network rule allows access to port 9000 via TCP.
 * The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.
 * The third network rule opens port 123 to `ntp.ubuntu.com` FQDN via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, so you'll need to adapt it when using your own options.
-* The application rule covers all needed FQDNs accessible through TCP port 443 and port 80.
+* The fourth and fifth network rules allows access to pull containers from GitHub Container Registry (ghcr.io) and Docker Hub (docker.io).
 
 1. Create the network rules using the [`az network firewall network-rule create`][az-network-firewall-network-rule-create] command.
 
@@ -190,6 +190,10 @@ This section covers three network rules and an application rule you can use to c
     az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'apitcp' --protocols 'TCP' --source-addresses '*' --destination-addresses "AzureCloud.$LOC" --destination-ports 9000
 
     az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'time' --protocols 'UDP' --source-addresses '*' --destination-fqdns 'ntp.ubuntu.com' --destination-ports 123
+
+    az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'ghcr' --protocols 'TCP' --source-addresses '*' --destination-fqdns ghcr.io pkg-containers.githubusercontent.com --destination-ports '443'
+
+    az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'docker' --protocols 'TCP' --source-addresses '*' --destination-fqdns docker.io registry-1.docker.io production.cloudflare.docker.com --destination-ports '443'
     ```
 
 2. Create the application rule using the [`az network firewall application-rule create`][az-network-firewall-application-rule-create] command.
@@ -384,7 +388,7 @@ To configure inbound connectivity, you need to write a DNAT rule to the Azure Fi
 2. Get the service IP using the `kubectl get svc voting-app` command.
 
    ```azurecli-interactive
-   SERVICE_IP=$(kubectl get svc voting-app -o jsonpath='{.status.loadBalancer.ingress[*].ip}')
+   SERVICE_IP=$(kubectl get svc store-front -o jsonpath='{.status.loadBalancer.ingress[*].ip}')
    ```
 
 3. Add the NAT rule using the [`az network firewall nat-rule create`][az-network-firewall-nat-rule-create] command.
