articles/container-apps/firewall-integration.md (11 additions & 10 deletions)
@@ -5,7 +5,7 @@ services: container-apps
5
5
author: CaryChai
6
6
ms.service: azure-container-apps
7
7
ms.topic: reference
8
-
ms.date: 08/29/2023
8
+
ms.date: 01/09/2025
9
9
ms.author: cachai
10
10
---
11
11
@@ -17,7 +17,7 @@ You can lock down a network via NSGs with more restrictive rules than the defaul
17
17
18
18
In the workload profiles environment, user-defined routes (UDRs) and [securing outbound traffic with a firewall](./networking.md#configuring-udr-with-azure-firewall) are supported. When using an external workload profiles environment, inbound traffic to Azure Container Apps is routed through the public IP that exists in the [managed resource group](./networking.md#workload-profiles-environment-2) rather than through your subnet. This means that locking down inbound traffic via NSG or Firewall on an external workload profiles environment isn't supported. For more information, see [Networking in Azure Container Apps environments](./networking.md#user-defined-routes-udr).
19
19
20
-
In the Consumption only environment, express routes are not supported, and custom user-defined routes (UDRs) have limited support. For more details on what level of UDR support is available on Consumption only environment, see the [FAQ](faq.yml#do-consumption-only-environments-support-custom-user-defined-routes-).
20
+
In the Consumption only environment, express routes aren't supported, and custom user-defined routes (UDRs) have limited support. For more information on the level of UDR support available in a Consumption-only environment, see the [FAQ](faq.yml#do-consumption-only-environments-support-custom-user-defined-routes-).
21
21
22
22
## NSG allow rules
23
23
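Review bot: the rewritten sentence at new line 20 is inconsistent with itself, using "Consumption only environment" at the start and "Consumption-only environment" later in the same sentence; pick one form and apply it to both occurrences. While touching this line, confirm whether "express routes" is meant to refer to the Azure ExpressRoute service; if so, the product name should be written as such rather than as a generic lowercase noun.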
@@ -32,7 +32,7 @@ The following tables describe how to configure a collection of NSG allow rules.
| TCP | Your client IPs |\*| Your container app's subnet<sup>1</sup> |`80`, `31080`| Allow your Client IPs to access Azure Container Apps when using HTTP. `31080` is the port on which the Container Apps Environment Edge Proxy responds to the HTTP traffic. It is behind the internal load balancer. |
35
+
| TCP | Your client IPs |\*| Your container app's subnet<sup>1</sup> |`80`, `31080`| Allow your Client IPs to access Azure Container Apps when using HTTP. `31080` is the port on which the Container Apps Environment Edge Proxy responds to the HTTP traffic. It is behind the internal load balancer. |
36
36
| TCP | Your client IPs |\*| Your container app's subnet<sup>1</sup> |`443`, `31443`| Allow your Client IPs to access Azure Container Apps when using HTTPS. `31443` is the port on which the Container Apps Environment Edge Proxy responds to the HTTPS traffic. It is behind the internal load balancer. |
37
37
| TCP | AzureLoadBalancer |\*| Your container app's subnet |`30000-32767`<sup>2</sup> | Allow Azure Load Balancer to probe backend pools. |
38
38
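Review bot: the row added at new line 35 is character-for-character identical to the context row immediately above it (same `80`, `31080` ports, same description), so the rendered table will list the HTTP client rule twice. If the intent was to reinstate a row that had gone missing, check whether the existing context row is itself the stray copy and remove one of the two; otherwise drop the addition. Both copies also keep "It is behind the internal load balancer." while the rest of this change moves to contractions ("aren't", "isn't", "it's"); "It's behind" would match the new style.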
@@ -59,11 +59,12 @@ The following tables describe how to configure a collection of NSG allow rules.
59
59
|--|--|--|--|--|--|
60
60
| TCP | Your container app's subnet |\*|`MicrosoftContainerRegistry`|`443`| This is the service tag for Microsoft container registry for system containers. |
61
61
| TCP | Your container app's subnet |\*|`AzureFrontDoor.FirstParty`|`443`| This is a dependency of the `MicrosoftContainerRegistry` service tag. |
62
-
| Any | Your container app's subnet |\*| Your container app's subnet |\*| Allow communication between IPs in your container app's subnet. |
63
-
| TCP | Your container app's subnet |\*|`AzureActiveDirectory`|`443`| If you're using managed identity, this is required. |
62
+
| Any | Your container app's subnet |\*| Your container app's subnet |\*| Allow communication between IPs in your container app's subnet. |
63
+
| TCP | Your container app's subnet |\*|`AzureActiveDirectory`|`443`|
64
+
If you're using a managed identity, it's required. |
64
65
| TCP | Your container app's subnet |\*|`AzureMonitor`|`443`| Only required when using Azure Monitor. Allows outbound calls to Azure Monitor. |
65
-
| TCP and UDP | Your container app's subnet |\*|`168.63.129.16`|`53`| Enables the environment to use Azure DNS to resolve the hostname. |
66
-
| TCP | Your container app's subnet<sup>1</sup> |\*| Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port will be your container registry's port unless using private endpoints.<sup>2</sup> |
66
+
| TCP and UDP | Your container app's subnet |\*|`168.63.129.16`|`53`| Enables the environment to use Azure DNS to resolve the hostname. <br><br>**Note**: DNS communication to Azure DNS isn't subject to NSGs unless targeted using the `AzurePlatformDNS` service tag. To block DNS traffic, create an outbound rule to deny traffic to the `AzurePlatformDNS` service tag. |
67
+
| TCP | Your container app's subnet<sup>1</sup> |\*| Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port is your container registry's port unless using private endpoints.<sup>2</sup> |
67
68
| TCP | Your container app's subnet |\*|`Storage.<Region>`|`443`| Only required when using `Azure Container Registry` to host your images. |
68
69
69
70
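Review bot: the `AzureActiveDirectory` row has been split across new lines 63 and 64, which breaks the Markdown table. Line 63, `| TCP | Your container app's subnet |\*|`AzureActiveDirectory`|`443`|`, now has one cell fewer than the header, and line 64, `If you're using a managed identity, it's required. |`, is plain text that terminates the table, so the `AzureMonitor`, Azure DNS, container registry and `Storage.<Region>` rows below it will no longer render as part of the table. Rejoin the description into the same line so the row reads `| TCP | Your container app's subnet |\*|`AzureActiveDirectory`|`443`| If you're using a managed identity, it's required. |`.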
@@ -81,8 +82,8 @@ The following tables describe how to configure a collection of NSG allow rules.
81
82
| TCP | Your container app's subnet |\*|`AzureCloud`|`443`| Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |
| Any | Your container app's subnet |\*| Your container app's subnet |\*| Allow communication between IPs in your container app's subnet. |
84
-
| TCP and UDP | Your container app's subnet |\*|`168.63.129.16`|`53`| Enables the environment to use Azure DNS to resolve the hostname. |
85
-
| TCP | Your container app's subnet<sup>1</sup> |\*| Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port will be your container registry's port unless using private endpoints.<sup>2</sup> |
85
+
| TCP and UDP | Your container app's subnet |\*|`168.63.129.16`|`53`| Enables the environment to use Azure DNS to resolve the hostname. <br><br>**Note**: DNS communication to Azure DNS isn't subject to NSGs unless targeted using the `AzurePlatformDNS` service tag. To block DNS traffic, create an outbound rule to deny traffic to the `AzurePlatformDNS` service tag.|
86
+
| TCP | Your container app's subnet<sup>1</sup> |\*| Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port is your container registry's port unless using private endpoints.<sup>2</sup> |
86
87
| TCP | Your container app's subnet |\*|`Storage.<Region>`|`443`| Only required when using `Azure Container Registry` to host your images. |
87
88
| TCP | Your container app's subnet |\*|`AzureMonitor`|`443`| Only required when using Azure Monitor. Allows outbound calls to Azure Monitor. |
88
89
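Review bot: the note cell at new line 85 closes with `service tag.|` while the same note at line 66 of the previous table closes with `service tag. |`; make the spacing consistent across the two tables. Since the Azure DNS / `AzurePlatformDNS` note is now repeated verbatim in both tables, consider moving it into a numbered footnote alongside the existing <sup>1</sup> and <sup>2</sup> notes so a future correction only has to be made in one place.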
@@ -96,4 +97,4 @@ The following tables describe how to configure a collection of NSG allow rules.
96
97
#### Considerations
97
98
98
99
- If you're running HTTP servers, you might need to add ports `80` and `443`.
99
-
- Don't explicitly deny the Azure DNS address `168.63.129.16` in the outgoing NSG rules, or your Container Apps environment won't be able to function.
100
+
- Don't explicitly deny the Azure DNS address `168.63.129.16` in the outgoing NSG rules, or your Container Apps environment doesn't function.
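Review bot: "or your Container Apps environment doesn't function" at new line 100 reads as a flat present-tense statement rather than the consequence the bullet warns about; "stops functioning" or "can't function" keeps the intended meaning without the future tense the edit is avoiding. This bullet also now sits next to the newly added table note stating that DNS traffic to Azure DNS isn't subject to NSGs unless the `AzurePlatformDNS` service tag is targeted, so a reader will ask how an explicit deny on `168.63.129.16` can break the environment if that traffic bypasses NSGs. Add a sentence reconciling the two, for example by stating whether the warning applies to a deny on the `AzurePlatformDNS` service tag, on the literal address, or on both.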