Address PR feedback

Make helper methods for easily adding rules to subnets.

Make NSG a top-level resource.

Author: eerhardt

playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/Program.cs

@@ -3,7 +3,6 @@
 
 #pragma warning disable AZPROVISION001 // Azure.Provisioning.Network is experimental
 
-using Aspire.Hosting.Azure;
 using Azure.Provisioning.Network;
 
 var builder = DistributedApplication.CreateBuilder(args);
@@ -13,80 +12,18 @@
 // - One for private endpoints
 var vnet = builder.AddAzureVirtualNetwork("vnet");
 
-var containerAppsSubnet = vnet.AddSubnet("container-apps", "10.0.0.0/23");
-var privateEndpointsSubnet = vnet.AddSubnet("private-endpoints", "10.0.2.0/27");
+var containerAppsSubnet = vnet.AddSubnet("container-apps", "10.0.0.0/23")
+    .AllowInbound(port: "443", from: "AzureLoadBalancer", protocol: SecurityRuleProtocol.Tcp)
+    .DenyInbound(from: "VirtualNetwork")
+    .DenyInbound(from: "Internet");
 
 // Create a NAT Gateway for deterministic outbound IP on the ACA subnet
 var natGateway = builder.AddNatGateway("nat");
 containerAppsSubnet.WithNatGateway(natGateway);
 
-// Create Network Security Groups for each subnet
-var acaNsg = vnet.AddNetworkSecurityGroup("aca-nsg")
-    .WithSecurityRule(new AzureSecurityRule
-    {
-        Name = "allow-https-from-azure-lb",
-        Priority = 100,
-        Direction = SecurityRuleDirection.Inbound,
-        Access = SecurityRuleAccess.Allow,
-        Protocol = SecurityRuleProtocol.Tcp,
-        SourceAddressPrefix = "AzureLoadBalancer",
-        SourcePortRange = "*",
-        DestinationAddressPrefix = "*",
-        DestinationPortRange = "443"
-    })
-    .WithSecurityRule(new AzureSecurityRule
-    {
-        Name = "deny-vnet-inbound",
-        Priority = 110,
-        Direction = SecurityRuleDirection.Inbound,
-        Access = SecurityRuleAccess.Deny,
-        Protocol = SecurityRuleProtocol.Asterisk,
-        SourceAddressPrefix = "VirtualNetwork",
-        SourcePortRange = "*",
-        DestinationAddressPrefix = "*",
-        DestinationPortRange = "*"
-    })
-    .WithSecurityRule(new AzureSecurityRule
-    {
-        Name = "deny-internet-inbound",
-        Priority = 4096,
-        Direction = SecurityRuleDirection.Inbound,
-        Access = SecurityRuleAccess.Deny,
-        Protocol = SecurityRuleProtocol.Asterisk,
-        SourceAddressPrefix = "Internet",
-        SourcePortRange = "*",
-        DestinationAddressPrefix = "*",
-        DestinationPortRange = "*"
-    });
-
-var peNsg = vnet.AddNetworkSecurityGroup("pe-nsg")
-    .WithSecurityRule(new AzureSecurityRule
-    {
-        Name = "allow-https-from-vnet",
-        Priority = 100,
-        Direction = SecurityRuleDirection.Inbound,
-        Access = SecurityRuleAccess.Allow,
-        Protocol = SecurityRuleProtocol.Tcp,
-        SourceAddressPrefix = "VirtualNetwork",
-        SourcePortRange = "*",
-        DestinationAddressPrefix = "*",
-        DestinationPortRange = "443"
-    })
-    .WithSecurityRule(new AzureSecurityRule
-    {
-        Name = "deny-all-internet-inbound",
-        Priority = 4096,
-        Direction = SecurityRuleDirection.Inbound,
-        Access = SecurityRuleAccess.Deny,
-        Protocol = SecurityRuleProtocol.Asterisk,
-        SourceAddressPrefix = "Internet",
-        SourcePortRange = "*",
-        DestinationAddressPrefix = "*",
-        DestinationPortRange = "*"
-    });
-
-containerAppsSubnet.WithNetworkSecurityGroup(acaNsg);
-privateEndpointsSubnet.WithNetworkSecurityGroup(peNsg);
+var privateEndpointsSubnet = vnet.AddSubnet("private-endpoints", "10.0.2.0/27")
+    .AllowInbound(port: "443", from: "VirtualNetwork", protocol: SecurityRuleProtocol.Tcp)
+    .DenyInbound(from: "Internet");
 
 // Configure the Container App Environment to use the VNet
 builder.AddAzureContainerAppEnvironment("env")

playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/aspire-manifest.json

@@ -5,13 +5,23 @@
       "type": "azure.bicep.v0",
       "path": "vnet.module.bicep",
       "params": {
-        "nat_outputs_id": "{nat.outputs.id}"
+        "nat_outputs_id": "{nat.outputs.id}",
+        "container_apps_nsg_outputs_id": "{container-apps-nsg.outputs.id}",
+        "private_endpoints_nsg_outputs_id": "{private-endpoints-nsg.outputs.id}"
       }
     },
+    "container-apps-nsg": {
+      "type": "azure.bicep.v0",
+      "path": "container-apps-nsg.module.bicep"
+    },
     "nat": {
       "type": "azure.bicep.v0",
       "path": "nat.module.bicep"
     },
+    "private-endpoints-nsg": {
+      "type": "azure.bicep.v0",
+      "path": "private-endpoints-nsg.module.bicep"
+    },
     "env-acr": {
       "type": "azure.bicep.v0",
       "path": "env-acr.module.bicep"

playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/container-apps-nsg.module.bicep

@@ -0,0 +1,59 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+resource container_apps_nsg_allow_inbound_443_AzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'allow-inbound-443-AzureLoadBalancer'
+  properties: {
+    access: 'Allow'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '443'
+    direction: 'Inbound'
+    priority: 100
+    protocol: 'Tcp'
+    sourceAddressPrefix: 'AzureLoadBalancer'
+    sourcePortRange: '*'
+  }
+  parent: container_apps_nsg
+}
+
+resource container_apps_nsg_deny_inbound_VirtualNetwork 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'deny-inbound-VirtualNetwork'
+  properties: {
+    access: 'Deny'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '*'
+    direction: 'Inbound'
+    priority: 200
+    protocol: '*'
+    sourceAddressPrefix: 'VirtualNetwork'
+    sourcePortRange: '*'
+  }
+  parent: container_apps_nsg
+}
+
+resource container_apps_nsg_deny_inbound_Internet 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'deny-inbound-Internet'
+  properties: {
+    access: 'Deny'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '*'
+    direction: 'Inbound'
+    priority: 300
+    protocol: '*'
+    sourceAddressPrefix: 'Internet'
+    sourcePortRange: '*'
+  }
+  parent: container_apps_nsg
+}
+
+resource container_apps_nsg 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
+  name: take('container_apps_nsg-${uniqueString(resourceGroup().id)}', 80)
+  location: location
+  tags: {
+    'aspire-resource-name': 'container-apps-nsg'
+  }
+}
+
+output id string = container_apps_nsg.id
+
+output name string = container_apps_nsg.name

playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/private-endpoints-nsg.module.bicep

@@ -0,0 +1,44 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+resource private_endpoints_nsg_allow_inbound_443_VirtualNetwork 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'allow-inbound-443-VirtualNetwork'
+  properties: {
+    access: 'Allow'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '443'
+    direction: 'Inbound'
+    priority: 100
+    protocol: 'Tcp'
+    sourceAddressPrefix: 'VirtualNetwork'
+    sourcePortRange: '*'
+  }
+  parent: private_endpoints_nsg
+}
+
+resource private_endpoints_nsg_deny_inbound_Internet 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'deny-inbound-Internet'
+  properties: {
+    access: 'Deny'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '*'
+    direction: 'Inbound'
+    priority: 200
+    protocol: '*'
+    sourceAddressPrefix: 'Internet'
+    sourcePortRange: '*'
+  }
+  parent: private_endpoints_nsg
+}
+
+resource private_endpoints_nsg 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
+  name: take('private_endpoints_nsg-${uniqueString(resourceGroup().id)}', 80)
+  location: location
+  tags: {
+    'aspire-resource-name': 'private-endpoints-nsg'
+  }
+}
+
+output id string = private_endpoints_nsg.id
+
+output name string = private_endpoints_nsg.name

playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/vnet.module.bicep

@@ -3,6 +3,10 @@ param location string = resourceGroup().location
 
 param nat_outputs_id string
 
+param container_apps_nsg_outputs_id string
+
+param private_endpoints_nsg_outputs_id string
+
 resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' = {
   name: take('vnet-${uniqueString(resourceGroup().id)}', 64)
   properties: {
@@ -18,91 +22,6 @@ resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' = {
   }
 }
 
-resource aca_nsg 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
-  name: take('aca_nsg-${uniqueString(resourceGroup().id)}', 80)
-  location: location
-}
-
-resource aca_nsg_allow_https_from_azure_lb 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
-  name: 'allow-https-from-azure-lb'
-  properties: {
-    access: 'Allow'
-    destinationAddressPrefix: '*'
-    destinationPortRange: '443'
-    direction: 'Inbound'
-    priority: 100
-    protocol: 'Tcp'
-    sourceAddressPrefix: 'AzureLoadBalancer'
-    sourcePortRange: '*'
-  }
-  parent: aca_nsg
-}
-
-resource aca_nsg_deny_vnet_inbound 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
-  name: 'deny-vnet-inbound'
-  properties: {
-    access: 'Deny'
-    destinationAddressPrefix: '*'
-    destinationPortRange: '*'
-    direction: 'Inbound'
-    priority: 110
-    protocol: '*'
-    sourceAddressPrefix: 'VirtualNetwork'
-    sourcePortRange: '*'
-  }
-  parent: aca_nsg
-}
-
-resource aca_nsg_deny_internet_inbound 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
-  name: 'deny-internet-inbound'
-  properties: {
-    access: 'Deny'
-    destinationAddressPrefix: '*'
-    destinationPortRange: '*'
-    direction: 'Inbound'
-    priority: 4096
-    protocol: '*'
-    sourceAddressPrefix: 'Internet'
-    sourcePortRange: '*'
-  }
-  parent: aca_nsg
-}
-
-resource pe_nsg 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
-  name: take('pe_nsg-${uniqueString(resourceGroup().id)}', 80)
-  location: location
-}
-
-resource pe_nsg_allow_https_from_vnet 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
-  name: 'allow-https-from-vnet'
-  properties: {
-    access: 'Allow'
-    destinationAddressPrefix: '*'
-    destinationPortRange: '443'
-    direction: 'Inbound'
-    priority: 100
-    protocol: 'Tcp'
-    sourceAddressPrefix: 'VirtualNetwork'
-    sourcePortRange: '*'
-  }
-  parent: pe_nsg
-}
-
-resource pe_nsg_deny_all_internet_inbound 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
-  name: 'deny-all-internet-inbound'
-  properties: {
-    access: 'Deny'
-    destinationAddressPrefix: '*'
-    destinationPortRange: '*'
-    direction: 'Inbound'
-    priority: 4096
-    protocol: '*'
-    sourceAddressPrefix: 'Internet'
-    sourcePortRange: '*'
-  }
-  parent: pe_nsg
-}
-
 resource container_apps 'Microsoft.Network/virtualNetworks/subnets@2025-05-01' = {
   name: 'container-apps'
   properties: {
@@ -119,7 +38,7 @@ resource container_apps 'Microsoft.Network/virtualNetworks/subnets@2025-05-01' =
       id: nat_outputs_id
     }
     networkSecurityGroup: {
-      id: aca_nsg.id
+      id: container_apps_nsg_outputs_id
     }
   }
   parent: vnet
@@ -130,7 +49,7 @@ resource private_endpoints 'Microsoft.Network/virtualNetworks/subnets@2025-05-01
   properties: {
     addressPrefix: '10.0.2.0/27'
     networkSecurityGroup: {
-      id: pe_nsg.id
+      id: private_endpoints_nsg_outputs_id
     }
   }
   parent: vnet