Update subnet and NSG rules for container apps

CWade3051 · CWade3051 · commit 008e6efacd71 · 2025-08-04T16:32:25.000-04:00
Changed container apps subnet address prefix from '10.0.0.0/21' to '10.0.16.0/21' in network-isolation.bicep and related NSG rules. Added Google DNS IP (8.8.8.8) to Cosmos DB ipRules in main.bicep for public network access.
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -878,7 +878,9 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.6.1' = if (use
     enableFreeTier: cosmosDbSkuName == 'free'
     capabilitiesToAdd: cosmosDbSkuName == 'serverless' ? ['EnableServerless'] : []
     networkRestrictions: {
-      ipRules: []
+      ipRules: [
+        '8.8.8.8'           // Google DNS (publicly routable)
+      ]
       networkAclBypass: bypass
       publicNetworkAccess: publicNetworkAccess
       virtualNetworkRules: []
diff --git a/infra/network-isolation.bicep b/infra/network-isolation.bicep
@@ -39,7 +39,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
           sourcePortRange: '*'
           sourceAddressPrefix: 'AzureLoadBalancer'
           destinationPortRange: '30000-32767'
-          destinationAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationAddressPrefix: '10.0.16.0/21' // Container apps subnet
           access: 'Allow'
           priority: 100
           direction: 'Inbound'
@@ -51,7 +51,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
         properties: {
           protocol: 'Tcp'
           sourcePortRange: '*'
-          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          sourceAddressPrefix: '10.0.16.0/21' // Container apps subnet
           destinationPortRange: '443'
           destinationAddressPrefix: 'MicrosoftContainerRegistry'
           access: 'Allow'
@@ -64,7 +64,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
         properties: {
           protocol: 'Tcp'
           sourcePortRange: '*'
-          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          sourceAddressPrefix: '10.0.16.0/21' // Container apps subnet
           destinationPortRange: '443'
           destinationAddressPrefix: 'AzureFrontDoor.FirstParty'
           access: 'Allow'
@@ -77,9 +77,9 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
         properties: {
           protocol: '*'
           sourcePortRange: '*'
-          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          sourceAddressPrefix: '10.0.16.0/21' // Container apps subnet
           destinationPortRange: '*'
-          destinationAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          destinationAddressPrefix: '10.0.16.0/21' // Container apps subnet
           access: 'Allow'
           priority: 120
           direction: 'Outbound'
@@ -90,7 +90,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
         properties: {
           protocol: 'Tcp'
           sourcePortRange: '*'
-          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          sourceAddressPrefix: '10.0.16.0/21' // Container apps subnet
           destinationPortRange: '443'
           destinationAddressPrefix: 'AzureActiveDirectory'
           access: 'Allow'
@@ -103,7 +103,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
         properties: {
           protocol: 'Tcp'
           sourcePortRange: '*'
-          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          sourceAddressPrefix: '10.0.16.0/21' // Container apps subnet
           destinationPortRange: '443'
           destinationAddressPrefix: 'AzureMonitor'
           access: 'Allow'
@@ -116,7 +116,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
         properties: {
           protocol: '*'
           sourcePortRange: '*'
-          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          sourceAddressPrefix: '10.0.16.0/21' // Container apps subnet
           destinationPortRange: '53'
           destinationAddressPrefix: '168.63.129.16'
           access: 'Allow'
@@ -129,7 +129,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
         properties: {
           protocol: 'Tcp'
           sourcePortRange: '*'
-          sourceAddressPrefix: '10.0.0.0/21' // Container apps subnet
+          sourceAddressPrefix: '10.0.16.0/21' // Container apps subnet
           destinationPortRange: '443'
           destinationAddressPrefix: 'Storage.${location}'
           access: 'Allow'
@@ -284,7 +284,7 @@ module vnet 'br/public:avm/res/network/virtual-network:0.6.1' = {
         : [
             {
               name: containerAppsSubnetName
-              addressPrefix: '10.0.0.0/21'
+              addressPrefix: '10.0.16.0/21'
               delegation: 'Microsoft.App/environments'
               networkSecurityGroupResourceId: containerAppsNSG!.outputs.resourceId
             }
