![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 69%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 77%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
oh Phillip, this is a classic azure firewall gotcha. you followed the docs to the letter, but then real world traffic throws a bunch of new FQDNs at you that are not in the guide.
you are absolutely right. the documentation for container apps and azure firewall is not fully comprehensive. those FQDNs you discovered are critical for the underlying container apps infrastructure to function, especially for image pulling and management operations. it is a documentation gap that they are not explicitly listed.
for your microsoft azure solution, you need to add application rules in your azure firewall to allow outbound traffic to these newly discovered FQDNs. based on your list, you will need to create rules for.
acs-mirror.azureedge.net - this is for container image pulls.
management.azure.com - this is for control plane communication.
*.servicebus.windows.net - use a wildcard for servicebus. this is used for internal messaging and logging.
packages.aks.azure.com - this is for core kubernetes components.
the reason you see these for aks and not container apps is because container apps is built on aks. it uses the same underlying plumbing, so it needs the same endpoints https://learn.microsoft.com/azure/aks/limit-egress-traffic
the servicebus call is likely coming from the container apps runtime itself, not your github runner. the platform uses it for internal coordination. adding a wildcard rule for *.servicebus.windows.net should resolve that block.
when building firewall rules for a new azure service, enable logging and set a wide allow rule initially. watch the logs for a few days to see all the FQDNs that are being hit. then, build your specific deny rules based on that real traffic. it is a more reliable way to find all the required endpoints.
use fully qualified domain name (fqdn) tags in your firewall rules when available. for example, there is an 'azurekuberneteservice' tag that bundles many of the necessary aks endpoints. check if there is a similar tag for container apps.
Best regards,
Alex
and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer