Customer responsibilities for running Azure Spring Apps in a virtual network

Note

The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.

The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.

This article applies to: ✅ Basic/Standard ✅ Enterprise

This article includes specifications for the use of Azure Spring Apps in a virtual network.

When Azure Spring Apps is deployed in your virtual network, it has outbound dependencies on services outside of the virtual network. For management and operational purposes, Azure Spring Apps must access certain ports and fully qualified domain names (FQDNs). Azure Spring Apps requires these endpoints to communicate with the management plane and to download and install core Kubernetes cluster components and security updates.

By default, Azure Spring Apps has unrestricted outbound (egress) internet access. This level of network access allows the applications you run to reach external resources as needed. If you want to restrict egress traffic, a limited set of ports and addresses must remain reachable for maintenance tasks. The simplest way to secure outbound addresses is to use a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.

Azure Spring Apps resource requirements

The following list shows the resource requirements for Azure Spring Apps services. As a general rule, don't modify the resource groups created by Azure Spring Apps or the underlying network resources.

  • Don't modify resource groups created and owned by Azure Spring Apps.
    • By default, these resource groups are named ap-svc-rt_<service-instance-name>_<region>* and ap_<service-instance-name>_<region>*.
    • Don't block Azure Spring Apps from updating resources in these resource groups.
  • Don't modify subnets used by Azure Spring Apps.
  • Don't create more than one Azure Spring Apps service instance in the same subnet.
  • When using a firewall to control traffic, don't block the following egress traffic to Azure Spring Apps components that operate, maintain, and support the service instance.

Azure Global required network rules

| Destination endpoint | Port | Use | Note |
| --- | --- | --- | --- |
| *:443 or ServiceTag - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management | For information about the service instance requiredTraffics, see the resource payload, under the networkProfile section. |
| *.azurecr.io:443 or ServiceTag - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry | Can be replaced by enabling the Azure Container Registry service endpoint in the virtual network. |
| *.core.windows.net:443 and *.core.windows.net:445 or ServiceTag - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the Azure Storage service endpoint in the virtual network. |
| *.servicebus.windows.net:443 or ServiceTag - EventHub:443 | TCP:443 | Azure Event Hubs | Can be replaced by enabling the Azure Event Hubs service endpoint in the virtual network. |
| *.prod.microsoftmetrics.com:443 or ServiceTag - AzureMonitor:443 | TCP:443 | Azure Monitor | Allows outbound calls to Azure Monitor. |

Azure Global required FQDN / application rules

Azure Firewall provides the FQDN tag AzureKubernetesService to simplify the following configurations:

| Destination FQDN | Port | Use |
| --- | --- | --- |
| *.azmk8s.io | HTTPS:443 | Underlying Kubernetes Cluster management. |
| mcr.microsoft.com | HTTPS:443 | Microsoft Container Registry (MCR). |
| *.data.mcr.microsoft.com | HTTPS:443 | MCR storage backed by the Azure CDN. |
| management.azure.com | HTTPS:443 | Underlying Kubernetes Cluster management. |
| login.microsoftonline.com | HTTPS:443 | Microsoft Entra authentication. |
| packages.microsoft.com | HTTPS:443 | Microsoft packages repository. |
| acs-mirror.azureedge.net | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. |
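The two Azure Global tables above expressed as an Azure Firewall Policy rule collection group, as an added example that is not part of this article or of the Azure Spring Apps service: the network rules use the service-tag form of each row, and the application rules use the AzureKubernetesService FQDN tag the article names. The policy name, rule names and subnet CIDRs are assumptions.

```bicep
param policyName string = 'afwp-spring-apps' // assumed: an existing Azure Firewall Policy
param springSubnets array = ['10.1.0.0/24', '10.1.1.0/24'] // constructed: service runtime and apps subnets
// Service-tag form of each row in the Azure Global required network rules table
var networkRules = [
  { name: 'service-management', tag: 'AzureCloud', ports: ['443'] }
  { name: 'container-registry', tag: 'AzureContainerRegistry', ports: ['443'] }
  { name: 'azure-files', tag: 'Storage', ports: ['443', '445'] }
  { name: 'event-hubs', tag: 'EventHub', ports: ['443'] }
  { name: 'azure-monitor', tag: 'AzureMonitor', ports: ['443'] }
]
resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' existing = { name: policyName }
resource egress 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: policy
  name: 'spring-apps-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'spring-apps-network' // TCP to the service tags, only from the Spring Apps subnets
        priority: 100
        action: { type: 'Allow' }
        rules: [for r in networkRules: {
          ruleType: 'NetworkRule'
          name: r.name
          ipProtocols: ['TCP']
          sourceAddresses: springSubnets
          destinationAddresses: [r.tag]
          destinationPorts: r.ports
        }]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'spring-apps-application' // FQDN tag the article names for the application rules table
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'aks-fqdn-tag'
            sourceAddresses: springSubnets
            protocols: [{ protocolType: 'Https', port: 443 }]
            fqdnTags: ['AzureKubernetesService']
          }
        ]
      }
    ]
  }
}
```

Restricting sourceAddresses to the two Spring Apps subnets keeps the allow rules from widening egress for other workloads behind the same firewall.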

Microsoft Azure operated by 21Vianet required network rules

| Destination endpoint | Port | Use | Note |
| --- | --- | --- | --- |
| *:443 or ServiceTag - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management | For information about the service instance requiredTraffics, see the resource payload, under the networkProfile section. |
| *.azurecr.cn:443 or ServiceTag - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry | Can be replaced by enabling the Azure Container Registry service endpoint in the virtual network. |
| *.core.chinacloudapi.cn:443 and *.core.chinacloudapi.cn:445 or ServiceTag - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the Azure Storage service endpoint in the virtual network. |
| *.servicebus.chinacloudapi.cn:443 or ServiceTag - EventHub:443 | TCP:443 | Azure Event Hubs | Can be replaced by enabling the Azure Event Hubs service endpoint in the virtual network. |
| *.prod.microsoftmetrics.com:443 or ServiceTag - AzureMonitor:443 | TCP:443 | Azure Monitor | Allows outbound calls to Azure Monitor. |

Microsoft Azure operated by 21Vianet required FQDN / application rules

Azure Firewall provides the FQDN tag AzureKubernetesService to simplify the following configurations:

| Destination FQDN | Port | Use |
| --- | --- | --- |
| *.cx.prod.service.azk8s.cn | HTTPS:443 | Underlying Kubernetes Cluster management. |
| mcr.microsoft.com | HTTPS:443 | Microsoft Container Registry (MCR). |
| *.data.mcr.microsoft.com | HTTPS:443 | MCR storage backed by the Azure CDN. |
| management.chinacloudapi.cn | HTTPS:443 | Underlying Kubernetes Cluster management. |
| login.chinacloudapi.cn | HTTPS:443 | Microsoft Entra authentication. |
| packages.microsoft.com | HTTPS:443 | Microsoft packages repository. |
| *.azk8s.cn | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. |

Azure Spring Apps optional FQDN for third-party application performance management

| Destination FQDN | Port | Use |
| --- | --- | --- |
| collector*.newrelic.com | TCP:443/80 | Required networks for New Relic APM agents in the US region; see also APM Agents Networks. |
| collector*.eu01.nr-data.net | TCP:443/80 | Required networks for New Relic APM agents in the EU region; see also APM Agents Networks. |
| *.live.dynatrace.com | TCP:443 | Required network for Dynatrace APM agents. |
| *.live.ruxit.com | TCP:443 | Required network for Dynatrace APM agents. |
| *.saas.appdynamics.com | TCP:443/80 | Required network for AppDynamics APM agents; see also SaaS Domains and IP Ranges. |

Azure Spring Apps optional FQDN for Application Insights

You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or the Application Insights Agent to send data to the portal. For more information, see the Outgoing ports section of IP addresses used by Azure Monitor.

VirtualNetwork service tag

Azure network security groups can filter network traffic within an Azure virtual network. When you enable inbound network traffic using the VirtualNetwork service tag, it automatically includes all IP address ranges of the workload virtual network and any peered transit virtual networks.

For Azure Spring Apps running on Azure Kubernetes Service (AKS), the AKS infrastructure manages the IP address prefixes for workloads on all AKS node pools. These prefixes are implicitly included in the VirtualNetwork service tag. This design ensures that applications remain accessible within the virtual network, even if their IP addresses fall outside the defined IP range of the virtual network.

If you decide not to allow traffic using the VirtualNetwork service tag, you must configure specific rules to allow communication between the Azure Spring Apps service runtime subnet and the apps subnet. Furthermore, you need to explicitly allow traffic from the Azure Spring Apps reserved Classless Inter-Domain Routing (CIDR) range, which is used by the underlying AKS infrastructure. You can't add only part of the CIDR range to the allow list because the address prefix for workloads is dynamic.
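The explicit-rule alternative described above, as an added example that is not part of this article: a network security group for the apps subnet that, instead of a single rule with the VirtualNetwork service tag, allows the service runtime subnet, the apps subnet and the whole reserved CIDR range. The NSG name and subnet CIDRs are constructed, and the reserved range is a placeholder to be taken from your service instance.

```bicep
param location string = resourceGroup().location
param runtimeSubnetCidr string = '10.1.0.0/24' // constructed: service runtime subnet
param appsSubnetCidr string = '10.1.1.0/24'    // constructed: apps subnet
// Placeholder: the full reserved range of the service instance. A subset does not work,
// because the workload address prefix inside it is dynamic.
param reservedCidr string = '<AZURE-SPRING-APPS-RESERVED-CIDR>'

resource appsNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-spring-apps-apps' // assumed name
  location: location
  properties: {
    securityRules: [
      {
        // Explicit replacement for one rule with sourceAddressPrefix: 'VirtualNetwork'
        name: 'AllowSpringAppsInternal'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefixes: [runtimeSubnetCidr, appsSubnetCidr, reservedCidr]
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Peered transit virtual networks that the VirtualNetwork tag would have covered implicitly need their own prefixes added to sourceAddressPrefixes.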

Next steps