Customer responsibilities for running Azure Spring Apps in VNET
Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.
This article applies to: ✔️ Basic/Standard tier ✔️ Enterprise tier
This article includes specifications for the use of Azure Spring Apps in a virtual network.
When Azure Spring Apps is deployed in your virtual network, it has outbound dependencies on services outside of the virtual network. For management and operational purposes, Azure Spring Apps must access certain ports and fully qualified domain names (FQDNs). Azure Spring Apps requires these endpoints to communicate with the management plane and to download and install core Kubernetes cluster components and security updates.
By default, Azure Spring Apps has unrestricted outbound (egress) internet access. This level of network access allows applications you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible for maintenance tasks. The simplest solution to secure outbound addresses is use of a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.
Azure Spring Apps resource requirements
The following list shows the resource requirements for Azure Spring Apps services. As a general requirement, you shouldn't modify resource groups created by Azure Spring Apps and the underlying network resources.
- Don't modify resource groups created and owned by Azure Spring Apps.
- By default, these resource groups are named as
- Don't block Azure Spring Apps from updating resources in these resource groups.
- By default, these resource groups are named as
- Don't modify subnets used by Azure Spring Apps.
- Don't create more than one Azure Spring Apps service instance in the same subnet.
- When using a firewall to control traffic, don't block the following egress traffic to Azure Spring Apps components that operate, maintain, and support the service instance.
Azure Spring Apps network requirements
|*:1194 or ServiceTag - AzureCloud:1194||UDP:1194||Underlying Kubernetes Cluster management.|
|*:443 or ServiceTag - AzureCloud:443||TCP:443||Azure Spring Apps Service Management.||Information of service instance "requiredTraffics" could be known in resource payload, under "networkProfile" section.|
|*:123 or ntp.ubuntu.com:123||UDP:123||NTP time synchronization on Linux nodes.|
|*.azurecr.io:443 or ServiceTag - AzureContainerRegistry:443||TCP:443||Azure Container Registry.||Can be replaced by enabling Azure Container Registry service endpoint in virtual network.|
|*.core.windows.net:443 and *.core.windows.net:445 or ServiceTag - Storage:443 and Storage:445||TCP:443, TCP:445||Azure Files||Can be replaced by enabling Azure Storage service endpoint in virtual network.|
|*.servicebus.windows.net:443 or ServiceTag - EventHub:443||TCP:443||Azure Event Hubs.||Can be replaced by enabling Azure Event Hubs service endpoint in virtual network.|
Azure Spring Apps FQDN requirements/application rules
Azure Firewall provides the FQDN tag AzureKubernetesService to simplify the following configurations:
|*.azmk8s.io||HTTPS:443||Underlying Kubernetes Cluster management.|
|mcr.microsoft.com||HTTPS:443||Microsoft Container Registry (MCR).|
|*.cdn.mscr.io||HTTPS:443||MCR storage backed by the Azure CDN.|
|*.data.mcr.microsoft.com||HTTPS:443||MCR storage backed by the Azure CDN.|
|management.azure.com||HTTPS:443||Underlying Kubernetes Cluster management.|
|*login.microsoftonline.com||HTTPS:443||Azure Active Directory authentication.|
|*login.microsoft.com||HTTPS:443||Azure Active Directory authentication.|
|packages.microsoft.com||HTTPS:443||Microsoft packages repository.|
|acs-mirror.azureedge.net||HTTPS:443||Repository required to install required binaries like kubenet and Azure CNI.|
|mscrl.microsoft.com1||HTTPS:80||Required Microsoft Certificate Chain Paths.|
|crl.microsoft.com1||HTTPS:80||Required Microsoft Certificate Chain Paths.|
|crl3.digicert.com1||HTTPS:80||Third-Party TLS/SSL Certificate Chain Paths.|
1 Please note that these FQDNs aren't included in the FQDN tag.
Azure Spring Apps optional FQDN for third-party application performance management
|collector*.newrelic.com||TCP:443/80||Required networks of New Relic APM agents from US region, also see APM Agents Networks.|
|collector*.eu01.nr-data.net||TCP:443/80||Required networks of New Relic APM agents from EU region, also see APM Agents Networks.|
|*.live.dynatrace.com||TCP:443||Required network of Dynatrace APM agents.|
|*.live.ruxit.com||TCP:443||Required network of Dynatrace APM agents.|
|*.saas.appdynamics.com||TCP:443/80||Required network of AppDynamics APM agents, also see SaaS Domains and IP Ranges.|
Submit and view feedback for