Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network
Note
The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.
The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.
This article applies to: ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise
This article describes the customer responsibilities for running an Azure Spring Apps Standard consumption and dedicated plan service instance in a virtual network.
Use Network Security Groups (NSGs) to configure virtual networks to conform to the settings required by Kubernetes.
To control all inbound and outbound traffic for the Azure Container Apps environment, you can use NSGs to lock down a network with more restrictive rules than the default NSG rules.
NSG allow rules
The following tables describe how to configure a collection of NSG allow rules.
Note
The subnet associated with an Azure Container Apps environment requires a CIDR prefix of /23 or larger.
Outbound with ServiceTags
Protocol | Port | ServiceTag | Description |
---|---|---|---|
UDP | 1194 | AzureCloud.<region> | Required for internal Azure Kubernetes Service (AKS) secure connection between underlying nodes and the control plane. Replace <region> with the region where your container app is deployed. |
TCP | 9000 | AzureCloud.<region> | Required for internal AKS secure connection between underlying nodes and the control plane. Replace <region> with the region where your container app is deployed. |
TCP | 443 | AzureMonitor | Allows outbound calls to Azure Monitor. |
TCP | 443 | Azure Container Registry | Enables the Azure Container Registry as described in Virtual network service endpoints. |
TCP | 443 | MicrosoftContainerRegistry | The service tag for container registry for Microsoft containers. |
TCP | 443 | AzureFrontDoor.FirstParty | A dependency of the MicrosoftContainerRegistry service tag. |
TCP | 443, 445 | Azure Files | Enables Azure Storage as described in Virtual network service endpoints. |
Outbound with wild card IP rules
Protocol | Port | IP | Description |
---|---|---|---|
TCP | 443 | * | Set all outbound traffic on port 443 to allow all fully qualified domain name (FQDN) based outbound dependencies that don't have a static IP. |
UDP | 123 | * | NTP server. |
TCP | 5671 | * | Container Apps control plane. |
TCP | 5672 | * | Container Apps control plane. |
Any | * | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment, for example 10.0.0.0/21. |
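As an added example (not code from the original article or from the Azure documentation), the following script creates the outbound allow rules from the two tables above with the Azure CLI. RG, NSG, REGION and INFRA_SUBNET are placeholder values, and the script assumes that the AzureContainerRegistry and Storage service tags are the ones behind the table's Azure Container Registry and Azure Files rows.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Azure docs:
# creates the outbound NSG allow rules from the ServiceTag and wildcard IP
# tables above with the Azure CLI. RG, NSG, REGION and INFRA_SUBNET are
# placeholders for your values; "AzureContainerRegistry" and "Storage" are
# assumed to be the service tags behind the table's "Azure Container Registry"
# and "Azure Files" rows.
RG="${RG:-my-rg}"; NSG="${NSG:-aca-env-nsg}"; REGION="${REGION:-eastus}"
INFRA_SUBNET="${INFRA_SUBNET:-10.0.0.0/21}"   # the environment's infrastructure subnet
DRY_RUN="${DRY_RUN:-}"                        # DRY_RUN=1 prints the commands instead

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# add_rule NAME PRIORITY PROTOCOL "PORTS" DESTINATION
# All rules are Outbound/Allow. Priorities 100-299 sit well above the default
# 65000+ rules, which the Considerations section says not to undercut with denies.
add_rule() {
  # $4 is deliberately unquoted so "443 445" expands to two port ranges.
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" --direction Outbound --access Allow \
    --protocol "$3" --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes "$5" --destination-port-ranges $4
}

apply_servicetag_rules() {
  add_rule allow-aks-udp-1194   100 Udp 1194      "AzureCloud.$REGION"
  add_rule allow-aks-tcp-9000   110 Tcp 9000      "AzureCloud.$REGION"
  add_rule allow-azure-monitor  120 Tcp 443       AzureMonitor
  add_rule allow-acr            130 Tcp 443       AzureContainerRegistry
  add_rule allow-mcr            140 Tcp 443       MicrosoftContainerRegistry
  add_rule allow-afd-firstparty 150 Tcp 443       AzureFrontDoor.FirstParty
  add_rule allow-azure-files    160 Tcp "443 445" Storage
}

apply_wildcard_rules() {
  add_rule allow-https-any      200 Tcp 443  '*'
  add_rule allow-ntp            210 Udp 123  '*'
  add_rule allow-aca-cp-5671    220 Tcp 5671 '*'
  add_rule allow-aca-cp-5672    230 Tcp 5672 '*'
  add_rule allow-infra-subnet   240 '*' '*'  "$INFRA_SUBNET"
}

# Entry point: preview with DRY_RUN=1, apply when the Azure CLI is available.
if [ -n "$DRY_RUN" ] || command -v az >/dev/null 2>&1; then
  apply_servicetag_rules && apply_wildcard_rules
else
  echo "az CLI not found; set DRY_RUN=1 to preview the commands" >&2
fi
```

Run it once with DRY_RUN=1 to review the generated commands before applying them. The FQDN rules in the tables that follow cannot be expressed in an NSG and need a firewall or proxy that filters on host names.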
Outbound with FQDN requirements/application rules
Protocol | Port | FQDN | Description |
---|---|---|---|
TCP | 443 | mcr.microsoft.com | Microsoft Container Registry (MCR). |
TCP | 443 | *.cdn.mscr.io | MCR storage backed by the Azure Content Delivery Network (CDN). |
TCP | 443 | *.data.mcr.microsoft.com | MCR storage backed by the Azure CDN. |
Outbound with FQDN for third-party application performance management (optional)
Protocol | Port | FQDN | Description |
---|---|---|---|
TCP | 443/80 | collector*.newrelic.com | The required networks of New Relic application and performance monitoring (APM) agents from the US region. See APM Agents Networks. |
TCP | 443/80 | collector*.eu01.nr-data.net | The required networks of New Relic APM agents from the EU region. See APM Agents Networks. |
TCP | 443 | *.live.dynatrace.com | The required network of Dynatrace APM agents. |
TCP | 443 | *.live.ruxit.com | The required network of Dynatrace APM agents. |
TCP | 443/80 | *.saas.appdynamics.com | The required network of AppDynamics APM agents. See SaaS Domains and IP Ranges. |
Considerations
- If you're running HTTP servers, you might need to add ports 80 and 443.
- Adding deny rules for some ports and protocols with lower priority than 65000 may cause service interruption and unexpected behavior.