Merge pull request #255944 from cachai2/NsgFix

Jill Grant · web-flow · commit 2afcccf9a944 · 2023-10-26T21:56:08.000-06:00
Nsg fix
diff --git a/articles/container-apps/TOC.yml b/articles/container-apps/TOC.yml
@@ -251,7 +251,7 @@
           href: waf-app-gateway.md
         - name: Enable User Defined Routes (UDR)
           href: user-defined-routes.md
-        - name: Securing a custom VNET
+        - name: Securing a custom VNET with an NSG
           href: firewall-integration.md
     - name: Network proxying
       href: network-proxy.md
diff --git a/articles/container-apps/firewall-integration.md b/articles/container-apps/firewall-integration.md
@@ -16,57 +16,75 @@ Network Security Groups (NSGs) needed to configure virtual networks closely rese
 
 You can lock down a network via NSGs with more restrictive rules than the default NSG rules to control all inbound and outbound traffic for the Container Apps environment at the subscription level.
 
-In the workload profiles environment, user-defined routes (UDRs) and securing outbound traffic with a firewall are supported. When using an external workload profiles environment, inbound traffic to Container Apps that use external ingress routes through the public IP that exists in the [managed resource group](./networking.md#workload-profiles-environment-1) rather than through your subnet. This means that locking down inbound traffic via NSG or Firewall on an external workload profiles environment is not supported. For more information, see [Networking in Azure Container Apps environments](./networking.md#user-defined-routes-udr).
+In the workload profiles environment, user-defined routes (UDRs) and [securing outbound traffic with a firewall](./networking.md#configuring-udr-with-azure-firewall) are supported. When using an external workload profiles environment, inbound traffic to Azure Container Apps is routed through the public IP that exists in the [managed resource group](./networking.md#workload-profiles-environment-1) rather than through your subnet. This means that locking down inbound traffic via NSG or Firewall on an external workload profiles environment isn't supported. For more information, see [Networking in Azure Container Apps environments](./networking.md#user-defined-routes-udr).
 
 In the Consumption only environment, custom user-defined routes (UDRs) and ExpressRoutes aren't supported.
 
 ## NSG allow rules
 
-The following tables describe how to configure a collection of NSG allow rules.
->[!NOTE]
-> The subnet associated with a Container App Environment on the Consumption only environment requires a CIDR prefix of `/23` or larger. On the workload profiles environment (preview), a `/27` or larger is required.
+The following tables describe how to configure a collection of NSG allow rules. The specific rules required depend on your [environment type](./environment.md#types).
 
 ### Inbound
 
-| Protocol | Port | ServiceTag | Description |
-|--|--|--|--|
-| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`. |
-| Any | \* | AzureLoadBalancer | Allow the Azure infrastructure load balancer to communicate with your environment. |
+# [Workload profiles environment](#tab/workload-profiles-env)
 
-### Outbound with service tags
+>[!Note]
+> When using workload profiles, inbound NSG rules only apply for traffic going through your virtual network. If your container apps are set to accept traffic from the public internet, incoming traffic will go through the public endpoint instead of the virtual network.
 
-The following service tags are required when using NSGs on the Consumption only environment:
+| Protocol | Source | Source Ports | Destination | Destination Ports | Description |
+|--|--|--|--|--|--|
+| TCP | Your Client IPs | \* | Your container app's subnet<sup>1</sup> | `443`, `30,000-32,676`<sup>2</sup> | Allow your Client IPs to access Azure Container Apps. |
+| TCP | AzureLoadBalancer | \* | Your container app's subnet | `30,000-32,676`<sup>2</sup> | Allow Azure Load Balancer to probe backend pools. | 
 
-| Protocol | Port | ServiceTag | Description
-|--|--|--|--|
-| UDP | `1194` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
-| TCP | `9000` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
-| TCP | `443` | `AzureMonitor` | Allows outbound calls to Azure Monitor. |
+# [Consumption only environment](#tab/consumption-only-env)
 
-The following service tags are required when using NSGs on the workload profiles environment:
+| Protocol | Source | Source Ports | Destination | Destination Ports | Description |
+|--|--|--|--|--|--|
+| TCP | Your Client IPs | \* | Your container app's subnet<sup>1</sup> | `443` | Allow your Client IPs to access Azure Container Apps.  |
+| TCP | AzureLoadBalancer | \* | Your container app's subnet | `30,000-32,676`<sup>2</sup> | Allow Azure Load Balancer to probe backend pools. | 
+
+---
+
+<sup>1</sup> This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`.   
+<sup>2</sup> The full range is required when creating your Azure Container Apps as a port within the range will by dynamically allocated. Once created, the required ports are 2 immutable, static values, and you can update your NSG rules.
 
->[!Note]
-> If you are using Azure Container Registry (ACR) with NSGs configured on your virtual network, create a private endpoint on your ACR to allow Container Apps to pull images through the virtual network.
 
-| Protocol | Port | Service Tag | Description
-|--|--|--|--|
-| TCP | `443` | `MicrosoftContainerRegistry` | This is the service tag for container registry for microsoft containers. |
-| TCP | `443` | `AzureFrontDoor.FirstParty` | This is a dependency of the `MicrosoftContainerRegistry` service tag. |
+### Outbound 
 
-### Outbound with wild card IP rules
+# [Workload profiles environment](#tab/workload-profiles-env)
+
+| Protocol | Source | Source Ports | Destination | Destination Ports | Description |
+|--|--|--|--|--|--|
+| TCP | Your container app's subnet<sup>1</sup> | \* | Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port will be your container registry's port unless using private endpoints.<sup>2</sup> |
+| TCP | Your container app's subnet | \* | `AzureMonitor` | `443` | Allows outbound calls to Azure Monitor. |
+| TCP | Your container app's subnet | \* | `MicrosoftContainerRegistry` | `443` | This is the service tag for Microsoft container registry for system containers. |
+| TCP | Your container app's subnet | \* | `AzureFrontDoor.FirstParty` | `443` | This is a dependency of the `MicrosoftContainerRegistry` service tag. |
+| UDP | Your container app's subnet | \* | \* | `123` | NTP server. |
+| Any | Your container app's subnet | \* | Your container app's subnet | \* |  Allow communication between IPs in your container app's subnet.  |
+| TCP | Your container app's subnet | \* | `AzureActiveDirectory` | `443` | If you're using managed identity, this is required. | 
+
+# [Consumption only environment](#tab/consumption-only-env)
+
+| Protocol | Source | Source Ports | Destination | Destination Ports | Description |
+|--|--|--|--|--|--|
+| TCP | Your container app's subnet<sup>1</sup> | \* | Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port will be your container registry's port unless using private endpoints.<sup>2</sup> |
+| UDP | Your container app's subnet | \* | `AzureCloud.<REGION>` | `1194` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
+| TCP | Your container app's subnet | \* | `AzureCloud.<REGION>` | `9000` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
+| TCP | Your container app's subnet | \* | `AzureMonitor` | `443` | Allows outbound calls to Azure Monitor. |
+| TCP | Your container app's subnet | \* | `AzureCloud` | `443` | Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. | 
+| UDP | Your container app's subnet | \* | \* | `123` | NTP server. |
+| TCP | Your container app's subnet | \* | \* | `5671` | Container Apps control plane. |
+| TCP | Your container app's subnet | \* | \* | `5672` | Container Apps control plane. |
+| Any | Your container app's subnet | \* | Your container app's subnet | \* |  Allow communication between IPs in your container app's subnet. |
+
+---
 
-The following IP rules are required when using NSGs on both the Consumption only environment and the workload profiles environment:
+<sup>1</sup> This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`.  
+<sup>2</sup> If you're using Azure Container Registry (ACR) with NSGs configured on your virtual network, create a private endpoint on your ACR to allow Azure Container Apps to pull images through the virtual network. You don't need to add an NSG rule for ACR when configured with private endpoints.
 
-| Protocol | Port | IP | Description |
-|--|--|--|--|
-| TCP | `443` | \* | Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |
-| UDP | `123` | \* | NTP server. |
-| TCP | `5671` | \* | Container Apps control plane. |
-| TCP | `5672` | \* | Container Apps control plane. |
-| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`. |
 
 #### Considerations
 
 - If you're running HTTP servers, you might need to add ports `80` and `443`.
-- Adding deny rules for some ports and protocols with lower priority than `65000` may cause service interruption and unexpected behavior.
+- Adding deny rules for some ports and protocols with lower priority than `65000` might cause service interruption and unexpected behavior.
 - Don't explicitly deny the Azure DNS address `168.63.128.16` in the outgoing NSG rules, or your Container Apps environment won't be able to function.
diff --git a/articles/container-apps/user-defined-routes.md b/articles/container-apps/user-defined-routes.md
@@ -20,7 +20,7 @@ Azure creates a default route table for your virtual networks on create. By impl
 
 You can also use a NAT gateway or any other third party appliances instead of Azure Firewall.
 
-For more information on networking concepts in Container Apps, see [Networking Environment in Azure Container Apps](./networking.md).
+See the [configuring UDR with Azure Firewall](./networking.md#configuring-udr-with-azure-firewall) in [networking in Azure Container Apps](./networking.md) for more information.
 
 ## Prerequisites
 
@@ -66,7 +66,7 @@ A subnet called **AzureFirewallSubnet** is required in order to deploy a firewal
     | **Virtual network** | Select the integrated virtual network. |
     | **Public IP address** | Select an existing address or create one by selecting **Add new**. |
 
-1. Select **Review + create**. After validation finishes, select **Create**. The validation step may take a few minutes to complete.
+1. Select **Review + create**. After validation finishes, select **Create**. The validation step might take a few minutes to complete.
 
 1. Once the deployment completes, select **Go to Resource**.
 
