updated

cheng zhe · craigshoemaker · commit 988928d31b44 · 2026-04-01T14:11:03.000-06:00
diff --git a/articles/container-apps/firewall-integration.md b/articles/container-apps/firewall-integration.md
@@ -84,13 +84,13 @@ The following tables describe how to configure a collection of NSG allow rules.
 | UDP | Your container app's subnet | \* | `AzureCloud.<REGION>` | `1194` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
 | TCP | Your container app's subnet | \* | `AzureCloud.<REGION>` | `9000` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
 | TCP | Your container app's subnet | \* | `AzureCloud` | `443` | Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. | 
+| TCP | Your container app's subnet | \* | `EventHub.<Region>` | `5671`, `5672` | This is a dependency of the `EventHub` service tag. |
 | UDP | Your container app's subnet | \* | \* | `123` | NTP server. |
 | Any | Your container app's subnet | \* | Your container app's subnet | \* |  Allow communication between IPs in your container app's subnet. |
 | TCP and UDP | Your container app's subnet | \* | `168.63.129.16` | `53` | Enables the environment to use Azure DNS to resolve the hostname. <br><br>**Note**: DNS communication to Azure DNS isn't subject to NSGs unless targeted using the `AzurePlatformDNS` service tag. To block DNS traffic, create an outbound rule to deny traffic to the `AzurePlatformDNS` service tag.|
 | TCP | Your container app's subnet<sup>1</sup> | \* | Your Container Registry | Your container registry's port | This is required to communicate with your container registry. For example, when using ACR, you need `AzureContainerRegistry` and `AzureActiveDirectory` for the destination, and the port is your container registry's port unless using private endpoints.<sup>2</sup> |
 | TCP | Your container app's subnet | \* | `Storage.<Region>` | `443` | Only required when using `Azure Container Registry` to host your images. |
 | TCP | Your container app's subnet | \* | `AzureMonitor` | `443` | Only required when using Azure Monitor. Allows outbound calls to Azure Monitor. |
-| TCP | Your container app's subnet | \* | `EventHub.<Region>` | `5671`, `5672` | This is a dependency of the `EventHub` service tag. |
 
 ---
 
