This article explains how to integrate your Azure Container Apps environment with Azure Firewall by using user-defined routes (UDR). By using UDR, you can control how traffic is routed within your virtual network. You can route all outbound traffic from your container apps through Azure Firewall, which provides a central point for monitoring traffic and applying security policies. This setup helps protect your container apps from potential threats. It also helps you meet compliance requirements by providing detailed logs and monitoring capabilities.
User-defined routes (UDR)
User-defined routes (UDR) and controlled egress through NAT Gateway are supported only in a workload profiles environment.
Use UDR to restrict outbound traffic from your container app through Azure Firewall or other network appliances. For more information, see Control outbound traffic in Azure Container Apps with user-defined routes.
You configure UDR outside of the Container Apps environment scope.
Azure creates a default route table for your virtual networks when you create them. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. For example, you can create a UDR that restricts outbound traffic from your container app by routing it to Azure Firewall.
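As an added example (not from the article or the Azure Container Apps documentation), the following Azure CLI script creates the route table and default route described above and attaches it to the Container Apps infrastructure subnet. The resource group, virtual network, subnet, route table name, region and firewall private IP are assumed placeholder values; the script only prints the commands unless DRY_RUN=0 is set, so nothing in the subscription changes by accident.

```shell
#!/usr/bin/env sh
# Added example: route all egress from the Container Apps subnet through Azure
# Firewall with a user-defined route table. Every name below is an assumption.
set -eu

RG="${RG:-rg-aca-demo}"                      # assumed resource group
VNET="${VNET:-vnet-aca}"                     # assumed virtual network
SUBNET="${SUBNET:-snet-aca-infra}"           # assumed Container Apps infrastructure subnet
ROUTE_TABLE="${ROUTE_TABLE:-rt-aca-egress}"  # assumed route table name
LOCATION="${LOCATION:-eastus}"               # assumed region
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.1.4}"   # assumed private IP of the firewall
DRY_RUN="${DRY_RUN:-1}"                      # fail-safe: print commands unless DRY_RUN=0

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Minimal IPv4 check so a typo in the next hop is caught before anything is applied.
valid_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Create the route table and a single default route (0.0.0.0/0) whose next hop
# is the firewall, treated as a virtual appliance.
create_udr() {
  run az network route-table create --resource-group "$RG" --name "$ROUTE_TABLE" \
    --location "$LOCATION"
  run az network route-table route create --resource-group "$RG" \
    --route-table-name "$ROUTE_TABLE" --name default-to-firewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$FW_PRIVATE_IP"
}

# Associate the route table with the subnet; from then on every outbound packet
# from the subnet is handed to the firewall first.
associate_udr() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --route-table "$ROUTE_TABLE"
}

main() {
  valid_ipv4 "$FW_PRIVATE_IP" || {
    echo "FW_PRIVATE_IP '$FW_PRIVATE_IP' is not a valid IPv4 address" >&2
    return 1
  }
  create_udr
  associate_udr
}

main
```

Run it once as-is to review the generated commands, then run it again with DRY_RUN=0 to apply them. Because the route table is configured outside the Container Apps environment, the firewall's rules must be in place before the association, otherwise the environment loses access to Microsoft Container Registry and cannot pull images.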
When you use UDR with Azure Firewall in Azure Container Apps, add the following application or network rules to the allow list for your firewall, depending on which resources you're using.
Note
You only need to configure either application rules or network rules, depending on your system's requirements. Configuring both at the same time isn't necessary.
Application rules
Application rules allow or deny traffic based on the application layer. The following outbound firewall application rules are required based on the scenario.
| Scenarios | FQDNs | Description |
|---|---|---|
| All scenarios | mcr.microsoft.com, *.data.mcr.microsoft.com | These FQDNs for Microsoft Container Registry (MCR) are used by Azure Container Apps. Either these application rules or the network rules for MCR must be added to the allowlist when using Azure Container Apps with Azure Firewall. |
| All scenarios | packages.aks.azure.com, acs-mirror.azureedge.net | These FQDNs are required by the underlying AKS cluster to download and install Kubernetes and Azure CNI binaries. Either these application rules or the network rules for MCR must be added to the allowlist when using Azure Container Apps with Azure Firewall. For more information, see the Azure Global required FQDN / application rules. |
| Azure Container Registry (ACR) | Your-ACR-address, *.blob.core.windows.net, login.microsoft.com | These FQDNs are required when using Azure Container Apps with ACR and Azure Firewall. |
| Azure Key Vault | Your-Azure-Key-Vault-address, login.microsoft.com | These FQDNs are required in addition to the service tag required for the network rule for Azure Key Vault. |
| Managed Identity | *.identity.azure.net, login.microsoftonline.com, *.login.microsoftonline.com, *.login.microsoft.com | These FQDNs are required when using managed identity with Azure Firewall in Azure Container Apps. |
| Docker Hub Registry | hub.docker.com, registry-1.docker.io, production.cloudflare.docker.com | If you're using Docker Hub registry and want to access it through the firewall, add these FQDNs to the firewall. |
Network rules
Network rules allow or deny traffic based on the network and transport layer. When you use UDR with Azure Firewall in Azure Container Apps, add the following outbound firewall network rules based on the scenario.
| Scenarios | Service Tag | Description |
|---|---|---|
| All scenarios | MicrosoftContainerRegistry, AzureFrontDoorFirstParty | Azure Container Apps uses these service tags for Microsoft Container Registry (MCR). To allow Azure Container Apps to use MCR, add either these network rules or the application rules for MCR to the allowlist when using Azure Container Apps with Azure Firewall. |
| Azure Container Registry (ACR) | AzureContainerRegistry, AzureActiveDirectory | When you use ACR with Azure Container Apps, configure these network rules used by Azure Container Registry. |
| Azure Key Vault | AzureKeyVault, AzureActiveDirectory | These service tags are required in addition to the FQDNs in the application rule for Azure Key Vault. |
| Managed Identity | AzureActiveDirectory | When you use Managed Identity with Azure Container Apps, configure these network rules used by Managed Identity. |
| Azure Service Bus | ServiceBus | Required when your container apps access Azure Service Bus through Azure Firewall using service tags. |
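The following Azure CLI script is an added example (not from the article or the Azure Container Apps documentation) that turns both tables above into outbound allow rules on a classic-rules Azure Firewall, which assumes the azure-firewall CLI extension is installed. RULE_MODE selects either FQDN application rules or service tag network rules, since the article says only one set is needed; Key Vault is handled as the one scenario that requires both. The resource group, firewall name, subnet CIDR, ACR and Key Vault addresses are assumed placeholders, and the script refuses to run without the mandatory MCR rules. As with the UDR script, commands are printed unless DRY_RUN=0 is set.

```shell
#!/usr/bin/env sh
# Added example: create the outbound Azure Firewall allow rules for Container
# Apps egress through UDR. All names and addresses below are assumptions.
set -eu
set -f   # FQDN lists contain wildcards such as *.blob.core.windows.net; never glob them

RG="${RG:-rg-aca-demo}"                           # assumed resource group
FW="${FW:-fw-hub}"                                # assumed firewall (classic rules, not a policy)
ACA_SUBNET_CIDR="${ACA_SUBNET_CIDR:-10.0.0.0/23}" # assumed Container Apps infrastructure subnet
RULE_MODE="${RULE_MODE:-application}"             # application (FQDNs) or network (service tags)
SCENARIOS="${SCENARIOS:-base acr keyvault identity}"
ACR_FQDN="${ACR_FQDN:-myregistry.azurecr.io}"     # placeholder for Your-ACR-address
KV_FQDN="${KV_FQDN:-mykeyvault.vault.azure.net}"  # placeholder for Your-Azure-Key-Vault-address
DRY_RUN="${DRY_RUN:-1}"                           # fail-safe: print commands unless DRY_RUN=0

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# FQDNs per scenario, taken from the application rules table.
fqdns_for() {
  case "$1" in
    base)      echo "mcr.microsoft.com *.data.mcr.microsoft.com packages.aks.azure.com acs-mirror.azureedge.net" ;;
    acr)       echo "$ACR_FQDN *.blob.core.windows.net login.microsoft.com" ;;
    keyvault)  echo "$KV_FQDN login.microsoft.com" ;;
    identity)  echo "*.identity.azure.net login.microsoftonline.com *.login.microsoftonline.com *.login.microsoft.com" ;;
    dockerhub) echo "hub.docker.com registry-1.docker.io production.cloudflare.docker.com" ;;
    *) echo "no application rule for scenario '$1'" >&2; return 1 ;;
  esac
}

# Service tags per scenario, taken from the network rules table.
tags_for() {
  case "$1" in
    base)       echo "MicrosoftContainerRegistry AzureFrontDoorFirstParty" ;;
    acr)        echo "AzureContainerRegistry AzureActiveDirectory" ;;
    keyvault)   echo "AzureKeyVault AzureActiveDirectory" ;;
    identity)   echo "AzureActiveDirectory" ;;
    servicebus) echo "ServiceBus" ;;
    *) echo "no network rule for scenario '$1'" >&2; return 1 ;;
  esac
}

# MCR access is required in every scenario, so 'base' must always be present.
validate_scenarios() {
  case " $1 " in
    *" base "*) return 0 ;;
    *) echo "SCENARIOS must include 'base' (MCR rules are required)" >&2; return 1 ;;
  esac
}

# One application rule collection per scenario; HTTPS only, sourced from the subnet.
app_rule() {
  fqdns=$(fqdns_for "$1") || return 1
  run az network firewall application-rule create --resource-group "$RG" --firewall-name "$FW" \
    --collection-name "aca-app-$1" --name "allow-$1" --priority "$2" --action Allow \
    --protocols Https=443 --source-addresses "$ACA_SUBNET_CIDR" --target-fqdns $fqdns
}

# One network rule collection per scenario; TCP/443 to the service tags.
net_rule() {
  tags=$(tags_for "$1") || return 1
  run az network firewall network-rule create --resource-group "$RG" --firewall-name "$FW" \
    --collection-name "aca-net-$1" --name "allow-$1" --priority "$2" --action Allow \
    --protocols TCP --destination-ports 443 --source-addresses "$ACA_SUBNET_CIDR" \
    --destination-addresses $tags
}

create_rules() {
  validate_scenarios "$SCENARIOS"
  prio=100
  for s in $SCENARIOS; do
    prio=$((prio + 10))
    case "$RULE_MODE" in
      application) app_rule "$s" "$prio" ;;
      network)     net_rule "$s" "$prio" ;;
      *) echo "RULE_MODE must be 'application' or 'network'" >&2; return 1 ;;
    esac
    # Key Vault needs both the FQDN application rule and the service tag network rule.
    if [ "$s" = keyvault ]; then
      prio=$((prio + 10))
      case "$RULE_MODE" in
        application) net_rule "$s" "$prio" ;;
        network)     app_rule "$s" "$prio" ;;
      esac
    fi
  done
}

create_rules
```

Scenarios that exist in only one table (Docker Hub has no service tag, Service Bus has no FQDN row) fail with an explicit message rather than producing an empty rule, so choose RULE_MODE to match what you need. Collection priorities are spaced ten apart so additional collections can be slotted in later.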
Note
For Azure resources you use with Azure Firewall that aren't listed in this article, see the service tags documentation.