Control outbound traffic with user defined routes
Note
This feature is only supported for the workload profiles environment type.
This article shows you how to use user defined routes (UDR) with Azure Firewall to lock down outbound traffic from your Container Apps to back-end Azure resources or other network resources.
Azure creates a default route table for your virtual networks on create. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. In this guide, your setup UDR on the Container Apps virtual network to restrict outbound traffic with Azure Firewall.
You can also use a NAT gateway or any other third party appliances instead of Azure Firewall.
See the configuring UDR with Azure Firewall in networking in Azure Container Apps for more information.
Prerequisites
Workload profiles environment: A workload profiles environment that's integrated with a custom virtual network. For more information, see the guide for how to create a container app environment on the workload profiles environment.
curl
support: Your container app must have a container that supportscurl
commands. In this how-to, you usecurl
to verify the container app is deployed correctly. If you don't have a container app withcurl
deployed, you can deploy the following container which supportscurl
,mcr.microsoft.com/k8se/quickstart:latest
.
Create the firewall subnet
A subnet called AzureFirewallSubnet is required in order to deploy a firewall into the integrated virtual network.
Open the virtual network that's integrated with your app in the Azure portal.
From the menu on the left, select Subnets, then select + Subnet.
Enter the following values:
Setting Action Name Enter AzureFirewallSubnet. Subnet address range Use the default or specify a subnet range /26 or larger. Select Save
Deploy the firewall
On the Azure portal menu or the Home page, select Create a resource.
Search for Firewall.
Select Firewall.
Select Create.
On the Create a Firewall page, configure the firewall with the following settings.
Setting Action Resource group Enter the same resource group as the integrated virtual network. Name Enter a name of your choice Region Select the same region as the integrated virtual network. Firewall policy Create one by selecting Add new. Virtual network Select the integrated virtual network. Public IP address Select an existing address or create one by selecting Add new. Select Review + create. After validation finishes, select Create. The validation step might take a few minutes to complete.
Once the deployment completes, select Go to Resource.
In the firewall's Overview page, copy the Firewall private IP. This IP address is used as the next hop address when creating the routing rule for the virtual network.
Route all traffic to the firewall
Your virtual networks in Azure have default route tables in place when you create the network. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. In the following steps, you create a UDR to route all traffic to your Azure Firewall.
On the Azure portal menu or the Home page, select Create a resource.
Search for Route tables.
Select Route Tables.
Select Create.
Enter the following values:
Setting Action Region Select the region as your virtual network. Name Enter a name. Propagate gateway routes Select No Select Review + create. After validation finishes, select Create.
Once the deployment completes, select Go to Resource.
From the menu on the left, select Routes, then select Add to create a new route table
Configure the route table with the following settings:
Setting Action Address prefix Enter 0.0.0.0/0 Next hop type Select Virtual appliance Next hop address Enter the Firewall Private IP you saved in Deploy the firewall. Select Add to create the route.
From the menu on the left, select Subnets, then select Associate to associate your route table with the container app's subnet.
Configure the Associate subnet with the following values:
Setting Action Virtual network Select the virtual network for your container app. Subnet Select the subnet your for container app. Select OK.
Configure firewall policies
Note
When using UDR with Azure Firewall in Azure Container Apps, you will need to add certain FQDN's and service tags to the allowlist for the firewall. Please refer to configuring UDR with Azure Firewall to determine which service tags you need.
Now, all outbound traffic from your container app is routed to the firewall. Currently, the firewall still allows all outbound traffic through. In order to manage what outbound traffic is allowed or denied, you need to configure firewall policies.
In your Azure Firewall resource on the Overview page, select Firewall policy
From the menu on the left of the firewall policy page, select Application Rules.
Select Add a rule collection.
Enter the following values for the Rule Collection:
Setting Action Name Enter a collection name Rule collection type Select Application Priority Enter the priority such as 110 Rule collection action Select Allow Rule collection group Select DefaultApplicationRuleCollectionGroup Under Rules, enter the following values
Setting Action Name Enter a name for the rule Source type Select IP Address Source Enter * Protocol Enter http:80,https:443 Destination Type Select FQDN. Destination Enter mcr.microsoft.com
,*.data.mcr.microsoft.com
. If you're using ACR, add your ACR address and*.blob.core.chinacloudapi.cn
.Action Select Allow Note
If you are using Docker Hub registry and want to access it through your firewall, you will need to add the following FQDNs to your rules destination list: hub.docker.com, registry-1.docker.io, and production.cloudflare.docker.com.
Select Add.
Verify your firewall is blocking outbound traffic
To verify your firewall configuration is set up correctly, you can use the curl
command from your app's debugging console.
Navigate to your Container App that is configured with Azure Firewall.
From the menu on the left, select Console, then select your container that supports the
curl
command.In the Choose start up command menu, select /bin/sh, and select Connect.
In the console, run
curl -s https://mcr.microsoft.com
. You should see a successful response as you addedmcr.microsoft.com
to the allowlist for your firewall policies.Run
curl -s https://<FQDN_ADDRESS>
for a URL that doesn't match any of your destination rules such asexample.com
. The example command would becurl -s https://example.com
. You should get no response, which indicates that your firewall has blocked the request.