
Disable external ingress

Security · Container App · Rule · 2023_03 · Important

Limit inbound communication for Container Apps to callers within the Container Apps Environment.

Description

Inbound access to a Container App is configured by enabling ingress. Container Apps can be configured to allow external ingress or not. External ingress permits communication outside the Container App environment from a private VNET or the Internet. To restrict communication to a private VNET your Container App Environment must be:

  • Configured with a custom VNET.
  • Configured with an internal load balancer.

Applications that do batch processing or consume events may not require ingress to be enabled. If communication outside your Container Apps Environment is not required, disable external ingress.

Recommendation

Consider disabling external ingress.

Examples

Configure with Azure template

To deploy Container Apps that pass this rule:

  • Set properties.configuration.ingress.external to false.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2024-03-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
    "template": {
      "revisionSuffix": "[parameters('revision')]",
      "containers": "[variables('containers')]",
      "scale": {
        "minReplicas": 2
      }
    },
    "configuration": {
      "ingress": {
        "allowInsecure": false,
        "external": false,
        "ipSecurityRestrictions": "[variables('ipSecurityRestrictions')]",
        "stickySessions": {
          "affinity": "none"
        }
      }
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
  ]
}
```
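As an added example (not part of the PSRule for Azure documentation or its rule implementation), the following Python check applies the same condition to an ARM template before deployment: it flags any Microsoft.App/containerApps resource whose properties.configuration.ingress.external is true, and treats a missing ingress block as ingress disabled. The template it scans is constructed inline; template expressions such as "[variables('...')]" are not evaluated.

```python
import json

# Constructed sample ARM template (not from the page): one app with external
# ingress, one internal-only app, one batch job with no ingress, and a
# non-Container App resource that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.App/containerApps", "name": "public-api",
         "properties": {"configuration": {"ingress": {"external": True, "targetPort": 8080}}}},
        {"type": "Microsoft.App/containerApps", "name": "internal-worker",
         "properties": {"configuration": {"ingress": {"external": False, "targetPort": 8080}}}},
        {"type": "Microsoft.App/containerApps", "name": "batch-job",
         "properties": {"configuration": {}}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "logs"},
    ]
})


def external_ingress_enabled(resource: dict) -> bool:
    """True when a Container App resource exposes ingress outside its environment.

    No ingress block means ingress is not enabled, so the app passes.  An
    ingress block without an explicit "external" key is treated as internal
    (external: false), the same value the page's examples set explicitly.
    """
    ingress = resource.get("properties", {}).get("configuration", {}).get("ingress")
    if not ingress:
        return False
    return bool(ingress.get("external", False))


def find_external_ingress(template_json: str) -> list:
    """Return the names of Container Apps in an ARM template that fail the rule."""
    template = json.loads(template_json)
    failing = []
    for res in template.get("resources", []):
        # Resource type comparison is case-insensitive, as ARM treats it.
        if res.get("type", "").lower() != "microsoft.app/containerapps":
            continue
        if external_ingress_enabled(res):
            failing.append(res.get("name", "<unnamed>"))
    return failing


if __name__ == "__main__":
    for name in find_external_ingress(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: properties.configuration.ingress.external is true")
```

Run the script against an exported or authored ARM template to get the same pass/fail outcome the rule reports, before the resources are deployed.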

Configure with Bicep

To deploy Container Apps that pass this rule:

  • Set properties.configuration.ingress.external to false.

For example:

Azure Bicep snippet

```bicep
resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    environmentId: containerEnv.id
    template: {
      revisionSuffix: revision
      containers: containers
      scale: {
        minReplicas: 2
      }
    }
    configuration: {
      ingress: {
        allowInsecure: false
        external: false
        ipSecurityRestrictions: ipSecurityRestrictions
        stickySessions: {
          affinity: 'none'
        }
      }
    }
  }
}
```

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/app/container-app:<version>

For example:

br/public:avm/res/app/container-app:0.11.0

To use the latest version:

br/public:avm/res/app/container-app:0.9.0

Notes

This rule is skipped by default because there are common cases where external ingress is required. If you don't need external ingress, enable this rule by:

  • Setting the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to true.
