# Disable public access
Security · Container App · Rule · 2023_03 · Important
Ensure public network access for Container Apps environment is disabled.
## Description

Container Apps environments allow you to expose your container apps to the Internet.
Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.
Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.
This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.
To provide secure access externally, instead consider using:

- An Application Gateway in front of your Container Apps, deployed in your private VNET.
- An Azure Front Door premium profile with Private Link to your Container Apps. This currently only applies to Container Apps using consumption without workload profiles.
## Recommendation

Consider disabling public network access by deploying an internal-only Container Apps environment to reduce the attack surface.
## Examples

### Configure with Azure template

To deploy Container Apps environments that pass this rule:

- Set a custom VNET by configuring `properties.vnetConfiguration.infrastructureSubnetId` with the resource ID of a subnet.
- Set `properties.vnetConfiguration.internal` to `true`.

For example:
```json
{
  "type": "Microsoft.App/managedEnvironments",
  "apiVersion": "2024-03-01",
  "name": "[parameters('envName')]",
  "location": "[parameters('location')]",
  "properties": {
    "appLogsConfiguration": {
      "destination": "log-analytics",
      "logAnalyticsConfiguration": {
        "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').customerId]",
        "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').primarySharedKey]"
      }
    },
    "zoneRedundant": true,
    "workloadProfiles": [
      {
        "name": "Consumption",
        "workloadProfileType": "Consumption"
      }
    ],
    "vnetConfiguration": {
      "infrastructureSubnetId": "[parameters('subnetId')]",
      "internal": true
    }
  }
}
```
### Configure with Bicep

To deploy Container Apps environments that pass this rule:

- Set a custom VNET by configuring `properties.vnetConfiguration.infrastructureSubnetId` with the resource ID of a subnet.
- Set `properties.vnetConfiguration.internal` to `true`.

For example:
```bicep
resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = {
  name: envName
  location: location
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        customerId: workspace.properties.customerId
        sharedKey: workspace.listKeys().primarySharedKey
      }
    }
    zoneRedundant: true
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
    // Custom VNET plus internal: true gives the environment an internal load balancer
    // instead of a public IP, so no container app in it is reachable from the Internet.
    vnetConfiguration: {
      infrastructureSubnetId: subnetId
      internal: true
    }
  }
}
```
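To verify the two settings above across an existing estate rather than one template, the following script is an added example (not part of this page or of PSRule's own rule implementation). It applies the same logic the rule describes, a custom VNET subnet plus `internal: true`, to every `Microsoft.App/managedEnvironments` resource in an exported ARM template. The template contents are constructed for the example; the property names are the real ARM ones shown above. An environment with no `vnetConfiguration` at all is treated as failing, since without a custom VNET the environment gets a public endpoint, and an `internal` value that is still an unresolved template expression (a parameter or variable reference) is reported as failing so it is never silently accepted.

```python
import json

# Constructed sample export: three environments plus one container app that must be
# ignored. None of these resources or IDs exist; they only exercise the check.
SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-infra"
)
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.App/managedEnvironments", "name": "env-internal",
         "properties": {"vnetConfiguration": {"infrastructureSubnetId": SUBNET_ID, "internal": True}}},
        {"type": "Microsoft.App/managedEnvironments", "name": "env-external",
         "properties": {"vnetConfiguration": {"infrastructureSubnetId": SUBNET_ID, "internal": False}}},
        # No vnetConfiguration: the environment is created with a public endpoint.
        {"type": "Microsoft.App/managedEnvironments", "name": "env-default",
         "properties": {}},
        {"type": "Microsoft.App/containerApps", "name": "app-1", "properties": {}},
    ]
})

ENV_TYPE = "microsoft.app/managedenvironments"


def check_environment(resource):
    """Return (passed, reason) for a single managedEnvironments resource."""
    props = resource.get("properties") or {}
    vnet = props.get("vnetConfiguration") or {}
    subnet = vnet.get("infrastructureSubnetId")
    internal = vnet.get("internal")
    if not subnet:
        return False, "no infrastructureSubnetId: environment is deployed with a public endpoint"
    if isinstance(internal, str) and internal.startswith("["):
        # Unresolved ARM expression such as "[parameters('internal')]"; resolve the
        # template (or inspect the deployed resource) before trusting the value.
        return False, "vnetConfiguration.internal is an unresolved template expression"
    if internal is not True:
        return False, "vnetConfiguration.internal is not true: environment is external"
    return True, "internal environment on a custom VNET"


def evaluate_template(template_json):
    """Map each managedEnvironments resource name to its (passed, reason) result."""
    template = json.loads(template_json)
    results = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != ENV_TYPE:
            continue  # only the environment carries the network configuration
        results[res["name"]] = check_environment(res)
    return results


def failing_environments(template_json):
    """Sorted names of environments that do not pass the rule."""
    return sorted(name for name, (ok, _) in evaluate_template(template_json).items() if not ok)


if __name__ == "__main__":
    for name, (ok, reason) in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

Against the constructed sample this reports `env-internal` as passing and `env-external` and `env-default` as failing. Run it against the JSON from `az group export` or a decompiled Bicep build to get the same verdict for real environments; remember that `internal: true` cannot be set without `infrastructureSubnetId`, so an environment that fails on the first check also has to be redeployed with a custom VNET, not just flipped to internal.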
### Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
For example:
To use the latest version:
## Links
- SE:06 Network controls
- NS-2: Secure cloud services with network controls
- Networking in Azure Container Apps environment
- Azure deployment reference