# IP ingress restrictions mode
Security · Container App · 2023_06
IP ingress restrictions mode should be set to the Allow action for all rules defined.

## Description
Container Apps supports restricting inbound traffic by IP address.
This allows a container app to restrict inbound HTTP or TCP traffic by allowing or denying access to a specific list of IP address ranges.

However, configuring a rule with the `Deny` action denies traffic from that IPv4 address or range but allows all other traffic.
Configuring one or more rules with the `Allow` action instead allows traffic only from the listed IPv4 addresses or ranges and denies all other traffic.
When no IP restriction rules are defined, all inbound traffic is allowed.

IP ingress restrictions can be used for container apps in both external and internal environments. Internal environments are limited to private addresses only, whereas external environments support both public and private addresses.
## Recommendation
Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.
## Examples

### Configure with Azure template

To deploy Container Apps that pass this rule:
- Create one or more rules to allow traffic by configuring `properties.configuration.ingress.ipSecurityRestrictions`.
- For each rule defined in `properties.configuration.ingress.ipSecurityRestrictions`, set `action` to `Allow`.
For example:

```json
{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2022-11-01-preview",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  },
  "properties": {
    "environmentId": "[parameters('environmentId')]",
    "template": {
      "revisionSuffix": "",
      "containers": "[variables('containers')]"
    },
    "configuration": {
      "ingress": {
        "external": false,
        "ipSecurityRestrictions": [
          {
            "action": "Allow",
            "description": "ClientIPAddress_1",
            "ipAddressRange": "10.1.1.1/32",
            "name": "ClientIPAddress_1"
          },
          {
            "action": "Allow",
            "description": "ClientIPAddress_2",
            "ipAddressRange": "10.1.2.1/32",
            "name": "ClientIPAddress_2"
          }
        ]
      }
    }
  }
}
```
### Configure with Bicep

To deploy Container Apps that pass this rule:

- Create one or more rules to allow traffic by configuring `properties.configuration.ingress.ipSecurityRestrictions`.
- For each rule defined in `properties.configuration.ingress.ipSecurityRestrictions`, set `action` to `Allow`.
For example:

```bicep
resource containerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
  properties: {
    environmentId: environmentId
    template: {
      revisionSuffix: ''
      containers: containers
    }
    configuration: {
      ingress: {
        external: false
        ipSecurityRestrictions: [
          {
            action: 'Allow'
            description: 'ClientIPAddress_1'
            ipAddressRange: '10.1.1.1/32'
            name: 'ClientIPAddress_1'
          }
          {
            action: 'Allow'
            description: 'ClientIPAddress_2'
            ipAddressRange: '10.1.2.1/32'
            name: 'ClientIPAddress_2'
          }
        ]
      }
    }
  }
}
```
## Notes

All rules must be of the same type: combining Allow rules and Deny rules is not supported. If no rules are defined at all, the rule does not pass, because it expects at least one Allow rule to be configured.
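As an added illustration of the conditions above (not the rule's own implementation), the following Python function evaluates a `Microsoft.App/containerApps` resource the way the notes describe: at least one rule must exist, every rule must use the `Allow` action, mixed Allow and Deny rules fail, and each `ipAddressRange` must be an IPv4 address or range. The sample resource is constructed from the template above; `check_ip_ingress_restrictions` and `check_template` are hypothetical names.

```python
import ipaddress
import json

# Constructed sample: the Allow-only ingress configuration from the template above.
PASSING_APP = {
    "type": "Microsoft.App/containerApps",
    "name": "app-allow-only",
    "properties": {"configuration": {"ingress": {"external": False, "ipSecurityRestrictions": [
        {"action": "Allow", "name": "ClientIPAddress_1", "ipAddressRange": "10.1.1.1/32"},
        {"action": "Allow", "name": "ClientIPAddress_2", "ipAddressRange": "10.1.2.1/32"},
    ]}}},
}


def check_ip_ingress_restrictions(resource: dict) -> tuple[bool, str]:
    """Return (passed, reason) for one ARM resource object.

    Non-container-app resources pass trivially because the rule does not apply to them.
    """
    if resource.get("type") != "Microsoft.App/containerApps":
        return True, "rule does not apply to this resource type"
    ingress = resource.get("properties", {}).get("configuration", {}).get("ingress") or {}
    rules = ingress.get("ipSecurityRestrictions") or []
    if not rules:
        # No rules at all means every inbound source is accepted.
        return False, "no ipSecurityRestrictions defined; all inbound traffic is allowed"
    actions = {str(r.get("action", "")).lower() for r in rules}
    if "allow" in actions and "deny" in actions:
        return False, "mixing Allow and Deny rules is not supported"
    not_allow = [r.get("name", "<unnamed>") for r in rules if str(r.get("action", "")).lower() != "allow"]
    if not_allow:
        return False, "rule(s) not set to Allow: " + ", ".join(not_allow)
    for r in rules:
        try:
            net = ipaddress.ip_network(r.get("ipAddressRange", ""), strict=False)
        except ValueError:
            return False, f"rule {r.get('name', '<unnamed>')} has an invalid ipAddressRange"
        if net.version != 4:
            return False, f"rule {r.get('name', '<unnamed>')} is not an IPv4 address or range"
    return True, f"{len(rules)} Allow rule(s) defined"


def check_template(template_json: str) -> dict:
    """Evaluate every resource in an ARM template document; returns {resource name: (passed, reason)}."""
    template = json.loads(template_json)
    return {res.get("name", "<unnamed>"): check_ip_ingress_restrictions(res)
            for res in template.get("resources", [])}
```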
## Links
- Network security and containment
- Networking architecture in Azure Container Apps
- IP restrictions
- Set up IP ingress restrictions in Azure Container Apps
- Azure security baseline for Azure Container Apps
- NS-2: Secure cloud services with network controls
- Azure deployment reference