Customer responsibilities for running Azure Spring Apps in a virtual network
Note
The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3-year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.
The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.
This article applies to: ✅ Basic/Standard ✅ Enterprise
This article includes specifications for the use of Azure Spring Apps in a virtual network.
When Azure Spring Apps is deployed in your virtual network, it has outbound dependencies on services outside of the virtual network. For management and operational purposes, Azure Spring Apps must access certain ports and fully qualified domain names (FQDNs). Azure Spring Apps requires these endpoints to communicate with the management plane and to download and install core Kubernetes cluster components and security updates.
By default, Azure Spring Apps has unrestricted outbound (egress) internet access. This level of network access allows applications you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must remain accessible for maintenance tasks. The simplest way to secure outbound addresses is to use a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.
Azure Spring Apps resource requirements
The following list shows the resource requirements for Azure Spring Apps services. As a general requirement, you shouldn't modify resource groups created by Azure Spring Apps and the underlying network resources.
- Don't modify resource groups created and owned by Azure Spring Apps.
  - By default, these resource groups are named ap-svc-rt_<service-instance-name>_<region>* and ap_<service-instance-name>_<region>*.
- Don't block Azure Spring Apps from updating resources in these resource groups.
- Don't modify subnets used by Azure Spring Apps.
- Don't create more than one Azure Spring Apps service instance in the same subnet.
- When using a firewall to control traffic, don't block the following egress traffic to Azure Spring Apps components that operate, maintain, and support the service instance.
Azure Global required network rules
Destination endpoint | Port | Use | Note |
---|---|---|---|
*:443 or ServiceTag - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management. | For information about the service instance requiredTraffics, see the resource payload, under the networkProfile section. |
*.azurecr.io:443 or ServiceTag - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry. | Can be replaced by enabling the Azure Container Registry service endpoint in the virtual network. |
*.core.windows.net:443 and *.core.windows.net:445 or ServiceTag - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the Azure Storage service endpoint in the virtual network. |
*.servicebus.windows.net:443 or ServiceTag - EventHub:443 | TCP:443 | Azure Event Hubs. | Can be replaced by enabling the Azure Event Hubs service endpoint in the virtual network. |
*.prod.microsoftmetrics.com:443 or ServiceTag - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. |
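The note on the first row points at the requiredTraffics list in the resource payload. The following added example (not Microsoft's code) reads a constructed fragment of that payload and reports which outbound FQDN/port pairs an FQDN-based allow-list such as the table above does not permit; the field names protocol, port, ips, fqdns and direction are assumed to match the payload's requiredTraffics objects.

```python
"""Check an egress allow-list against the requiredTraffics of an Azure Spring
Apps instance. Added example, not Microsoft's code. The payload is a constructed
sample; its field names (protocol, port, ips, fqdns, direction) are assumed to
match the networkProfile.requiredTraffics objects in the resource payload."""
import json
from fnmatch import fnmatchcase

# Constructed payload fragment; IPs and hostnames are illustrative only.
SAMPLE_PAYLOAD = json.dumps({"properties": {"networkProfile": {"requiredTraffics": [
    {"protocol": "TCP", "port": 443, "ips": ["203.0.113.10"],
     "fqdns": ["management.azure.com", "login.microsoftonline.com"],
     "direction": "Outbound"},
    {"protocol": "TCP", "port": 445, "ips": [],
     "fqdns": ["example123.file.core.windows.net"], "direction": "Outbound"},
    {"protocol": "TCP", "port": 443, "ips": [],
     "fqdns": ["example123.azurecr.io", "example123.servicebus.windows.net"],
     "direction": "Outbound"},
    {"protocol": "TCP", "port": 1194, "ips": ["203.0.113.20"], "fqdns": [],
     "direction": "Inbound"},
]}}})

# Allow-list as (pattern, port) pairs, taken from the FQDN rules on this page.
# The Storage and Event Hubs entries are left out on purpose to show the gap.
ALLOW_LIST = [
    ("*.azurecr.io", 443), ("management.azure.com", 443),
    ("login.microsoftonline.com", 443), ("*.azmk8s.io", 443),
    ("mcr.microsoft.com", 443), ("*.data.mcr.microsoft.com", 443),
]

def required_egress(payload: str) -> list[tuple[str, int]]:
    """Return sorted (fqdn, port) pairs for every Outbound requiredTraffics entry."""
    traffics = json.loads(payload)["properties"]["networkProfile"]["requiredTraffics"]
    pairs = {(f, int(t["port"])) for t in traffics
             if t.get("direction") == "Outbound" for f in (t.get("fqdns") or [])}
    return sorted(pairs)

def allowed(fqdn: str, port: int, allow_list) -> bool:
    """Glob-match the FQDN against allow-list patterns on the same port;
    '*' matches any label sequence, so '*.azurecr.io' covers 'a.b.azurecr.io'."""
    return any(port == p and fnmatchcase(fqdn, pat) for pat, p in allow_list)

def uncovered(payload: str, allow_list=ALLOW_LIST) -> list[tuple[str, int]]:
    """(fqdn, port) pairs the instance needs that the allow-list does not permit."""
    return [(f, p) for f, p in required_egress(payload) if not allowed(f, p, allow_list)]

if __name__ == "__main__":
    for fqdn, port in uncovered(SAMPLE_PAYLOAD):
        print(f"blocked by allow-list: {fqdn}:{port}")
```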
Azure Global required FQDN / application rules
Azure Firewall provides the FQDN tag AzureKubernetesService to simplify the following configurations:
Destination FQDN | Port | Use |
---|---|---|
*.azmk8s.io | HTTPS:443 | Underlying Kubernetes Cluster management. |
mcr.microsoft.com | HTTPS:443 | Microsoft Container Registry (MCR). |
*.data.mcr.microsoft.com | HTTPS:443 | MCR storage backed by the Azure CDN. |
management.azure.com | HTTPS:443 | Underlying Kubernetes Cluster management. |
login.microsoftonline.com | HTTPS:443 | Microsoft Entra authentication. |
packages.microsoft.com | HTTPS:443 | Microsoft packages repository. |
acs-mirror.azureedge.net | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. |
Microsoft Azure operated by 21Vianet required network rules
Destination endpoint | Port | Use | Note |
---|---|---|---|
*:443 or ServiceTag - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management. | For information about the service instance requiredTraffics, see the resource payload, under the networkProfile section. |
*.azurecr.cn:443 or ServiceTag - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry. | Can be replaced by enabling the Azure Container Registry service endpoint in the virtual network. |
*.core.chinacloudapi.cn:443 and *.core.chinacloudapi.cn:445 or ServiceTag - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the Azure Storage service endpoint in the virtual network. |
*.servicebus.chinacloudapi.cn:443 or ServiceTag - EventHub:443 | TCP:443 | Azure Event Hubs. | Can be replaced by enabling the Azure Event Hubs service endpoint in the virtual network. |
*.prod.microsoftmetrics.com:443 or ServiceTag - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. |
Microsoft Azure operated by 21Vianet required FQDN / application rules
Azure Firewall provides the FQDN tag AzureKubernetesService to simplify the following configurations:
Destination FQDN | Port | Use |
---|---|---|
*.cx.prod.service.azk8s.cn | HTTPS:443 | Underlying Kubernetes Cluster management. |
mcr.microsoft.com | HTTPS:443 | Microsoft Container Registry (MCR). |
*.data.mcr.microsoft.com | HTTPS:443 | MCR storage backed by the Azure CDN. |
management.chinacloudapi.cn | HTTPS:443 | Underlying Kubernetes Cluster management. |
login.chinacloudapi.cn | HTTPS:443 | Microsoft Entra authentication. |
packages.microsoft.com | HTTPS:443 | Microsoft packages repository. |
*.azk8s.cn | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. |
Azure Spring Apps optional FQDN for third-party application performance management
Destination FQDN | Port | Use |
---|---|---|
collector*.newrelic.com | TCP:443/80 | Required networks of New Relic APM agents from US region, also see APM Agents Networks. |
collector*.eu01.nr-data.net | TCP:443/80 | Required networks of New Relic APM agents from EU region, also see APM Agents Networks. |
*.live.dynatrace.com | TCP:443 | Required network of Dynatrace APM agents. |
*.live.ruxit.com | TCP:443 | Required network of Dynatrace APM agents. |
*.saas.appdynamics.com | TCP:443/80 | Required network of AppDynamics APM agents, also see SaaS Domains and IP Ranges. |
Azure Spring Apps optional FQDN for Application Insights
You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or the Application Insights Agent to send data to the portal. For more information, see the Outgoing ports section of IP addresses used by Azure Monitor.
VirtualNetwork service tag
Azure network security groups can filter network traffic within an Azure virtual network. When you enable inbound network traffic using the VirtualNetwork service tag, it automatically includes all IP address ranges of the workload virtual network and any peered transit virtual networks.
For Azure Spring Apps running on Azure Kubernetes Service (AKS), the AKS infrastructure manages the IP address prefixes for workloads on all AKS node pools. These prefixes are implicitly included in the VirtualNetwork service tag. This design ensures that applications remain accessible within the virtual network, even if their IP addresses fall outside the defined IP range of the virtual network.
If you decide not to allow traffic using the VirtualNetwork service tag, you must configure specific rules to allow communication between the Azure Spring Apps service runtime subnet and the apps subnet. Furthermore, you need to explicitly allow traffic from the Azure Spring Apps reserved Classless Inter-Domain Routing (CIDR) range, which is used by the underlying AKS infrastructure. You can't add only part of the CIDR range to the allow list because the address prefix for workloads is dynamic.
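The following added example (not Microsoft's code) audits a set of inbound NSG allow rules for the requirement just described: without the VirtualNetwork tag, the service runtime subnet, the apps subnet and the whole reserved CIDR range must each be fully contained in some allow rule, and a rule that covers only a slice of the reserved range is reported as a gap. The subnet, reserved-range and rule values are constructed placeholders, and the rule dictionaries are a simplified shape, not the NSG API schema.

```python
"""Audit NSG inbound allow rules for an Azure Spring Apps instance that does
not rely on the VirtualNetwork service tag. Added example, not Microsoft's
code. Subnet and reserved-range values below are constructed placeholders."""
import ipaddress

# Constructed placeholders for one deployment (replace with your own values).
SERVICE_RUNTIME_SUBNET = "10.1.0.0/28"
APPS_SUBNET = "10.1.1.0/28"
RESERVED_CIDR = ["10.244.0.0/16", "10.245.0.0/16"]  # reserved ranges of the instance

def required_sources() -> list[str]:
    """Every prefix that must be able to reach the apps without the tag."""
    return [SERVICE_RUNTIME_SUBNET, APPS_SUBNET, *RESERVED_CIDR]

def covers(rule_prefix: str, required: str) -> bool:
    """True if an NSG source prefix fully contains the required prefix.
    The VirtualNetwork tag covers everything (the AKS workload prefixes are
    implicitly part of it); a plain CIDR must contain the whole required range,
    because only part of the reserved range cannot be allow-listed."""
    if rule_prefix == "VirtualNetwork":
        return True
    try:
        return ipaddress.ip_network(required).subnet_of(ipaddress.ip_network(rule_prefix))
    except (ValueError, TypeError):
        return False  # other service tags, or an address-family mismatch

def missing_sources(nsg_rules: list[dict]) -> list[str]:
    """Required prefixes that no inbound Allow rule fully covers. Rules are
    dicts with 'direction', 'access' and 'source_address_prefixes' (a list),
    a constructed shape that only loosely follows NSG security rule properties."""
    allow_prefixes = [p for r in nsg_rules
                      if r["direction"] == "Inbound" and r["access"] == "Allow"
                      for p in r["source_address_prefixes"]]
    return [req for req in required_sources()
            if not any(covers(p, req) for p in allow_prefixes)]

# Constructed rule set: allows both subnets but only a /24 slice of the reserved range.
PARTIAL_RULES = [
    {"direction": "Inbound", "access": "Allow",
     "source_address_prefixes": [SERVICE_RUNTIME_SUBNET, APPS_SUBNET, "10.244.0.0/24"]},
    {"direction": "Inbound", "access": "Deny", "source_address_prefixes": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for prefix in missing_sources(PARTIAL_RULES):
        print(f"not fully allowed by any inbound rule: {prefix}")
```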