
fix: restrict container apps to apim ip (#448)
APIM is set up, and we want to restrict incoming requests to the APIM IP
so that the container apps are closed to public access.
arealmaas authored Feb 16, 2024
1 parent 713771a commit 1a1f3ad
Showing 7 changed files with 18 additions and 1 deletion.
3 changes: 3 additions & 0 deletions .azure/applications/web-api-eu/main.bicep
Expand Up @@ -6,6 +6,8 @@ param imageTag string
param environment string
@minLength(3)
param location string
@minLength(3)
param apimIp string

@minLength(3)
@secure()
Expand Down Expand Up @@ -64,6 +66,7 @@ module containerApp '../../modules/containerApp/main.bicep' = {
location: location
envVariables: containerAppEnvVars
containerAppEnvId: containerAppEnvironment.id
apimIp: apimIp
}
}

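Review bot: `param apimIp string` in the first hunk is guarded only by `@minLength(3)`, which rejects an empty value but accepts any other string, including a range wide enough to leave the app publicly reachable again. Bicep has no pattern decorator, so the least that helps is a description stating the expected form, `@description('Public IPv4 address of the APIM instance allowed to call this app; a single address, not a range')`. The same parameter is added without a description in `.azure/applications/web-api-so/main.bicep` and in `.azure/modules/containerApp/main.bicep`. Only the staging and test parameter files are updated in this commit; if other parameter files use these templates (none are visible here), they will fail on the new required parameter, which is the safe failure but should be intentional.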
1 change: 1 addition & 0 deletions .azure/applications/web-api-eu/staging.bicepparam
Expand Up @@ -2,6 +2,7 @@ using './main.bicep'

param environment = 'staging'
param location = 'norwayeast'
param apimIp = '51.13.86.131'
param imageTag = readEnvironmentVariable('IMAGE_TAG')

// secrets
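Review bot: The literal `'51.13.86.131'` assigned to `apimIp` carries no indication of where it comes from or when it must change, and it is now the value that decides who can reach the app. An APIM public address can change when the instance is recreated or moved between tiers or networks, at which point this allowlist either blocks APIM or, if the address is reassigned, admits whoever holds it. A comment such as `// Public IP of the staging APIM instance; re-check after any APIM redeploy or tier change` would help, and reading the address from the APIM resource instead of a literal would remove the drift. The same applies to `test.bicepparam` in this directory and to both parameter files under `web-api-so`.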
1 change: 1 addition & 0 deletions .azure/applications/web-api-eu/test.bicepparam
Expand Up @@ -2,6 +2,7 @@ using './main.bicep'

param environment = 'test'
param location = 'norwayeast'
param apimIp = '51.120.88.69'
param imageTag = readEnvironmentVariable('IMAGE_TAG')

// secrets
3 changes: 3 additions & 0 deletions .azure/applications/web-api-so/main.bicep
Expand Up @@ -6,6 +6,8 @@ param imageTag string
param environment string
@minLength(3)
param location string
@minLength(3)
param apimIp string

@minLength(3)
@secure()
Expand Down Expand Up @@ -68,6 +70,7 @@ module containerApp '../../modules/containerApp/main.bicep' = {
location: location
envVariables: containerAppEnvVars
containerAppEnvId: containerAppEnvironment.id
apimIp: apimIp
}
}

1 change: 1 addition & 0 deletions .azure/applications/web-api-so/staging.bicepparam
Expand Up @@ -2,6 +2,7 @@ using './main.bicep'

param environment = 'staging'
param location = 'norwayeast'
param apimIp = '51.13.86.131'
param imageTag = readEnvironmentVariable('IMAGE_TAG')

// secrets
1 change: 1 addition & 0 deletions .azure/applications/web-api-so/test.bicepparam
Expand Up @@ -2,6 +2,7 @@ using './main.bicep'

param environment = 'test'
param location = 'norwayeast'
param apimIp = '51.120.88.69'
param imageTag = readEnvironmentVariable('IMAGE_TAG')

// secrets
9 changes: 8 additions & 1 deletion .azure/modules/containerApp/main.bicep
Expand Up @@ -3,6 +3,7 @@ param envVariables array = []
param port int = 8080
param name string
param image string
param apimIp string

param containerAppEnvId string

Expand Down Expand Up @@ -30,7 +31,13 @@ var probes = [
var ingress = {
targetPort: port
external: true
ipSecurityRestrictions: []
ipSecurityRestrictions: [
{
name: 'apim'
action: 'Allow'
ipAddressRange: apimIp
}
]
}

resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
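Review bot: The `apim` Allow rule in `ingress.ipSecurityRestrictions` becomes the only control in front of the app while `external: true` stays, and nothing in the file says that a single Allow entry implicitly denies every other source. I would put a comment above the array, `// Any Allow rule makes Container Apps deny all other source addresses; APIM is the only permitted caller`, so that a later edit which adds a rule or empties the array is recognised as widening access. A source-IP allowlist identifies the network origin only, so if the APIM tier shares its outbound address with other tenants (not visible here) the backend should also verify something APIM presents, such as a client certificate or a token. `ipAddressRange` is documented as CIDR notation, so passing `'${apimIp}/32'` or requiring CIDR in the parameter looks safer than a bare address; worth confirming against a deployment. The `containerApp` resource that consumes `ingress` continues past the last visible line of the hunk.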
