
[Feature]: Azure API Management and Azure Container App subnets should have specific Network Security Groups #135

@simonkurtz-MSFT

Description


Describe the feature

Presently, API Management and Container Apps often, if not always, use the nsg-default resource. What this does not do, however, is restrict ingress enough. API Management should only allow traffic from Front Door or Application Gateway (ensure to cover virtual network vs. private link appropriately in the NSG). Container Apps should only allow ingress from API Management (same consideration for virtual network vs. private link).

Each rule in the NSG should have a proper description as to its purpose. There should also be a rule with priority 4096 that disables all other traffic. Please ensure that everything that's needed is covered appropriately before that priority. Lastly, we should have NSG flow logs enabled for everything and networking monitoring in place.

Check all applicable infrastructure architectures.

Improvement to Project

This will result in improved security and network monitoring.

Are you able to collaborate and/or submit a pull request?

Yes
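As an added example (not code from the issue or the project), the following lint checks a rule list in the shape returned by `az network nsg show` for the three properties requested above: every rule carries a description, inbound ends in a priority-4096 deny-all, and inbound allows name only the expected sources. AzureFrontDoor.Backend is a real Azure service tag; the subnet prefixes, rule names and helper functions are constructed for this example.

```python
# Added example, not code from the issue or the project: a small lint over an
# NSG rule list in the shape returned by `az network nsg show` (securityRules).
# The service tag AzureFrontDoor.Backend is a real Azure tag; subnet prefixes
# and rule names below are constructed.

def lint_nsg(rules, allowed_sources):
    """Return findings (an empty list means the rule set meets the bar)."""
    findings = []
    for r in rules:
        if not r.get("description"):
            findings.append(f"{r['name']}: missing description")
    inbound = [r for r in rules if r["direction"] == "Inbound"]
    # The catch-all must sit at priority 4096 and deny everything.
    if not any(r["priority"] == 4096 and r["access"] == "Deny"
               and r["sourceAddressPrefix"] == "*" and r["protocol"] == "*"
               and r["destinationPortRange"] == "*" for r in inbound):
        findings.append("no priority-4096 inbound deny-all rule")
    # Every inbound allow must name one of the expected sources, nothing broader.
    for r in inbound:
        if r["access"] == "Allow" and r["sourceAddressPrefix"] not in allowed_sources:
            findings.append(f"{r['name']}: allows ingress from {r['sourceAddressPrefix']}")
    return findings

def rule(name, priority, access, src, port="*", proto="*", desc="", direction="Inbound"):
    return {"name": name, "priority": priority, "access": access, "direction": direction,
            "sourceAddressPrefix": src, "destinationPortRange": port, "protocol": proto,
            "description": desc}

# Constructed: API Management subnet. 10.0.1.0/24 stands in for the App Gateway subnet.
APIM_SOURCES = {"AzureFrontDoor.Backend", "10.0.1.0/24"}
APIM_NSG = [
    rule("AllowFrontDoorInbound", 100, "Allow", "AzureFrontDoor.Backend", "443", "Tcp",
         "HTTPS from Azure Front Door backends only"),
    rule("AllowAppGatewayInbound", 110, "Allow", "10.0.1.0/24", "443", "Tcp",
         "HTTPS from the Application Gateway subnet"),
    rule("DenyAllInbound", 4096, "Deny", "*", desc="Deny everything not allowed above"),
]

# Constructed: the permissive nsg-default pattern the issue describes.
DEFAULT_NSG = [
    rule("AllowAnyHTTPSInbound", 100, "Allow", "*", "443", "Tcp"),
]

if __name__ == "__main__":
    for label, nsg in (("apim", APIM_NSG), ("default", DEFAULT_NSG)):
        print(label, lint_nsg(nsg, APIM_SOURCES) or "ok")
```

A real API Management subnet also needs the platform's own inbound rules (for example the ApiManagement service tag on TCP 3443 for the management endpoint) placed before the catch-all, so add those sources to the allowed set when running the lint against a live NSG.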

Labels: triage
