Skip to content

Add specific NSGs for APIM and Container Apps with flow logs and Traffic Analytics #136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add specific NSGs for APIM and Container Apps with flow logs and Traffic Analytics #136

Copilot wants to merge 10 commits into from
+1,393 −658

Conversation

Copy link
Contributor

Copilot AI commented Jan 29, 2026
edited
Loading

API Management and Container Apps subnets used generic nsg-default without ingress restrictions or flow logging. This creates specific NSGs enforcing least-privilege access with comprehensive monitoring.

NSG Modules

Created reusable modules in shared/bicep/modules/vnet/v1/:

  • nsg-apim-pe.bicep - APIM with private link support for Front Door (AzureFrontDoor.Backend) or App Gateway (subnet-based)
  • nsg-apim-vnet.bicep - APIM in VNet mode with App Gateway ingress
  • nsg-aca.bicep - Container Apps accepting traffic only from APIM subnet
  • nsg-flow-logs.bicep - Flow log configuration with Traffic Analytics
  • storage-flowlogs.bicep - Storage account for flow log data

All NSGs include priority 4096 deny-all inbound rule and required outbound connectivity (Storage, SQL, Key Vault, Azure Monitor for APIM).

Infrastructure Changes

afd-apim-pe: APIM subnet → nsg-apim-pe (Front Door), ACA subnet → nsg-aca

appgw-apim: Added deny-all rule to existing App Gateway NSG, ACA subnet → nsg-aca

appgw-apim-pe: APIM subnet → nsg-apim-pe (App Gateway), App Gateway NSG enhanced, ACA subnet → nsg-aca

All three infrastructures now deploy:

  • NSG flow logs (7-day retention, JSON v2)
  • Traffic Analytics workspace integration
  • Dedicated storage account for flow logs

Example Usage

module nsgApim 'nsg-apim-pe.bicep' = {
  params: {
    apimSubnetPrefix: '10.0.1.0/24'
    allowFrontDoorBackend: true  // For Front Door scenarios
    allowAppGateway: false
  }
}

module nsgAca 'nsg-aca.bicep' = {
  params: {
    acaSubnetPrefix: '10.0.2.0/23'
    apimSubnetPrefix: '10.0.1.0/24'  // Only source allowed
  }
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: /usr/local/bin/bicep bicep build shared/bicep/modules/vnet/v1/nsg-apim-vnet.bicep (dns block)
    • Triggering command: /usr/local/bin/bicep bicep build shared/bicep/modules/vnet/v1/nsg-apim-pe.bicep (dns block)
    • Triggering command: /usr/local/bin/bicep bicep build shared/bicep/modules/vnet/v1/nsg-aca.bicep (dns block)
  • eastus.data.mcr.microsoft.com
    • Triggering command: /usr/local/bin/bicep bicep build infrastructure/appgw-apim/main.bicep (dns block)
    • Triggering command: /usr/local/bin/bicep bicep build infrastructure/appgw-apim-pe/main.bicep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[Feature]: Azure API Management and Azure Container App subnets should have specific Network Security Groups</issue_title>
<issue_description>### Describe the feature

Presently, API Management and Container Apps often, if not always, use the nsg-default resource. What this does not do, however, is not ingress enough. API Management should only allow traffic from Front Door or Application Gateway (ensure to cover virtual network vs. private link appropriately in the NSG). Container Apps should only allow ingress from API Management (same consideration for virtual network vs. private link).

Each rule in the NSG should have a proper description as to its purpose. There should also be a rule with priority 4096 that disables all other traffic. Please ensure that everything that's needed is covered appropriately before that priority. Lastly, we should have NSG flow logs enabled for everything and networking monitoring in place.

Check all applicable infrastructure architectures.

Improvement to Project

This will result in improved security and network monitoring.

Are you able to collaborate and/or submit a pull request?

Yes</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@simonkurtz-MSFT
Add specific NSG modules and update infrastructure files with NSG flo…
9e2a199 
…w logs

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>
@github-actions
Copy link

github-actions bot commented Jan 29, 2026
edited
Loading

🐍 Python 3.14 Results

Metric Status Value
Pylint Score 10.00/10
Unit Tests success
Code Coverage 📊 100%

Full Workflow Logs

@github-actions
Copy link

github-actions bot commented Jan 29, 2026
edited
Loading

Python 3.14 Detailed Test Results

1 458 tests  +6   1 458 ✅ +6   12s ⏱️ -7s
    1 suites ±0       0 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit 309d543. ± Comparison against base commit ee33f72.

This pull request removes 15 and adds 21 tests. Note that renamed tests count towards both. 
test_verify_local_setup ‑ test_check_azure_providers_subprocess_error
test_verify_local_setup ‑ test_check_bicep_cli_case_insensitive_version
test_verify_local_setup ‑ test_check_bicep_cli_empty_version
test_verify_local_setup ‑ test_check_bicep_cli_uses_first_line_only
test_verify_local_setup ‑ test_check_bicep_cli_version_token_without_value
test_verify_local_setup ‑ test_check_jupyter_kernel_file_not_found
test_verify_local_setup ‑ test_check_jupyter_kernel_found
test_verify_local_setup ‑ test_check_jupyter_kernel_found_python3
test_verify_local_setup ‑ test_check_jupyter_kernel_not_found
test_verify_local_setup ‑ test_check_jupyter_kernel_subprocess_error
…

test_apimrequests ‑ test_multi_get_merges_custom_headers
test_apimrequests ‑ test_multi_request_custom_headers_do_not_affect_other_runs
test_apimrequests ‑ test_multi_request_merges_custom_headers
test_apimrequests ‑ test_single_request_merges_custom_headers
test_verify_local_setup ‑ test_check_azure_providers_subprocess_error[exception0]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[-unknown-True]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[BICEP VERSION 1.2.3\n-1.2.3-False]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[Bicep version-unknown-True]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[Welcome to Bicep CLI\nversion 9.9.9\n-unknown-True]
test_verify_local_setup ‑ test_check_jupyter_kernel_errors[exception0-Install Jupyter]
…

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Jan 29, 2026
edited
Loading

🐍 Python 3.13 Results

Metric Status Value
Pylint Score 10.00/10
Unit Tests success
Code Coverage 📊 100%

Full Workflow Logs

@github-actions
Copy link

github-actions bot commented Jan 29, 2026
edited
Loading

🐍 Python 3.12 Results

Metric Status Value
Pylint Score 10.00/10
Unit Tests success
Code Coverage 📊 100%

Full Workflow Logs

@github-actions
Copy link

github-actions bot commented Jan 29, 2026
edited
Loading

Python 3.12 Detailed Test Results

1 458 tests  +6   1 458 ✅ +6   16s ⏱️ -3s
    1 suites ±0       0 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit 309d543. ± Comparison against base commit ee33f72.

This pull request removes 15 and adds 21 tests. Note that renamed tests count towards both. 
test_verify_local_setup ‑ test_check_azure_providers_subprocess_error
test_verify_local_setup ‑ test_check_bicep_cli_case_insensitive_version
test_verify_local_setup ‑ test_check_bicep_cli_empty_version
test_verify_local_setup ‑ test_check_bicep_cli_uses_first_line_only
test_verify_local_setup ‑ test_check_bicep_cli_version_token_without_value
test_verify_local_setup ‑ test_check_jupyter_kernel_file_not_found
test_verify_local_setup ‑ test_check_jupyter_kernel_found
test_verify_local_setup ‑ test_check_jupyter_kernel_found_python3
test_verify_local_setup ‑ test_check_jupyter_kernel_not_found
test_verify_local_setup ‑ test_check_jupyter_kernel_subprocess_error
…

test_apimrequests ‑ test_multi_get_merges_custom_headers
test_apimrequests ‑ test_multi_request_custom_headers_do_not_affect_other_runs
test_apimrequests ‑ test_multi_request_merges_custom_headers
test_apimrequests ‑ test_single_request_merges_custom_headers
test_verify_local_setup ‑ test_check_azure_providers_subprocess_error[exception0]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[-unknown-True]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[BICEP VERSION 1.2.3\n-1.2.3-False]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[Bicep version-unknown-True]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[Welcome to Bicep CLI\nversion 9.9.9\n-unknown-True]
test_verify_local_setup ‑ test_check_jupyter_kernel_errors[exception0-Install Jupyter]
…

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Jan 29, 2026
edited
Loading

Python 3.13 Detailed Test Results

1 458 tests  +6   1 458 ✅ +6   14s ⏱️ -5s
    1 suites ±0       0 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit 309d543. ± Comparison against base commit ee33f72.

This pull request removes 15 and adds 21 tests. Note that renamed tests count towards both. 
test_verify_local_setup ‑ test_check_azure_providers_subprocess_error
test_verify_local_setup ‑ test_check_bicep_cli_case_insensitive_version
test_verify_local_setup ‑ test_check_bicep_cli_empty_version
test_verify_local_setup ‑ test_check_bicep_cli_uses_first_line_only
test_verify_local_setup ‑ test_check_bicep_cli_version_token_without_value
test_verify_local_setup ‑ test_check_jupyter_kernel_file_not_found
test_verify_local_setup ‑ test_check_jupyter_kernel_found
test_verify_local_setup ‑ test_check_jupyter_kernel_found_python3
test_verify_local_setup ‑ test_check_jupyter_kernel_not_found
test_verify_local_setup ‑ test_check_jupyter_kernel_subprocess_error
…

test_apimrequests ‑ test_multi_get_merges_custom_headers
test_apimrequests ‑ test_multi_request_custom_headers_do_not_affect_other_runs
test_apimrequests ‑ test_multi_request_merges_custom_headers
test_apimrequests ‑ test_single_request_merges_custom_headers
test_verify_local_setup ‑ test_check_azure_providers_subprocess_error[exception0]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[-unknown-True]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[BICEP VERSION 1.2.3\n-1.2.3-False]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[Bicep version-unknown-True]
test_verify_local_setup ‑ test_check_bicep_cli_version_parsing[Welcome to Bicep CLI\nversion 9.9.9\n-unknown-True]
test_verify_local_setup ‑ test_check_jupyter_kernel_errors[exception0-Install Jupyter]
…

♻️ This comment has been updated with latest results.

Copilot AI changed the title [WIP] Add specific Network Security Groups for Azure API Management and Container Apps Add specific NSGs for APIM and Container Apps with flow logs and Traffic Analytics Jan 29, 2026
Copilot AI requested a review from simonkurtz-MSFT January 29, 2026 17:07
@simonkurtz-MSFT simonkurtz-MSFT marked this pull request as ready for review January 29, 2026 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simonkurtz-MSFT simonkurtz-MSFT Awaiting requested review from simonkurtz-MSFT

Assignees

@simonkurtz-MSFT simonkurtz-MSFT

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature]: Azure API Management and Azure Container App subnets should have specific Network Security Groups

2 participants

@simonkurtz-MSFT