diff --git a/deploy/bicep/main.bicep b/deploy/bicep/main.bicep
index c32e2e8..2808121 100644
--- a/deploy/bicep/main.bicep
+++ b/deploy/bicep/main.bicep
@@ -15,14 +15,30 @@ param sqlServerName string = 'sql-${uniqueSuffix}'
 param sqlDatabaseName string = 'reddog'
 param sqlAdminLogin string = 'reddog'
 param sqlAdminLoginPassword string = take(newGuid(), 16)
+param virtualNetworkName string = 'containerapps-${uniqueString(uniqueSeed)}'
+param subnetName string = 'containerapps-${uniqueString(uniqueSeed)}'
+
+module vnetModule 'modules/vnet.bicep' = {
+  name: '${deployment().name}--containerAppsVnet'
+  params: {
+    location: location
+    virtualNetworkName: virtualNetworkName
+    subnetName: subnetName
+  }
+}
 
 module containerAppsEnvModule 'modules/capps-env.bicep' = {
   name: '${deployment().name}--containerAppsEnv'
+  dependsOn: [
+    vnetModule
+  ]
   params: {
     location: location
     containerAppsEnvName: containerAppsEnvName
     logAnalyticsWorkspaceName: logAnalyticsWorkspaceName
     appInsightsName: appInsightsName
+    virtualNetworkName: virtualNetworkName
+    subnetName: subnetName
   }
 }
 
@@ -54,10 +70,15 @@ module cosmosModule 'modules/cosmos.bicep' = {
 
 module storageModule 'modules/storage.bicep' = {
   name: '${deployment().name}--storage'
+  dependsOn: [
+    vnetModule
+  ]
   params: {
     storageAccountName: storageAccountName
     blobContainerName: blobContainerName
     location: location
+    virtualNetworkName: virtualNetworkName
+    subnetName: subnetName
   }
 }
 
diff --git a/deploy/bicep/modules/capps-env.bicep b/deploy/bicep/modules/capps-env.bicep
index fe1e10c..510c2c9 100644
--- a/deploy/bicep/modules/capps-env.bicep
+++ b/deploy/bicep/modules/capps-env.bicep
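Review bot: The new vnetModule already exposes `subnet1ResourceId`, yet both consuming modules receive only `virtualNetworkName`/`subnetName` plus an explicit `dependsOn`, and each rebuilds the subnet id from an `existing` lookup and string concatenation. Passing the output instead — `subnetId: vnetModule.outputs.subnet1ResourceId` — gives Bicep an implicit dependency, lets the `dependsOn` arrays go, and removes the duplicated `existing` virtualNetwork resources in the first hunks of capps-env.bicep and storage.bicep, so the subnet id has a single source of truth. The same applies to the storageModule hunk below in this file. The two new `param` defaults are the identical string `'containerapps-${uniqueString(uniqueSeed)}'` for both the VNet and the subnet, which is legal but easy to confuse when reading the portal; distinct prefixes such as `'vnet-'`/`'snet-'` would help.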
@@ -2,6 +2,12 @@ param containerAppsEnvName string
 param logAnalyticsWorkspaceName string
 param appInsightsName string
 param location string
+param virtualNetworkName string
+param subnetName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-08-01' existing = {
+  name: virtualNetworkName
+}
 
 resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-03-01-preview' = {
   name: logAnalyticsWorkspaceName
@@ -21,7 +27,7 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02-preview' = {
   name: appInsightsName
   location: location
   kind: 'web'
-  properties: {
+  properties: {
     Application_Type: 'web'
   }
 }
@@ -38,6 +44,10 @@ resource containerAppsEnv 'Microsoft.App/managedEnvironments@2022-01-01-preview'
         sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
       }
     }
+    vnetConfiguration: {
+      infrastructureSubnetId: '${virtualNetwork.id}/subnets/${subnetName}'
+      internal: false
+    }
   }
 }
 
diff --git a/deploy/bicep/modules/sqlserver.bicep b/deploy/bicep/modules/sqlserver.bicep
index 5d765c2..cf0b516 100644
--- a/deploy/bicep/modules/sqlserver.bicep
+++ b/deploy/bicep/modules/sqlserver.bicep
@@ -10,6 +10,7 @@ resource sqlserver 'Microsoft.Sql/servers@2021-05-01-preview' = {
   properties: {
     administratorLogin: sqlAdminLogin
     administratorLoginPassword: sqlAdminLoginPassword
+    minimalTlsVersion: '1.2'
   }
 }
 
diff --git a/deploy/bicep/modules/storage.bicep b/deploy/bicep/modules/storage.bicep
index b0ebc97..f1b5a8c 100644
--- a/deploy/bicep/modules/storage.bicep
+++ b/deploy/bicep/modules/storage.bicep
@@ -1,6 +1,12 @@
 param storageAccountName string
 param blobContainerName string
 param location string
+param virtualNetworkName string
+param subnetName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-08-01' existing = {
+  name: virtualNetworkName
+}
 
 resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
   name: storageAccountName
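Review bot: `internal: false` in the new vnetConfiguration block keeps the environment's ingress on a public endpoint, so this change places the infrastructure in the VNet but does not make the apps private; that is a reasonable default, but it deserves to be an explicit choice rather than a literal. I would expose it as `param internalOnly bool = false` in this module (and from main.bicep) and write `internal: internalOnly`, with a comment that an internal environment is reachable only from the VNet and typically needs private DNS wiring for its default domain. `infrastructureSubnetId` is built by string concatenation from the `existing` virtualNetwork; taking the id from vnet.bicep's `subnet1ResourceId` output would let Bicep validate the reference instead. The containerAppsEnv resource starts before this hunk.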
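Review bot: `minimalTlsVersion: '1.2'` hardens the transport, but the server's network exposure is untouched: no `publicNetworkAccess` is set and, unlike the storage account in this same commit, nothing restricts the SQL endpoint to the new Container Apps subnet (whether a firewall rule exists is outside this hunk). For consistency with storage.bicep, a `virtualNetworkRules` child scoped to the subnet, plus `Microsoft.Sql` added to the subnet's `serviceEndpoints` in vnet.bicep, would apply the same subnet-only policy; `publicNetworkAccess: 'Disabled'` is a different design, since it requires a private endpoint rather than service endpoints. The sqlserver resource starts before this hunk, and the module would need the same `virtualNetworkName`/`subnetName` params and `existing` lookup that storage.bicep gains in this commit.
```bicep
// … unchanged: sqlserver resource …
resource sqlVnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2021-05-01-preview' = {
  parent: sqlserver
  name: 'containerapps' // constructed sample name
  properties: {
    virtualNetworkSubnetId: '${virtualNetwork.id}/subnets/${subnetName}'
    ignoreMissingVnetServiceEndpoint: false
  }
}
```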
@@ -9,6 +15,24 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
   sku: {
     name: 'Standard_LRS'
   }
+  properties: {
+    minimumTlsVersion: 'TLS1_2'
+    publicNetworkAccess: 'Enabled'
+    allowBlobPublicAccess: false
+    supportsHttpsTrafficOnly: true
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Deny'
+      ipRules: []
+      resourceAccessRules: []
+      virtualNetworkRules: [
+        {
+          action: 'Allow'
+          id: '${virtualNetwork.id}/subnets/${subnetName}'
+        }
+      ]
+    }
+  }
 }
 
 resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-06-01' = {
diff --git a/deploy/bicep/modules/vnet.bicep b/deploy/bicep/modules/vnet.bicep
new file mode 100644
index 0000000..231ae22
--- /dev/null
+++ b/deploy/bicep/modules/vnet.bicep
@@ -0,0 +1,34 @@
+param virtualNetworkName string
+param subnetName string
+param location string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-08-01' = {
+  name: virtualNetworkName
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.0.0.0/16'
+      ]
+    }
+    subnets: [
+      {
+        name: subnetName
+        properties: {
+          addressPrefix: '10.0.0.0/23'
+          serviceEndpoints: [
+            {
+              service: 'Microsoft.Storage'
+            }
+          ]
+        }
+      }
+    ]
+  }
+
+  resource subnet1 'subnets' existing = {
+    name: subnetName
+  }
+}
+
+output subnet1ResourceId string = virtualNetwork::subnet1.id
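Review bot: `publicNetworkAccess: 'Enabled'` sitting a few lines above `defaultAction: 'Deny'` reads like a contradiction and is likely to be "fixed" by the next reader; add a comment such as `// 'Enabled' is required for the service-endpoint VNet rule below; networkAcls denies everything else` so the intent survives. `bypass: 'AzureServices'` admits the trusted-services list as a whole, which is broad for an account that otherwise only accepts the Container Apps subnet — `'None'` would be tighter if no Azure service actually needs data-plane access, though that cannot be judged from this diff. `allowSharedKeyAccess` is left at its default, so account keys remain a valid data-plane credential; if the apps authenticate with managed identity, `allowSharedKeyAccess: false` would close that path, but how they connect is not visible here. The storageAccount resource starts before this hunk.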
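Review bot: `'10.0.0.0/16'` and `'10.0.0.0/23'` are hard-coded, so the VNet cannot be peered or re-addressed without editing the module; promote them to `param vnetAddressPrefix string = '10.0.0.0/16'` and `param subnetAddressPrefix string = '10.0.0.0/23'` and reference them on the two literal lines (the defaults keep today's behaviour). The `serviceEndpoints` list carries only `Microsoft.Storage`, which is exactly what storage.bicep's VNet rule needs; any other service later restricted to this subnet (SQL, for instance) must have its endpoint added here first, and a comment on the list saying so would prevent a confusing deployment failure. `subnet1ResourceId` is exported but nothing in this commit consumes it — the consumers rebuild the id from the names instead — so either wire it through from main.bicep or drop the `existing` child and the output.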