SOLVED

Access to App Services


Hi 

Trying to learn Azure :)
Have deployed a public WP website by App Service 
- In the Security Center - I have just 1 Red unhealthy resource (and like the green ones) - however, I don't quite understand the "recommendation" 

Access to App Services should be restricted

We recommend that you edit the inbound rules for app services with overly permissive network configuration.


I tried the various remediation steps - every time the App Stops and I, of course, want it to be accessible for everyone browsing on the Website?

Can anyone tell me what I need to do in order to get this "green"?  

    

1 Reply
Best Response confirmed by Taen keren (Super Contributor)
Solution

@Taen keren, in most scenarios you want your web app to be accessible from everywhere. In this case, it does not make sense to implement IP access restrictions. However, you might want to implement additional security by putting a Web Application Firewall in front of your Web App and restricting access to it only from the WAF IP.

 

You can/should also protect the Web App's deployment/management endpoint (.scm.azurewebsites.net, a.k.a. Kudu), to make it accessible only from the IP addresses that are trusted sources for deployments.

 

In any case, if you think you can't/don't want to improve your Web App security much more, then you can always dismiss the Security Center recommendation.
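
As an added example (not part of the original thread and not Azure's own tooling), this Python sketch models how the main-site and SCM restriction lists described in the reply decide whether a source IP gets through, and flags an endpoint any address can reach. Property names follow the ARM `siteConfig` schema; the rule names, documentation-range IPs and the simplified evaluation (IP/CIDR or `Any` rules only, priority order, first match wins, implicit deny once a rule exists) are assumptions of this example.

```python
import ipaddress

# Constructed siteConfig fragment; all addresses are documentation ranges.
SITE_CONFIG = {
    "ipSecurityRestrictions": [  # main site: only the WAF's public IP
        {"name": "waf-only", "ipAddress": "203.0.113.10/32",
         "action": "Allow", "priority": 100},
    ],
    "scmIpSecurityRestrictions": [  # Kudu: only trusted deployment sources
        {"name": "build-agents", "ipAddress": "198.51.100.0/24",
         "action": "Allow", "priority": 100},
    ],
    "scmIpSecurityRestrictionsUseMain": False,
}

def _rules(cfg, scm):
    """Pick the rule list that applies to the main site or the SCM (Kudu) site."""
    if scm and not cfg.get("scmIpSecurityRestrictionsUseMain", False):
        return cfg.get("scmIpSecurityRestrictions") or []
    return cfg.get("ipSecurityRestrictions") or []

def is_allowed(cfg, source_ip, scm=False):
    """Evaluate rules in ascending priority order; the first match decides."""
    rules = _rules(cfg, scm)
    if not rules:
        return True  # no rules configured: endpoint is open to everyone
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = rule["ipAddress"]
        if net == "Any" or src in ipaddress.ip_network(net, strict=False):
            return rule["action"] == "Allow"
    return False  # once any rule exists, unmatched traffic is denied

def findings(cfg):
    """Report endpoints that an arbitrary internet address can reach directly."""
    probe = "192.0.2.55"  # constructed address outside every allowed range
    out = []
    if is_allowed(cfg, probe):
        out.append("main site reachable from any IP (bypasses the WAF)")
    if is_allowed(cfg, probe, scm=True):
        out.append("SCM/Kudu site reachable from any IP")
    return out

if __name__ == "__main__":
    print(findings(SITE_CONFIG) or "both endpoints restricted")
```
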