As a developer, you want to ensure your Azure Linux Web App is secure. To do this, you need to understand the security essentials that come with hosting your app on Azure.
Firewalls are enabled by default on Azure Linux Web Apps, blocking incoming traffic from the internet and only allowing traffic from Azure's internal network. This helps prevent unauthorized access to your app.
Regular security updates are essential to keep your app and underlying operating system secure. Azure Linux Web Apps automatically receive security updates, ensuring your app stays up-to-date and secure.
To further enhance security, Azure recommends using a private IP address for your web app, which helps to restrict access to your app and reduce the attack surface.
Azure Linux Web App Security Basics
Securing your Azure Linux web app is crucial to protect it from potential threats. To do this, you need to secure three types of traffic: inbound request traffic, inbound publishing traffic, and outbound calls made from your app.
To secure inbound request traffic, use a WAF-enabled Application Gateway with Service Endpoints. This will help block malicious traffic before it reaches your app.
Securing inbound publishing traffic involves using a build agent with service endpoints on the publishing endpoint. This ensures that only authorized traffic reaches your app.
Outbound calls from your app can be secured using VNet Integration and an Azure Firewall. This will help prevent unauthorized data from being sent from your app.
Here are the steps to secure your Azure Linux web app:
- Inbound request traffic: Use a WAF-enabled Application Gateway with Service Endpoints.
- Inbound publishing traffic: Use a build agent with service endpoints on the publishing endpoint.
- Outbound calls: Use VNet Integration and an Azure Firewall.
Make sure to have a VNet in the same region as your web app to secure your inbound traffic. If you don't have a VNet, create one following the instructions for Creating an Azure Virtual Network.
To set up the VNet, Application Gateway, and Service Endpoints, follow these steps:
- Create an Azure Virtual Network (VNet).
- Create an Application Gateway.
- Enable Service Endpoints to your web app.
- Add a custom domain name for your app that points to your Application Gateway.
Remember to enable Web Application Firewall (WAF) support on your Application Gateway for added security.
When connecting to Azure resources, such as SQL Database and Azure Storage, make sure to encrypt your connection. If your app is hosted in an App Service environment, use Virtual Network service endpoints to connect to supported Azure services.
Securing Inbound Traffic
To secure inbound traffic to your Azure Linux web app, you'll need to create an Azure Virtual Network (VNet). This VNet should be in the same region as your web app and will serve as the foundation for securing your inbound traffic.
A VNet is a virtual network that connects your resources together, providing a secure and isolated environment for your web app. To create a VNet, you can follow the instructions in the Azure documentation on creating an Azure Virtual Network.
Once you have your VNet set up, create an Application Gateway. An Application Gateway is a load balancer that distributes traffic to your web app and provides additional security features.
Next, enable Service Endpoints for your web app, following the Azure documentation on creating an Application Gateway and enabling Service Endpoints. Service Endpoints allow you to secure traffic to your web app by only allowing traffic from within your VNet.
Here's a summary of the steps to secure inbound traffic:
- Create an Azure Virtual Network (VNet) in the same region as your web app
- Create an Application Gateway
- Enable Service Endpoints for your web app
- Add a custom domain name for your app that points to your Application Gateway
By following these steps, you can help secure your inbound traffic and protect your Azure Linux web app from potential security threats.
Securing Outbound Traffic
Securing outbound traffic is crucial for Azure Linux Web App security. To do this, use the regional VNet Integration feature. This feature enables you to make calls into your VNet and have all outbound traffic subject to Network Security Groups (NSGs) and route tables with user-defined routes (UDRs).
With NSGs you can restrict outbound traffic to address blocks of your choosing, and with UDRs you can route traffic as you see fit. If you route the outbound traffic to an Azure Firewall device, you can restrict your outbound internet traffic to only the FQDNs you want it to reach.
Two settings ensure that all of your outbound traffic is affected by the NSGs and UDRs on your integration subnet:
- Set the application setting WEBSITE_VNET_ROUTE_ALL to 1. This is especially important if you're going to a private address, such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
- Route the outbound traffic to an Azure Firewall device.
By enabling VNet Integration in this way, you gain more control over your outbound traffic and can prevent unauthorized access. This is a simple yet effective way to secure your Azure Linux Web App's outbound traffic.
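The following is an added example, not code from the page or from Microsoft. It models how the three controls just described interact for a single outbound call: the NSG on the integration subnet (evaluated lowest priority number first, first match wins, with Azure's three built-in outbound rules appended), a user-defined route that sends 0.0.0.0/0 to the Azure Firewall, and the WEBSITE_VNET_ROUTE_ALL setting. It assumes the documented default of regional VNet Integration, under which only RFC1918 destinations are routed into the VNet unless route-all is set; the VNet range, firewall address, rules and routes are constructed sample data, and the Internet service tag is simplified to "anything outside the VNet".

```python
# Added example (not code from the page or from Microsoft): a small model of
# how the integration subnet's outbound NSG rules, a user-defined route to an
# Azure Firewall and the WEBSITE_VNET_ROUTE_ALL app setting together decide
# what an outbound call from the app can reach. All addresses, rules and
# routes are constructed sample data.
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # lower numbers are evaluated first; first match wins
    access: str        # "Allow" or "Deny"
    destination: str   # CIDR, or the service tag "VirtualNetwork" / "Internet"


@dataclass(frozen=True)
class Route:
    prefix: str        # CIDR the route covers
    next_hop: str      # "VirtualAppliance", "Internet", "VnetLocal", ...
    next_hop_ip: str = ""


# The built-in outbound rules every NSG carries, with the priorities Azure assigns.
AZURE_DEFAULT_OUTBOUND = [
    NsgRule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    NsgRule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    NsgRule("DenyAllOutBound", 65500, "Deny", "0.0.0.0/0"),
]


def _rule_matches(rule, dest, vnet):
    if rule.destination == "VirtualNetwork":
        return dest in vnet
    if rule.destination == "Internet":
        return dest not in vnet  # simplification of the Internet service tag
    return dest in ipaddress.ip_network(rule.destination)


def evaluate_nsg(custom_rules, dest, vnet):
    """Return (allowed, deciding_rule) for a destination. NSGs match the real
    destination address, not the next hop a route later picks."""
    for rule in sorted(list(custom_rules) + AZURE_DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if _rule_matches(rule, dest, vnet):
            return rule.access == "Allow", rule.name
    return False, "implicit-deny"


def next_hop(routes, dest, vnet):
    """Longest-prefix match; a UDR beats a system route of the same length."""
    system_routes = [Route(str(vnet), "VnetLocal"), Route("0.0.0.0/0", "Internet")]
    best = None
    for route in list(routes) + system_routes:
        net = ipaddress.ip_network(route.prefix)
        if dest in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = route
    return best


def outbound_decision(app_settings, nsg_rules, routes, dest_ip, vnet="10.1.0.0/16"):
    """Describe the path an outbound call to dest_ip takes and whether it is allowed."""
    vnet_net = ipaddress.ip_network(vnet)
    dest = ipaddress.ip_address(dest_ip)
    route_all = app_settings.get("WEBSITE_VNET_ROUTE_ALL") == "1"
    # Assumption (documented default of regional VNet Integration): without
    # route-all only RFC1918 destinations enter the integration subnet; everything
    # else leaves the app directly and never meets the NSG or the route table.
    if not route_all and not any(dest in n for n in RFC1918):
        return {"path": "direct", "allowed": True, "rule": None, "next_hop": "Internet"}
    allowed, rule = evaluate_nsg(nsg_rules, dest, vnet_net)
    hop = next_hop(routes, dest, vnet_net)
    hop_desc = hop.next_hop + (f" {hop.next_hop_ip}" if hop.next_hop_ip else "")
    return {"path": "integration-subnet", "allowed": allowed, "rule": rule, "next_hop": hop_desc}


# Constructed sample: block one address range outright in the NSG and send all
# remaining traffic to the firewall, which then allows only the FQDNs you list.
FIREWALL_IP = "10.1.2.4"
SAMPLE_RULES = [NsgRule("DenyBlockedRange", 100, "Deny", "203.0.113.0/24")]
SAMPLE_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP)]

if __name__ == "__main__":
    for settings in ({}, {"WEBSITE_VNET_ROUTE_ALL": "1"}):
        for ip in ("13.107.21.200", "203.0.113.10", "10.1.5.5"):
            print(settings, ip, outbound_decision(settings, SAMPLE_RULES, SAMPLE_ROUTES, ip))
```

Running it shows the point of the route-all setting: with the setting absent, the call to the public address takes the "direct" path and is never seen by the NSG or the firewall route, while with WEBSITE_VNET_ROUTE_ALL set to 1 the same call is evaluated by the NSG and then handed to the firewall, and the blocked range is denied outright.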
DDoS Protection
DDoS protection is crucial for safeguarding against emerging DDoS attacks.
Azure DDoS protection is highly recommended for web workloads.
Deploying a web application firewall alongside Azure DDoS protection is a solid option.
Another option is to use Azure Front Door with a web application firewall for platform-level protection against network-level DDoS attacks.
Security Configuration
To secure your Azure Linux web app, you'll want to focus on securing inbound request traffic, inbound publishing traffic, and outbound calls made from your app. This means using a WAF-enabled Application Gateway with Service Endpoints to secure inbound request traffic, a build agent with service endpoints on the publishing endpoint to secure inbound publishing traffic, and VNet Integration and an Azure Firewall to secure outbound traffic.
Securing inbound publishing traffic is also crucial, as it involves uploading your web app content to your App Service instance. To do this securely, you can use Access Restrictions to secure traffic to the publishing endpoint for your app, or use service endpoints to secure traffic from a jump box being used to publish.
To protect your app in a publicly accessible App Service Environment (ASE), you can choose between Azure Application Gateway and NGINX Plus with the NGINX ModSecurity WAF module. Both options provide strong protection against common web vulnerabilities and exploits, but NGINX Plus offers additional features such as URL rewriting and redirecting, connection and rate limits, and HTTP/2 and WebSocket support.
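The following is an added example, not code from the page or from Microsoft. It is an offline audit over the JSON that `az webapp show`, `az webapp config show` and `az webapp config appsettings list` print, reporting whether the request, publishing and outbound controls described in this section are actually switched on for an app. The field names (httpsOnly, minTlsVersion, ipSecurityRestrictions, scmIpSecurityRestrictions, scmIpSecurityRestrictionsUseMain, vnetRouteAllEnabled, ftpsState) are assumed to follow the App Service CLI output schema as the author of this example knows it; the two sample documents are constructed, one for a freshly created app and one for an app locked down as described, and the subnet resource IDs in them are placeholders.

```python
# Added example (not code from the page or from Microsoft): an offline check over
# the JSON that `az webapp show`, `az webapp config show` and
# `az webapp config appsettings list` print. Assumption: the field names follow
# the App Service CLI output schema as I know it; the sample documents below
# are constructed and the subnet IDs are placeholders.
import json
import sys


def _is_open(restrictions):
    """True when no rule other than the platform's own 'Any' entry exists, i.e.
    the endpoint still accepts traffic from everywhere."""
    return not [r for r in restrictions if r.get("ipAddress") != "Any"]


def audit_webapp(site, config, app_settings):
    """Return a list of findings; an empty list means every checked control is on."""
    findings = []
    if not site.get("httpsOnly", False):
        findings.append("httpsOnly is off: plain-HTTP requests are served instead of redirected")
    tls = config.get("minTlsVersion", "1.0")
    if tls < "1.2":
        findings.append(f"minTlsVersion is {tls}: require TLS 1.2 or later")
    if _is_open(config.get("ipSecurityRestrictions", [])):
        findings.append("main site has no access restriction: requests need not come via the gateway or service endpoint")
    if not config.get("scmIpSecurityRestrictionsUseMain", False) and _is_open(config.get("scmIpSecurityRestrictions", [])):
        findings.append("publishing (SCM) endpoint has no access restriction: publishing is reachable from anywhere")
    settings = {s["name"]: s["value"] for s in app_settings}
    if not (config.get("vnetRouteAllEnabled") or settings.get("WEBSITE_VNET_ROUTE_ALL") == "1"):
        findings.append("route-all is off: internet-bound outbound traffic bypasses the integration subnet's NSG and UDRs")
    if config.get("ftpsState", "AllAllowed") == "AllAllowed":
        findings.append("ftpsState is AllAllowed: unencrypted FTP publishing is enabled")
    return findings


# Constructed sample 1: a freshly created app with default settings.
DEFAULT_ALLOW_ALL = {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"}
WEAK_SITE = {"httpsOnly": False}
WEAK_CONFIG = {
    "minTlsVersion": "1.0",
    "ipSecurityRestrictions": [DEFAULT_ALLOW_ALL],
    "scmIpSecurityRestrictions": [DEFAULT_ALLOW_ALL],
    "scmIpSecurityRestrictionsUseMain": False,
    "vnetRouteAllEnabled": False,
    "ftpsState": "AllAllowed",
}
WEAK_SETTINGS = []

# Constructed sample 2: the app locked down as this section describes
# (service-endpoint rules from the gateway subnet and the build-agent subnet).
SUBNET_PREFIX = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/"
HARDENED_SITE = {"httpsOnly": True}
HARDENED_CONFIG = {
    "minTlsVersion": "1.2",
    "ipSecurityRestrictions": [
        {"vnetSubnetResourceId": SUBNET_PREFIX + "GatewaySubnet", "action": "Allow", "priority": 100, "name": "allow-appgw"},
        {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"},
    ],
    "scmIpSecurityRestrictions": [
        {"vnetSubnetResourceId": SUBNET_PREFIX + "build-agents", "action": "Allow", "priority": 100, "name": "allow-build-agent"},
        {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"},
    ],
    "scmIpSecurityRestrictionsUseMain": False,
    "vnetRouteAllEnabled": True,
    "ftpsState": "Disabled",
}
HARDENED_SETTINGS = [{"name": "WEBSITE_VNET_ROUTE_ALL", "value": "1", "slotSetting": False}]

if __name__ == "__main__":
    # usage: python audit.py site.json config.json appsettings.json
    # (without arguments the constructed weak sample is audited)
    if len(sys.argv) == 4:
        docs = [json.load(open(p, encoding="utf-8")) for p in sys.argv[1:]]
    else:
        docs = (WEAK_SITE, WEAK_CONFIG, WEAK_SETTINGS)
    for finding in audit_webapp(*docs) or ["no findings"]:
        print("-", finding)
```

The SCM check is the one most often missed: access restrictions on the main site do not cover the publishing endpoint unless scmIpSecurityRestrictionsUseMain is set or the SCM list has its own rules, which is exactly the gap the build-agent service endpoint closes.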
Alternate Configuration
In this section, we'll explore some alternative configurations for securing your web app. One option is to use Private Endpoints instead of Service Endpoints. This involves creating a Private Endpoint in a subnet other than the GatewaySubnet and configuring it against your app.
Private Endpoints offer a great solution as they also host the HTTPS publishing endpoint for your app. However, keep in mind that when you add Private Endpoints to your app, it's no longer accessible from the internet. Traffic to your app must only go through the private endpoints on your app.
Another alternative is to use Azure Front Door (AFD) with your app. This requires setting an IP address access restriction to secure your app to only being accessible through AFD. Additionally, there are some changes coming soon that will enable you to lock down your app to specific AFD profiles.
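The following is an added example, not code from the page or from Microsoft. It shows the application-side half of locking an app to one Front Door profile: a WSGI middleware that refuses requests whose X-Azure-FDID header does not carry the expected profile ID. It assumes the documented Front Door behaviour of stamping that header on every request it forwards, uses a placeholder for the profile ID, and is meant to sit behind the IP address access restriction described above rather than replace it, because the header alone can be supplied by any client that can still reach the app directly.

```python
# Added example (not code from the page or from Microsoft): a WSGI middleware
# that only admits requests carrying the expected Azure Front Door profile ID
# in the X-Azure-FDID header. The ID below is a placeholder.
import hmac

EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"  # placeholder: your Front Door profile ID


class FrontDoorOnly:
    """Reject any request whose X-Azure-FDID does not match the expected profile."""

    def __init__(self, app, expected_fdid=EXPECTED_FDID):
        self.app = app
        self.expected_fdid = expected_fdid

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME> with '-' turned into '_'.
        presented = environ.get("HTTP_X_AZURE_FDID", "")
        # Constant-time comparison so the check does not leak the ID byte by byte.
        if not hmac.compare_digest(presented.encode(), self.expected_fdid.encode()):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access is not allowed; use the Front Door endpoint\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Placeholder application standing in for your real web app."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from behind Front Door\n"]


def run_request(app, headers):
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# What a WSGI server such as gunicorn would load.
application = FrontDoorOnly(hello_app)

if __name__ == "__main__":
    print(run_request(application, {"X-Azure-FDID": EXPECTED_FDID}))
    print(run_request(application, {}))
```

Wrap your real WSGI application the same way as hello_app, and keep the IP restriction in place: the middleware tells apart traffic from your Front Door profile and traffic from other Front Door profiles, which the service-tag restriction alone cannot do.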
Build Kits
Build Kits are a great way to configure your systems securely. You can easily configure your systems in accordance with a CIS Benchmark, which provides a standardized framework for securing systems.
Having a standardized framework can save you a lot of time and effort in the long run. This is especially true if you're managing multiple systems or working with a team.
By using Build Kits, you can ensure that your systems are configured consistently and securely. This can help prevent common security mistakes and reduce the risk of security breaches.
In addition to saving time, Build Kits can also help you maintain compliance with security standards and regulations. This can be especially important if you're working in a regulated industry or handling sensitive data.
Securing Access
Azure App Service provides two mechanisms for authenticating against a back-end service: service identity and on-behalf-of (OBO). Service identity lets you sign in to the remote resource using the identity of the app itself, while OBO gives you delegated access to remote resources on behalf of the signed-in user.
Implementing OAuth 2.0 on an App Service is straightforward and enhances your application's security: adding an auth_settings block to the azurerm_app_service resource enables authentication.
To deploy OAuth 2.0 with Google on the App Service, configure the Google authentication provider with its client ID in that auth_settings block of your Terraform code. App Service then fetches an access token at login and passes it to the web application as a header.
Azure App Service manages almost everything for us, including fetching the access token at login and passing it to the web application as a header. All we have to do is query Google's servers for the data, sending the access token in the request headers.
The authentication and authorization module in Azure App Service handles web requests before handing them off to your application code, and it denies unauthorized requests before they reach your code.
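The following is an added example, not code from the page or from Microsoft. It shows the application side of what this section describes: reading the identity and the Google access token that the authentication module injects into each request, and building the call to Google's userinfo endpoint with that token. It assumes the documented App Service header names (X-MS-CLIENT-PRINCIPAL, X-MS-CLIENT-PRINCIPAL-NAME, X-MS-TOKEN-GOOGLE-ACCESS-TOKEN) and the documented shape of X-MS-CLIENT-PRINCIPAL (base64-encoded JSON with an auth_typ field and a claims list); the request environ and the token value are constructed, and the Google request is only built, not sent, so the example runs offline.

```python
# Added example (not code from the page or from Microsoft): reading the
# identity and Google access token that the App Service authentication module
# injects into each request. Assumption: the documented header names and the
# documented base64-JSON shape of X-MS-CLIENT-PRINCIPAL; the sample request
# below is constructed.
import base64
import json
import urllib.request

GOOGLE_USERINFO = "https://www.googleapis.com/oauth2/v3/userinfo"


def _header(environ, name):
    """Look up a request header in a WSGI environ (HTTP_<NAME>, '-' becomes '_')."""
    return environ.get("HTTP_" + name.upper().replace("-", "_"))


def identity_from_request(environ):
    """Return the caller's identity as the platform asserted it, or None when
    no principal header is present. The module strips these headers from
    incoming requests and sets them itself, which is why the app can trust
    them only while authentication is enabled on the app."""
    raw = _header(environ, "X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return None
    principal = json.loads(base64.b64decode(raw))
    claims = {c["typ"]: c["val"] for c in principal.get("claims", [])}
    return {
        "provider": principal.get("auth_typ"),
        "name": _header(environ, "X-MS-CLIENT-PRINCIPAL-NAME"),
        "claims": claims,
        "google_access_token": _header(environ, "X-MS-TOKEN-GOOGLE-ACCESS-TOKEN"),
    }


def build_userinfo_request(access_token):
    """Google expects the token as a bearer token in the Authorization header."""
    req = urllib.request.Request(GOOGLE_USERINFO)
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def handle(environ):
    """Minimal request handler: (status, message) for the caller."""
    ident = identity_from_request(environ)
    if ident is None or ident["provider"] != "google":
        return 401, "no platform-asserted Google identity"
    if not ident["google_access_token"]:
        return 403, "no Google access token for this session"
    req = build_userinfo_request(ident["google_access_token"])
    # In the real app: profile = json.load(urllib.request.urlopen(req)).
    # Here the call is only described so the example stays offline.
    return 200, f"would call {req.full_url} as {ident['name']}"


# Constructed request, in the shape App Service produces after a Google login.
SAMPLE_PRINCIPAL = base64.b64encode(json.dumps({
    "auth_typ": "google",
    "name_typ": "name",
    "claims": [{"typ": "name", "val": "Ada Lovelace"}, {"typ": "email", "val": "ada@example.com"}],
}).encode()).decode()
SAMPLE_ENVIRON = {
    "HTTP_X_MS_CLIENT_PRINCIPAL": SAMPLE_PRINCIPAL,
    "HTTP_X_MS_CLIENT_PRINCIPAL_NAME": "ada@example.com",
    "HTTP_X_MS_TOKEN_GOOGLE_ACCESS_TOKEN": "ya29.constructed-sample-token",
}

if __name__ == "__main__":
    print(handle(SAMPLE_ENVIRON))
    print(handle({}))
```

The 401 branch matters when the module is configured to allow anonymous requests through to the code: in that mode a request can legitimately arrive without any principal header, and the app has to make the decision itself instead of assuming the module already did.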
HTTPS and Certificates
HTTPS and Certificates are crucial for securing your Azure Linux Web App. You can secure your app with HTTPS by configuring a custom domain, which requires a TLS/SSL certificate.
The good news is that App Service supports several types of certificates, including a free managed certificate. This certificate is automatically issued and renewed by App Service, making it a convenient option.
To ensure your custom domain is secure, you should use a TLS/SSL certificate. You have several options, including App Service certificates, third-party certificates, and certificates imported from Azure Key Vault.
Here are the types of certificates supported by App Service:
- Free App Service Managed Certificate
- App Service certificate
- Third-party certificate
- Certificate imported from Azure Key Vault
By securing your custom domain with a TLS/SSL certificate, you can ensure that client browsers can make secured HTTPS connections to your app.
Security Features
Azure Linux web app security is a top priority, and for good reason. With so many potential threats lurking online, it's essential to have robust security features in place to protect your app.
One key feature is the Web Application Firewall (WAF), which sits between your app and end users, protecting against common attacks like cross-site scripting and SQL injection.
To secure inbound request traffic to your app, use a WAF-enabled Application Gateway with Service Endpoints. This will help block malicious traffic before it even reaches your app.
Securing inbound publishing traffic to your app requires a build agent with service endpoints on the publishing endpoint. This ensures that only authorized traffic can reach your app.
Outbound calls made from your app can be secured using VNet Integration and an Azure Firewall. This will help prevent unauthorized access to external resources.
Having a WAF-enabled Application Gateway with Service Endpoints is a great starting point for securing your Azure Linux web app. By implementing these security features, you can rest assured that your app is well-protected against potential threats.
Azure and On-Premises Resources
Azure and On-Premises Resources are connected securely through three methods. You can establish a point-to-point connection to your remote resource through a TCP tunnel using Hybrid connections.
This connection is established using TLS 1.2 with shared access signature (SAS) keys. You can also connect to on-premises resources like other resources in the Virtual Network through Virtual Network integration with site-to-site VPN or App Service environment with site-to-site VPN.
To make secure connections, always use encrypted connections even if the back-end resource allows unencrypted connections. You can find the outbound IP addresses for your app at Inbound and outbound IP addresses in Azure App Service.
Azure Resources
Azure resources are a crucial part of your app's infrastructure, and understanding how they work can help you keep your data secure.
Azure resources, such as SQL Database and Azure Storage, stay within Azure's network boundaries when your app connects to them, so you don't have to worry about data crossing any network boundaries. However, always make sure your connection is encrypted.
If your app is hosted in an App Service environment, it's recommended to connect to supported Azure services using Virtual Network service endpoints.
Azure provides a range of features to help you manage your resources, including resource groups, which allow you to group your resources in a logical manner. This helps you keep track of your resources and make it easier to manage them.
On-Premises Resources
Accessing on-premises resources can be a bit tricky, but don't worry, it's definitely doable. You can securely connect to on-premises resources like databases in three ways.
One of the ways is through hybrid connections, which establish a point-to-point connection to your remote resource through a TCP tunnel using TLS 1.2 with shared access signature (SAS) keys.
To connect to on-premises resources, you can also use Virtual Network integration with site-to-site VPN. This is similar to connecting to resources inside an Azure Virtual Network, but your Virtual Network is connected to your on-premises network through a site-to-site VPN.
Another option is to use an App Service environment with site-to-site VPN, which is also similar to connecting to resources inside an Azure Virtual Network, but with the added benefit of connecting to your on-premises network.
Keep in mind that for all these options, you should make sure your back-end Azure service allows the minimum set of IP addresses, and that your connection is encrypted.
Sources
- https://azure.github.io/AppService/2020/08/14/zero_to_hero_pt6.html
- https://www.f5.com/company/blog/nginx/securing-applications-microsoft-azure-app-service-nginx-plus
- https://www.cisecurity.org/cis-benchmarks
- https://security.theodo.com/en/blog/secure-azure-appservice
- https://learn.microsoft.com/en-us/azure/app-service/overview-security