Following on from my previous post about Network Security Groups, this post is about securing an App Service Environment (ASE). An Application Gateway with Web Application Firewall (WAF) is placed in front of the ASE to provide additional protection: it inspects inbound HTTP(S) traffic and provides a defence against the OWASP top 10 threat categories. WAF on Application Gateway is based on Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP). The managed rule sets are updated by Microsoft to include protection against new vulnerabilities, with no additional configuration needed.
The aim of this post is to explain how to configure the ASE, the Application Gateway and the outbound firewall to control traffic flow. It does not describe the core setup and configuration of these resources, nor the deployment of specific Web Apps or Function Apps.
External access can also be provided by an externally facing firewall that uses destination NAT to forward traffic to the private front-end IP address of the Application Gateway.
Figure 1, High level resource deployment
Figure 2, Traffic flow via Application Gateway
App Service Environment Setup
Logging
The ASE should be configured to send its platform logs to the SIEM used for monitoring and alerting, ideally the Log Analytics workspace used by Sentinel. This is achieved by adding a new Diagnostic setting on the ASE which sends the AppServiceEnvironmentPlatformLogs category to the appropriate Log Analytics workspace.
ASE Subnet
The following service endpoints need to be added to the subnet used by the ASE. Note that a service endpoint inserts a route for the service's address prefixes that takes precedence over the 0.0.0.0/0 user-defined route, so traffic to these services does not pass through the firewall; the service-tag rules in the NSG below are the control point for that traffic.
- Microsoft.EventHub
- Microsoft.KeyVault
- Microsoft.ServiceBus
- Microsoft.SQL
- Microsoft.Storage
- Microsoft.Web
Network Security Group
A Network Security Group is to be associated with the ASE subnet to restrict traffic to only the minimum required sources and destinations. The tables below provide the core rules which should be applied to this NSG to ensure a 'Deny by Default' approach. NSGs are stateful, so return traffic for an allowed flow does not need its own rule.
There are a few external outbound dependencies that are defined almost entirely by FQDNs. These services do not have static addresses behind them, so Network Security Groups cannot be used to lock down the outbound traffic to them. One solution is a layer 7 firewall that controls outbound traffic based on FQDNs: an Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination, and its AppServiceEnvironment FQDN tag covers the ASE management dependencies.
Inbound rules
Priority | Name | Port | Protocol | Source | Destination | Action |
101 | HTTPS_IN | 443 | TCP | [AppGateway Subnet] | [ASE Subnet] | Allow |
3001 | AppManagement_IN | 454,455 | Any | AppServiceManagement | [ASE Subnet] | Allow |
3901 | Internal_IN | Any | Any | [ASE Subnet] | [ASE Subnet] | Allow |
4094 | AzureLoadBalancer-IN | Any | Any | AzureLoadBalancer | [ASE Subnet] | Allow |
4096 | DENY_ALL_IN | Any | Any | Any | Any | Deny |
Outbound rules
Priority | Name | Port | Protocol | Source | Destination | Action |
101 | HTTPS-OUT | 80,443 | TCP | [ASE Subnet] | Any | Allow |
3101 | Azure_SQL_OUT | 1433 | Any | [ASE Subnet] | Sql | Allow |
3102 | AzureSQLManagement_OUT | 1433 | Any | [ASE Subnet] | SqlManagement | Allow |
3103 | Azure_Storage_OUT | Any | Any | [ASE Subnet] | Storage | Allow |
3105 | Azure_EventHub_OUT | Any | Any | [ASE Subnet] | EventHub | Allow |
3106 | NTP_OUT | 123 | Any | [ASE Subnet] | Any | Allow |
3107 | Monitoring_OUT | 12000 | Any | [ASE Subnet] | Any | Allow |
3901 | Internal_OUT | Any | Any | [ASE Subnet] | [ASE Subnet] | Allow |
4096 | DENY_ALL_OUT | Any | Any | Any | Any | Deny |
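The subnet service endpoints and the two NSG rule tables above, expressed as a Bicep template. This is an added example and not code from the original post; the VNet and subnet names, the Application Gateway subnet prefix, the resource names and the API versions are assumptions, and the rule rows are the tables above transcribed one per line.

```bicep
// Added example, not code from the original post: the ASE subnet with its
// service endpoints and the deny-by-default NSG from the tables above.
// VNet/subnet names, the App Gateway prefix and API versions are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-ase'                 // assumed: existing VNet
param aseSubnetName string = 'snet-ase'            // assumed
param aseSubnetPrefix string = '10.158.11.0/24'    // [ASE Subnet]
param appGwSubnetPrefix string = '10.158.10.0/24'  // [AppGateway Subnet], assumed

// Service endpoints required on the ASE subnet.
var serviceEndpoints = [
  'Microsoft.EventHub'
  'Microsoft.KeyVault'
  'Microsoft.ServiceBus'
  'Microsoft.SQL'
  'Microsoft.Storage'
  'Microsoft.Web'
]

// One row per NSG rule. proto '*' means "Any"; ports ['*'] means "Any".
// Service tags (AppServiceManagement, Sql, Storage, ...) are valid address prefixes.
var nsgRules = [
  { name: 'HTTPS_IN', pri: 101, dir: 'Inbound', access: 'Allow', proto: 'Tcp', src: appGwSubnetPrefix, dst: aseSubnetPrefix, ports: ['443'] }
  { name: 'AppManagement_IN', pri: 3001, dir: 'Inbound', access: 'Allow', proto: '*', src: 'AppServiceManagement', dst: aseSubnetPrefix, ports: ['454', '455'] }
  { name: 'Internal_IN', pri: 3901, dir: 'Inbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: aseSubnetPrefix, ports: ['*'] }
  { name: 'AzureLoadBalancer-IN', pri: 4094, dir: 'Inbound', access: 'Allow', proto: '*', src: 'AzureLoadBalancer', dst: aseSubnetPrefix, ports: ['*'] }
  { name: 'DENY_ALL_IN', pri: 4096, dir: 'Inbound', access: 'Deny', proto: '*', src: '*', dst: '*', ports: ['*'] }
  { name: 'HTTPS-OUT', pri: 101, dir: 'Outbound', access: 'Allow', proto: 'Tcp', src: aseSubnetPrefix, dst: '*', ports: ['80', '443'] }
  { name: 'Azure_SQL_OUT', pri: 3101, dir: 'Outbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: 'Sql', ports: ['1433'] }
  { name: 'AzureSQLManagement_OUT', pri: 3102, dir: 'Outbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: 'SqlManagement', ports: ['1433'] }
  { name: 'Azure_Storage_OUT', pri: 3103, dir: 'Outbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: 'Storage', ports: ['*'] }
  { name: 'Azure_EventHub_OUT', pri: 3105, dir: 'Outbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: 'EventHub', ports: ['*'] }
  { name: 'NTP_OUT', pri: 3106, dir: 'Outbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: '*', ports: ['123'] }
  { name: 'Monitoring_OUT', pri: 3107, dir: 'Outbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: '*', ports: ['12000'] }
  { name: 'Internal_OUT', pri: 3901, dir: 'Outbound', access: 'Allow', proto: '*', src: aseSubnetPrefix, dst: aseSubnetPrefix, ports: ['*'] }
  { name: 'DENY_ALL_OUT', pri: 4096, dir: 'Outbound', access: 'Deny', proto: '*', src: '*', dst: '*', ports: ['*'] }
]

resource aseNsg 'Microsoft.Network/networkSecurityGroups@2021-05-01' = {
  name: 'nsg-ase'
  location: location
  properties: {
    securityRules: [for r in nsgRules: {
      name: r.name
      properties: {
        priority: r.pri
        direction: r.dir
        access: r.access
        protocol: r.proto
        sourceAddressPrefix: r.src
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        // A single port, a range or '*' uses the singular property; a list uses the plural one.
        // The unused property is set to null, which omits it from the deployed rule.
        destinationPortRange: length(r.ports) == 1 ? r.ports[0] : null
        destinationPortRanges: length(r.ports) > 1 ? r.ports : null
      }
    }]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
  name: vnetName
}

resource aseSubnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = {
  parent: vnet
  name: aseSubnetName
  properties: {
    addressPrefix: aseSubnetPrefix
    serviceEndpoints: [for svc in serviceEndpoints: { service: svc }]
    networkSecurityGroup: { id: aseNsg.id }
  }
}
```

Deploying a subnet resource replaces its existing properties, so if the subnet already has a route table attached, add the `routeTable: { id: ... }` property to the same subnet resource rather than deploying the two separately. The same pattern, with its own rule rows, serves for the Application Gateway NSG described later in the post.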
NSG Flow Logs
The NSG should be configured to save the NSG flow logs to a storage account. Ideally these logs should then be ingested by a SIEM tool.
Route Table
A route table needs to be associated with the ASE subnet so that external traffic is inspected by a firewall. An ASE also has several inbound management dependencies: the App Service management addresses connect into the ASE on ports 454 and 455. Routes for these management IP addresses must send the reply traffic directly (next hop Internet) rather than via the firewall; otherwise the replies take a different path from the requests (asymmetric routing) and the management connections fail. This traffic does not actually leave the Azure fabric, it simply is not routed via the firewall.
Routes
The following routes need to be added to the route table to send internet-bound traffic via the external firewall and to keep the ASE management traffic on a direct path, avoiding a routing loop for Azure services. The /32 routes are more specific than the 0.0.0.0/0 default, so they take precedence. The management address list changes over time, so check the current list in the ASE documentation before deploying.
Name | Address prefix | Next hop |
ASE-13.64.115.203 | 13.64.115.203/32 | Internet |
ASE-23.100.226.236 | 23.100.226.236/32 | Internet |
ASE-40.90.240.166 | 40.90.240.166/32 | Internet |
ASE-40.91.126.196 | 40.91.126.196/32 | Internet |
ASE-40.119.4.111 | 40.119.4.111/32 | Internet |
ASE-40.124.47.188 | 40.124.47.188/32 | Internet |
ASE-52.162.80.89 | 52.162.80.89/32 | Internet |
ASE-65.52.14.230 | 65.52.14.230/32 | Internet |
ASE-65.52.193.203 | 65.52.193.203/32 | Internet |
ASE-70.37.89.222 | 70.37.89.222/32 | Internet |
ASE-104.43.242.137 | 104.43.242.137/32 | Internet |
ASE-104.214.49.0 | 104.214.49.0/32 | Internet |
ASE-157.55.176.93 | 157.55.176.93/32 | Internet |
ASE-104.208.54.11 | 104.208.54.11/32 | Internet |
ASE-104.211.146.128 | 104.211.146.128/32 | Internet |
ASE-104.211.81.64 | 104.211.81.64/32 | Internet |
ASE-104.44.129.141 | 104.44.129.141/32 | Internet |
ASE-104.44.129.243 | 104.44.129.243/32 | Internet |
ASE-104.44.129.255 | 104.44.129.255/32 | Internet |
ASE-104.44.134.255 | 104.44.134.255/32 | Internet |
ASE-13.66.140.0 | 13.66.140.0/32 | Internet |
ASE-13.67.8.128 | 13.67.8.128/32 | Internet |
ASE-13.69.227.128 | 13.69.227.128/32 | Internet |
ASE-13.69.64.128 | 13.69.64.128/32 | Internet |
ASE-13.70.73.128 | 13.70.73.128/32 | Internet |
ASE-13.71.170.64 | 13.71.170.64/32 | Internet |
ASE-13.71.194.129 | 13.71.194.129/32 | Internet |
ASE-13.75.127.117 | 13.75.127.117/32 | Internet |
ASE-13.75.34.192 | 13.75.34.192/32 | Internet |
ASE-13.77.50.128 | 13.77.50.128/32 | Internet |
ASE-13.78.109.0 | 13.78.109.0/32 | Internet |
ASE-13.89.171.0 | 13.89.171.0/32 | Internet |
ASE-13.94.141.115 | 13.94.141.115/32 | Internet |
ASE-13.94.143.126 | 13.94.143.126/32 | Internet |
ASE-13.94.149.179 | 13.94.149.179/32 | Internet |
ASE-157.55.208.185 | 157.55.208.185/32 | Internet |
ASE-191.233.203.64 | 191.233.203.64/32 | Internet |
ASE-191.236.154.88 | 191.236.154.88/32 | Internet |
ASE-20.36.106.128 | 20.36.106.128/32 | Internet |
ASE-20.36.114.64 | 20.36.114.64/32 | Internet |
ASE-23.102.135.246 | 23.102.135.246/32 | Internet |
ASE-23.102.188.65 | 23.102.188.65/32 | Internet |
ASE-40.112.242.192 | 40.112.242.192/32 | Internet |
ASE-40.69.106.128 | 40.69.106.128/32 | Internet |
ASE-40.70.146.128 | 40.70.146.128/32 | Internet |
ASE-40.71.13.64 | 40.71.13.64/32 | Internet |
ASE-40.74.100.64 | 40.74.100.64/32 | Internet |
ASE-40.78.194.128 | 40.78.194.128/32 | Internet |
ASE-40.79.130.64 | 40.79.130.64/32 | Internet |
ASE-40.79.178.128 | 40.79.178.128/32 | Internet |
ASE-40.83.120.64 | 40.83.120.64/32 | Internet |
ASE-40.83.121.56 | 40.83.121.56/32 | Internet |
ASE-40.83.125.161 | 40.83.125.161/32 | Internet |
ASE-51.140.146.64 | 51.140.146.64/32 | Internet |
ASE-51.140.210.128 | 51.140.210.128/32 | Internet |
ASE-52.151.25.45 | 52.151.25.45/32 | Internet |
ASE-52.162.106.192 | 52.162.106.192/32 | Internet |
ASE-52.165.152.214 | 52.165.152.214/32 | Internet |
ASE-52.165.153.122 | 52.165.153.122/32 | Internet |
ASE-52.165.154.193 | 52.165.154.193/32 | Internet |
ASE-52.165.158.140 | 52.165.158.140/32 | Internet |
ASE-52.174.22.21 | 52.174.22.21/32 | Internet |
ASE-52.178.177.147 | 52.178.177.147/32 | Internet |
ASE-52.178.184.149 | 52.178.184.149/32 | Internet |
ASE-52.178.190.65 | 52.178.190.65/32 | Internet |
ASE-52.178.195.197 | 52.178.195.197/32 | Internet |
ASE-52.187.56.50 | 52.187.56.50/32 | Internet |
ASE-52.187.59.251 | 52.187.59.251/32 | Internet |
ASE-52.187.63.19 | 52.187.63.19/32 | Internet |
ASE-52.187.63.37 | 52.187.63.37/32 | Internet |
ASE-52.224.105.172 | 52.224.105.172/32 | Internet |
ASE-52.225.177.153 | 52.225.177.153/32 | Internet |
ASE-52.231.146.128 | 52.231.146.128/32 | Internet |
ASE-52.231.18.64 | 52.231.18.64/32 | Internet |
ASE-65.52.172.237 | 65.52.172.237/32 | Internet |
ASE-70.37.57.58 | 70.37.57.58/32 | Internet |
Default | 0.0.0.0/0 | [Firewall] |
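The route table above as a Bicep template, added here as an example and not taken from the original post. The management /32 routes are generated from an address list so that the full table does not have to be typed out by hand; only the first entries are shown and the rest are the values listed above. The firewall private IP, the route table name and the API version are assumptions.

```bicep
// Added example, not code from the original post: the ASE route table.
// Management /32s get next hop Internet so their replies follow the same path
// as the inbound management connection; everything else goes to the firewall.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.158.0.4' // assumed: private IP of the Azure Firewall ([Firewall])

// First entries of the management address list from the table above;
// append the remaining addresses from that table.
param aseManagementIps array = [
  '13.64.115.203'
  '23.100.226.236'
  '40.90.240.166'
  '40.91.126.196'
  '40.119.4.111'
]

// One host route per management address, named as in the table above.
var managementRoutes = [for ip in aseManagementIps: {
  name: 'ASE-${ip}'
  properties: {
    addressPrefix: '${ip}/32'
    nextHopType: 'Internet'
  }
}]

// Catch-all: anything not matched by a more specific route is forced through the firewall.
var defaultRoute = [
  {
    name: 'Default'
    properties: {
      addressPrefix: '0.0.0.0/0'
      nextHopType: 'VirtualAppliance'
      nextHopIpAddress: firewallPrivateIp
    }
  }
]

resource aseRouteTable 'Microsoft.Network/routeTables@2021-05-01' = {
  name: 'rt-ase'
  location: location
  properties: {
    routes: concat(managementRoutes, defaultRoute)
  }
}

// Attach this to the ASE subnet via its routeTable property.
output routeTableId string = aseRouteTable.id
```

Because the management list is a parameter, updating the route table when Microsoft publishes new management addresses is a parameter change rather than an edit to the template.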
Application Gateway Setup
The Application Gateway should be configured for end-to-end encryption (TLS terminated on the listener and re-encrypted to the backend), with the backend pool being the internal load balancer IP address of the ASE. This Application Gateway needs to be a WAF tier with the Web Application Firewall (WAF) enabled in Prevention mode, so that matching requests are blocked rather than only logged.
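A WAF policy implementing the settings above (OWASP CRS 3.1, Prevention mode) as a Bicep template. This is an added example and not code from the original post: it uses the stand-alone WAF policy resource that a WAF_v2 gateway references through its firewallPolicy property, rather than the gateway's inline webApplicationFirewallConfiguration, and the policy name, body-size limits and API version are assumptions.

```bicep
// Added example, not code from the original post: a WAF policy for the
// Application Gateway in front of the ASE. Name and limits are assumptions.
param location string = resourceGroup().location
param wafPolicyName string = 'waf-ase'

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-05-01' = {
  name: wafPolicyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      // 'Detection' only logs matching requests; 'Prevention' blocks them.
      mode: 'Prevention'
      // Inspect request bodies too, not just headers and query strings.
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          // OWASP Core Rule Set 3.1, as referenced in the introduction.
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.1'
        }
      ]
    }
  }
}

// Reference from the gateway: firewallPolicy: { id: wafPolicyId }
output wafPolicyId string = wafPolicy.id
```

On the gateway itself the matching settings are `sku: { name: 'WAF_v2', tier: 'WAF_v2' }` and `firewallPolicy: { id: wafPolicy.id }`; end-to-end encryption is the backend HTTP settings using protocol Https towards the ILB address with the ASE certificate's issuer in trustedRootCertificates. When first switching a policy from Detection to Prevention, review the ApplicationGatewayFirewallLog for false positives against legitimate application traffic.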
Logging
Logging should be configured on the Application Gateway, ideally to the Log Analytics workspace used by Sentinel. This is achieved by adding a new Diagnostic setting which sends the following log categories to the appropriate Log Analytics workspace.
- ApplicationGatewayAccessLog
- ApplicationGatewayFirewallLog
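The diagnostic settings for both the ASE (described in the ASE Logging section above) and the Application Gateway, as a single Bicep template. This is an added example and not code from the original post; the ASE, gateway and setting names and the API versions are assumptions, and the template must be deployed into the resource group containing both resources.

```bicep
// Added example, not code from the original post: Diagnostic settings that send
// the ASE platform logs and the Application Gateway access and firewall logs to
// the Log Analytics workspace used by Sentinel. Resource names are assumptions.
param aseName string = 'ase-prod'          // assumed
param appGatewayName string = 'agw-ase'    // assumed
param workspaceId string                   // resource ID of the Sentinel workspace

resource ase 'Microsoft.Web/hostingEnvironments@2021-02-01' existing = {
  name: aseName
}

resource appGateway 'Microsoft.Network/applicationGateways@2021-05-01' existing = {
  name: appGatewayName
}

// ASE: only the platform log category exists.
resource aseDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-to-sentinel'
  scope: ase
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'AppServiceEnvironmentPlatformLogs', enabled: true }
    ]
  }
}

// Application Gateway: access log for every request, firewall log for WAF matches.
resource appGatewayDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-to-sentinel'
  scope: appGateway
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'ApplicationGatewayAccessLog', enabled: true }
      { category: 'ApplicationGatewayFirewallLog', enabled: true }
    ]
  }
}
```

After deployment, confirm data is arriving before relying on it for alerting: the ASE logs appear in the AppServiceEnvironmentPlatformLogs table, while the Application Gateway categories land in the AzureDiagnostics table with the category name in the Category column.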
Network Security Group
A Network Security Group should be associated with the Application Gateway subnet, with the following rules. Two points to check before applying them: every rule in an NSG must have a unique priority, so the infrastructure health rule cannot share priority 4096 with the deny-all rule; and the ports 65200-65535 are the v2 SKU infrastructure ports (the v1 SKU uses 65503-65534), for which the GatewayManager service tag can be used as the source instead of Internet. The Application Gateway documentation also states that outbound Internet connectivity from the gateway subnet cannot be blocked, so validate the gateway's provisioning state and backend health after the outbound deny-all rule is applied.
Inbound rules
Priority | Name | Port | Protocol | Source | Destination | Action |
101 | HTTPS_IN | 443 | TCP | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | [AppGateway Subnet] | Allow |
3001 | AppGatewayHealth-IN | 65200-65535 | TCP | Internet | [AppGateway Subnet] | Allow |
4096 | DENY_ALL_IN | Any | Any | Any | Any | Deny |
Outbound rules
Priority | Name | Port | Protocol | Source | Destination | Action |
101 | HTTPS-OUT | 443 | TCP | [AppGateway Subnet] | [ASE Subnet] | Allow |
3901 | Internal_OUT | Any | Any | [AppGateway Subnet] | [AppGateway Subnet] | Allow |
4096 | DENY_ALL_OUT | Any | Any | Any | Any | Deny |
NSG Flow Logs
The NSG should be configured to save the NSG flow logs to a storage account. Ideally these logs should then be ingested by a SIEM tool.
Firewall Setup
To permit the required access from the ASE to externally hosted services, the following rules need to be added to a firewall device; the details included here are for an Azure Firewall. For the rules needed for other firewall types, please see Appendix I.
Application rule collection
A new Application rule collection needs to be created, to provide access to the following FQDN tags, in order to permit the management of the ASE.
FQDN tags
Name | Source type | Source | FQDN tags |
AppService | IP Address | [ASE Subnet] | WindowsUpdate AppServiceEnvironment |
Network rule Collection
A new Network rule collection needs to be created, which provides the ASE with access to NTP, the port 12000 monitoring channel and the Azure Monitor service.
IP Addresses
Name | Protocol | Source Type | Source | Destination Type | Destination | Port(s) |
NTP | Any | IP Address | [ASE Subnet] | IP Address | * | 123 |
NTP-Issues | Any | IP Address | [ASE Subnet] | IP Address | * | 12000 |
Service Tags
Name | Protocol | Source type | Source | Service Tag(s) | Port(s) |
AzureMonitor | TCP | IP Address | [ASE Subnet] | AzureMonitor | 81,443,12000 |
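The application and network rule collections above as a Bicep template for an Azure Firewall using classic rules (not Firewall Policy). This is an added example and not code from the original post; the firewall name, the AzureFirewallSubnet and public IP references, the collection names and priorities and the API version are assumptions. Azure Firewall denies anything not explicitly allowed, so these collections are the complete outbound allow list for the ASE subnet.

```bicep
// Added example, not code from the original post: the Azure Firewall rule
// collections from the tables above. Names, subnet/public IP references and
// API version are assumptions.
param location string = resourceGroup().location
param aseSubnetPrefix string = '10.158.11.0/24'  // [ASE Subnet]
param firewallSubnetId string                    // subnet must be named AzureFirewallSubnet
param firewallPublicIpId string                  // Standard SKU static public IP

resource firewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Alert'
    ipConfigurations: [
      {
        name: 'ipconfig'
        properties: {
          subnet: { id: firewallSubnetId }
          publicIPAddress: { id: firewallPublicIpId }
        }
      }
    ]
    // Layer 7: FQDN-tag rules cover the ASE management and Windows Update
    // dependencies that have no static addresses. Tag rules are HTTP/HTTPS only.
    applicationRuleCollections: [
      {
        name: 'AppService'
        properties: {
          priority: 100
          action: { type: 'Allow' }
          rules: [
            {
              name: 'AppService'
              sourceAddresses: [aseSubnetPrefix]
              fqdnTags: ['WindowsUpdate', 'AppServiceEnvironment']
            }
          ]
        }
      }
    ]
    // Layer 3/4: NTP, the port 12000 monitoring channel and Azure Monitor
    // (destination given as a service tag).
    networkRuleCollections: [
      {
        name: 'ASE-Outbound'
        properties: {
          priority: 100
          action: { type: 'Allow' }
          rules: [
            { name: 'NTP', protocols: ['Any'], sourceAddresses: [aseSubnetPrefix], destinationAddresses: ['*'], destinationPorts: ['123'] }
            { name: 'NTP-Issues', protocols: ['Any'], sourceAddresses: [aseSubnetPrefix], destinationAddresses: ['*'], destinationPorts: ['12000'] }
            { name: 'AzureMonitor', protocols: ['TCP'], sourceAddresses: [aseSubnetPrefix], destinationAddresses: ['AzureMonitor'], destinationPorts: ['81', '443', '12000'] }
          ]
        }
      }
    ]
  }
}

// Use this as the next hop of the 0.0.0.0/0 route on the ASE subnet.
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
```

Enable the AzureFirewallApplicationRule and AzureFirewallNetworkRule diagnostic categories on the firewall as well, so that denied outbound connections from the ASE are visible alongside the NSG flow logs when an app loses access to a dependency.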