Securing an App Service Environment (ASE)

Following on from my previous post about Network Security Groups, this post is about securing an App Service Environment (ASE). An Application Gateway with Web Application Firewall (WAF) is placed in front of the ASE to provide additional protection: the WAF inspects inbound HTTP(S) traffic and defends against the OWASP Top 10 threats. WAF on Application Gateway is based on Core Rule Set (CRS) 3.1, 3.0 or 2.2.9 from the Open Web Application Security Project (OWASP). The managed rule set is updated automatically to include protection against new vulnerabilities, with no additional configuration needed.

The aim of this post is to explain how to configure the ASE, the Application Gateway and the outbound firewall to control traffic flow. It does not cover the core setup of these resources, nor the deployment of specific Web Apps or Function Apps into the ASE.

External access can also be provided by an externally facing firewall that uses destination NAT to forward traffic to the frontend IP of the Application Gateway. With this design the Application Gateway never has to accept connections directly from the Internet, which is why its NSG below only admits private (RFC 1918) sources on port 443.

Figure 1, High level resource deployment

Figure 2, Traffic flow via Application Gateway

App Service Environment Setup

Logging

The ASE should be configured to forward its logs to a SIEM for monitoring and alerting, ideally the Log Analytics workspace used by Sentinel. This is achieved by adding a Diagnostic setting that sends the AppServiceEnvironmentPlatformLogs category to the appropriate Log Analytics workspace.

ASE Subnet

The following service endpoints need to be added to the subnet used by the ASE. Traffic to these services then goes from the subnet straight to the service over the Azure backbone rather than via the subnet's default route, so it is not inspected by the firewall; the service-tag rules in the NSG below are what restrict it.

  • Microsoft.EventHub
  • Microsoft.KeyVault
  • Microsoft.ServiceBus
  • Microsoft.SQL
  • Microsoft.Storage
  • Microsoft.Web

Network Security Group

A Network Security Group should be associated with the ASE subnet to restrict traffic to the minimum required sources and destinations. The tables below provide the core rules that should be applied to this NSG to enforce a 'deny by default' approach.

There are a few external outbound dependencies that are defined almost entirely by FQDN. These services do not have static addresses behind them, so a Network Security Group cannot be used to lock down the outbound traffic to them. One solution is a layer 7 firewall that controls outbound traffic by FQDN: an Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. The NSG therefore allows ports 80 and 443 to any destination (the HTTPS-OUT rule below) and relies on the route table to send that traffic through the firewall, where the FQDN filtering happens.

Inbound rules

Priority | Name                 | Port    | Protocol | Source               | Destination  | Action
101      | HTTPS_IN             | 443     | TCP      | [AppGateway Subnet]  | [ASE Subnet] | Allow
3001     | AppManagement_IN     | 454,455 | Any      | AppServiceManagement | [ASE Subnet] | Allow
3901     | Internal_IN          | Any     | Any      | [ASE Subnet]         | [ASE Subnet] | Allow
4094     | AzureLoadBalancer-IN | Any     | Any      | AzureLoadBalancer    | [ASE Subnet] | Allow
4096     | DENY_ALL_IN          | Any     | Any      | Any                  | Any          | Deny

Outbound rules

Priority | Name                   | Port   | Protocol | Source       | Destination    | Action
101      | HTTPS-OUT              | 80,443 | TCP      | [ASE Subnet] | Any            | Allow
3101     | Azure_SQL_OUT          | 1433   | Any      | [ASE Subnet] | Sql            | Allow
3102     | AzureSQLManagement_OUT | 1433   | Any      | [ASE Subnet] | SqlManagement  | Allow
3103     | Azure_Storage_OUT      | Any    | Any      | [ASE Subnet] | Storage        | Allow
3105     | Azure_EventHub_OUT     | Any    | Any      | [ASE Subnet] | EventHub       | Allow
3106     | NTP_OUT                | 123    | Any      | [ASE Subnet] | Any            | Allow
3107     | Monitoring_OUT         | 12000  | Any      | [ASE Subnet] | Any            | Allow
3901     | Internal_OUT           | Any    | Any      | [ASE Subnet] | 10.158.11.0/24 | Allow
4096     | DENY_ALL_OUT           | Any    | Any      | Any          | Any            | Deny

NSG Flow Logs

The NSG should be configured to save the NSG flow logs to a storage account. Ideally these logs should then be ingested by a SIEM tool.

Route Table

A route table needs to be associated with the ASE subnet so that Internet-bound traffic is forced through the firewall for inspection. The ASE is also managed from several inbound Microsoft endpoints, and the replies to those management connections must take the same path back; if they were sent through the firewall the session would be asymmetric and fail. A /32 route with a next hop of Internet is therefore created for each management IP address. This traffic does not actually leave the Azure fabric; the route simply keeps it off the firewall. The address list must be kept in line with Microsoft's published management addresses for the region.

Routes

The following routes need to be added to the route table to send Internet-bound traffic via the external firewall while keeping the Azure management traffic out of that path.

Name Address prefix Next hop
ASE-13.64.115.203 13.64.115.203/32 Internet
ASE-23.100.226.236 23.100.226.236/32 Internet
ASE-40.90.240.166 40.90.240.166/32 Internet
ASE-40.91.126.196 40.91.126.196/32 Internet
ASE-40.119.4.111 40.119.4.111/32 Internet
ASE-40.124.47.188 40.124.47.188/32 Internet
ASE-52.162.80.89 52.162.80.89/32 Internet
ASE-65.52.14.230 65.52.14.230/32 Internet
ASE-65.52.193.203 65.52.193.203/32 Internet
ASE-70.37.89.222 70.37.89.222/32 Internet
ASE-104.43.242.137 104.43.242.137/32 Internet
ASE-104.214.49.0 104.214.49.0/32 Internet
ASE-157.55.176.93 157.55.176.93/32 Internet
ASE-104.208.54.11 104.208.54.11/32 Internet
ASE-104.211.146.128 104.211.146.128/32 Internet
ASE-104.211.81.64 104.211.81.64/32 Internet
ASE-104.44.129.141 104.44.129.141/32 Internet
ASE-104.44.129.243 104.44.129.243/32 Internet
ASE-104.44.129.255 104.44.129.255/32 Internet
ASE-104.44.134.255 104.44.134.255/32 Internet
ASE-13.66.140.0 13.66.140.0/32 Internet
ASE-13.67.8.128 13.67.8.128/32 Internet
ASE-13.69.227.128 13.69.227.128/32 Internet
ASE-13.69.64.128 13.69.64.128/32 Internet
ASE-13.70.73.128 13.70.73.128/32 Internet
ASE-13.71.170.64 13.71.170.64/32 Internet
ASE-13.71.194.129 13.71.194.129/32 Internet
ASE-13.75.127.117 13.75.127.117/32 Internet
ASE-13.75.34.192 13.75.34.192/32 Internet
ASE-13.77.50.128 13.77.50.128/32 Internet
ASE-13.78.109.0 13.78.109.0/32 Internet
ASE-13.89.171.0 13.89.171.0/32 Internet
ASE-13.94.141.115 13.94.141.115/32 Internet
ASE-13.94.143.126 13.94.143.126/32 Internet
ASE-13.94.149.179 13.94.149.179/32 Internet
ASE-157.55.208.185 157.55.208.185/32 Internet
ASE-191.233.203.64 191.233.203.64/32 Internet
ASE-191.236.154.88 191.236.154.88/32 Internet
ASE-20.36.106.128 20.36.106.128/32 Internet
ASE-20.36.114.64 20.36.114.64/32 Internet
ASE-23.102.135.246 23.102.135.246/32 Internet
ASE-23.102.188.65 23.102.188.65/32 Internet
ASE-40.112.242.192 40.112.242.192/32 Internet
ASE-40.69.106.128 40.69.106.128/32 Internet
ASE-40.70.146.128 40.70.146.128/32 Internet
ASE-40.71.13.64 40.71.13.64/32 Internet
ASE-40.74.100.64 40.74.100.64/32 Internet
ASE-40.78.194.128 40.78.194.128/32 Internet
ASE-40.79.130.64 40.79.130.64/32 Internet
ASE-40.79.178.128 40.79.178.128/32 Internet
ASE-40.83.120.64 40.83.120.64/32 Internet
ASE-40.83.121.56 40.83.121.56/32 Internet
ASE-40.83.125.161 40.83.125.161/32 Internet
ASE-51.140.146.64 51.140.146.64/32 Internet
ASE-51.140.210.128 51.140.210.128/32 Internet
ASE-52.151.25.45 52.151.25.45/32 Internet
ASE-52.162.106.192 52.162.106.192/32 Internet
ASE-52.165.152.214 52.165.152.214/32 Internet
ASE-52.165.153.122 52.165.153.122/32 Internet
ASE-52.165.154.193 52.165.154.193/32 Internet
ASE-52.165.158.140 52.165.158.140/32 Internet
ASE-52.174.22.21 52.174.22.21/32 Internet
ASE-52.178.177.147 52.178.177.147/32 Internet
ASE-52.178.184.149 52.178.184.149/32 Internet
ASE-52.178.190.65 52.178.190.65/32 Internet
ASE-52.178.195.197 52.178.195.197/32 Internet
ASE-52.187.56.50 52.187.56.50/32 Internet
ASE-52.187.59.251 52.187.59.251/32 Internet
ASE-52.187.63.19 52.187.63.19/32 Internet
ASE-52.187.63.37 52.187.63.37/32 Internet
ASE-52.224.105.172 52.224.105.172/32 Internet
ASE-52.225.177.153 52.225.177.153/32 Internet
ASE-52.231.146.128 52.231.146.128/32 Internet
ASE-52.231.18.64 52.231.18.64/32 Internet
ASE-65.52.172.237 65.52.172.237/32 Internet
ASE-70.37.57.58 70.37.57.58/32 Internet
Default 0.0.0.0/0 [Firewall]
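As an added example (not code from the original post), the route table above can be modelled and generated rather than typed in by hand: each management address gets a /32 route with next hop Internet, 0.0.0.0/0 goes to the firewall, and Azure's longest-prefix match means the /32 entries win. The firewall address 10.158.1.4, the resource group and table names, and the fact that only a handful of the page's management prefixes are listed are assumptions of the example.

```python
#!/usr/bin/env python3
"""Model of the ASE subnet route table: each management IP gets a /32 route
with next hop 'Internet' (it stays on the Azure fabric but bypasses the
firewall), and everything else is forced to the firewall by 0.0.0.0/0.
Azure selects the longest matching prefix, so the /32 routes win."""
import ipaddress

FIREWALL_IP = "10.158.1.4"  # assumed private IP of the Azure Firewall; not on the page

# A subset of the management-endpoint /32s from the route table above. The
# full list follows the same pattern and must track Microsoft's published
# management addresses for the region.
MANAGEMENT_IPS = [
    "13.64.115.203", "23.100.226.236", "40.90.240.166",
    "52.162.80.89", "104.44.129.141", "70.37.57.58",
]


def build_routes(mgmt_ips, firewall_ip):
    """Return (prefix, next_hop_type, next_hop_ip) tuples for the route table.
    System routes (the VNet's own address space, service endpoints) are not
    modelled; they are also more specific than 0.0.0.0/0 and bypass the firewall."""
    routes = [(ipaddress.ip_network(f"{ip}/32"), "Internet", None) for ip in mgmt_ips]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "VirtualAppliance", firewall_ip))
    return routes


def next_hop(routes, dst):
    """Longest-prefix-match lookup, as the Azure fabric performs for a UDR."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop_type, hop_ip in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop_type, hop_ip)
    return (best[1], best[2]) if best else ("None", None)


def az_commands(routes, resource_group, table_name):
    """Emit the equivalent 'az network route-table route create' calls, one per
    route, so the long list of /32 entries does not have to be clicked in."""
    lines = []
    for prefix, hop_type, hop_ip in routes:
        name = "Default" if prefix.prefixlen == 0 else f"ASE-{prefix.network_address}"
        cmd = (f"az network route-table route create -g {resource_group} "
               f"--route-table-name {table_name} -n {name} "
               f"--address-prefix {prefix} --next-hop-type {hop_type}")
        if hop_ip:
            cmd += f" --next-hop-ip-address {hop_ip}"
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    routes = build_routes(MANAGEMENT_IPS, FIREWALL_IP)
    for dst in ("13.64.115.203", "203.0.113.10"):   # management IP vs. an arbitrary public host
        print(f"{dst} -> {next_hop(routes, dst)}")
    print("\n".join(az_commands(routes, "rg-ase", "rt-ase")))
```

The lookup shows the property the route table relies on: a management address resolves to the Internet next hop even though the default route points at the firewall, because the /32 is the longer match. Feed the full management list into MANAGEMENT_IPS and pipe the generated commands to a shell with a logged-in Azure CLI to build the table.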

Application Gateway Setup

The Application Gateway should be configured for end-to-end TLS, with the backend pool set to the internal load balancer IP address of the ASE. It needs to be a WAF-tier SKU with the Web Application Firewall enabled and set to Prevention mode, so that requests matching a rule are blocked rather than only logged. When a new rule set is introduced, run it in Detection mode against real traffic first to find false positives before switching to Prevention.

Logging

Logging should be configured on the Application Gateway, ideally to the Log Analytics workspace used by Sentinel. This is achieved by adding a Diagnostic setting that sends the following log categories to the appropriate Log Analytics workspace:

  • ApplicationGatewayAccessLog
  • ApplicationGatewayFirewallLog

Network Security Group

A Network Security Group should be associated with the Application Gateway subnet, with the following rules. Rule priorities must be unique within an NSG, so the health-probe rule cannot share 4096 with DENY_ALL_IN; it is given 3001 here. Ports 65200-65535 carry the Application Gateway infrastructure health probes and must remain reachable; on the v2 SKU the source of that rule should be the GatewayManager service tag rather than Internet.

Inbound rules

Priority | Name                | Port        | Protocol | Source                                   | Destination         | Action
101      | HTTPS_IN            | 443         | TCP      | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | [AppGateway Subnet] | Allow
3001     | AppGatewayHealth-IN | 65200-65535 | TCP      | Internet                                 | [AppGateway Subnet] | Allow
4096     | DENY_ALL_IN         | Any         | Any      | Any                                      | Any                 | Deny

Outbound rules

Priority | Name         | Port | Protocol | Source              | Destination         | Action
101      | HTTPS-OUT    | 443  | TCP      | [AppGateway Subnet] | [ASE Subnet]        | Allow
3901     | Internal_OUT | Any  | Any      | [AppGateway Subnet] | [AppGateway Subnet] | Allow
4096     | DENY_ALL_OUT | Any  | Any      | Any                 | Any                 | Deny
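Both rule sets on this page (the ASE subnet NSG earlier and this Application Gateway NSG) can be checked offline before they are applied. The following is an added example, not code from the original post: a first-match evaluator for NSG rules plus a lint pass for the deny-by-default invariants. The subnet prefixes 10.158.10.0/24 and 10.158.11.0/24 are assumptions standing in for the page's placeholders, service tags are treated as opaque labels rather than resolved to Microsoft's address ranges, and the health-probe rule is given priority 3001 because it cannot share 4096 with the deny-all rule.

```python
#!/usr/bin/env python3
"""First-match evaluator and lint pass for the deny-by-default NSG rule sets
on this page. Service tags (AppServiceManagement, AzureLoadBalancer, Internet,
Sql, ...) are opaque labels: a flow carries either an IP literal or a tag name."""
import ipaddress
from dataclasses import dataclass

# The page uses [ASE Subnet] / [AppGateway Subnet] placeholders; these prefixes
# are assumptions (10.158.11.0/24 is the prefix named in the Internal_OUT rule).
ASE_SUBNET = "10.158.11.0/24"
APPGW_SUBNET = "10.158.10.0/24"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = ("Any",)

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    ports: str       # "Any", "443", "454,455" or "65200-65535"
    protocol: str    # "Any", "TCP" or "UDP"
    source: tuple    # CIDRs and/or service-tag names
    dest: tuple
    action: str      # "Allow" or "Deny"

@dataclass(frozen=True)
class Flow:
    src: str         # IP literal or service-tag name
    dst: str
    port: int
    protocol: str

def _endpoint_matches(spec, endpoint):
    if "Any" in spec or endpoint in spec:      # wildcard, or a tag named by the rule
        return True
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        return False                            # a tag the rule does not name
    for entry in spec:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue                            # entry is a service tag, not a prefix
    return False

def _port_matches(spec, port):
    if spec == "Any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, flow):
    """(action, rule name) of the first match in priority order. Azure stops at the
    first hit; the explicit 4096 deny-all should make the fallthrough unreachable."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("Any", flow.protocol) and _port_matches(r.ports, flow.port)
                and _endpoint_matches(r.source, flow.src) and _endpoint_matches(r.dest, flow.dst)):
            return r.action, r.name
    return "Deny", "<platform default>"

def lint(rules):
    """Checks worth running before a rule set is applied."""
    problems = []
    if len({r.priority for r in rules}) != len(rules):
        problems.append("duplicate priorities (Azure rejects these)")
    last = max(rules, key=lambda r: r.priority)
    if last.action != "Deny" or last.ports != "Any" or "Any" not in last.source:
        problems.append("rule set does not end in an explicit deny-all")
    for r in rules:
        if r.action == "Allow" and r.ports == "Any" and "Any" in r.source and "Any" in r.dest:
            problems.append(f"{r.name}: allow any/any defeats deny-by-default")
    return problems

ASE_INBOUND = [
    Rule(101, "HTTPS_IN", "443", "TCP", (APPGW_SUBNET,), (ASE_SUBNET,), "Allow"),
    Rule(3001, "AppManagement_IN", "454,455", "Any", ("AppServiceManagement",), (ASE_SUBNET,), "Allow"),
    Rule(3901, "Internal_IN", "Any", "Any", (ASE_SUBNET,), (ASE_SUBNET,), "Allow"),
    Rule(4094, "AzureLoadBalancer-IN", "Any", "Any", ("AzureLoadBalancer",), (ASE_SUBNET,), "Allow"),
    Rule(4096, "DENY_ALL_IN", "Any", "Any", ANY, ANY, "Deny"),
]
ASE_OUTBOUND = [   # subset of the outbound table; the other service-tag rows have the same shape
    Rule(101, "HTTPS-OUT", "80,443", "TCP", (ASE_SUBNET,), ANY, "Allow"),
    Rule(3101, "Azure_SQL_OUT", "1433", "Any", (ASE_SUBNET,), ("Sql",), "Allow"),
    Rule(3103, "Azure_Storage_OUT", "Any", "Any", (ASE_SUBNET,), ("Storage",), "Allow"),
    Rule(4096, "DENY_ALL_OUT", "Any", "Any", ANY, ANY, "Deny"),
]
APPGW_INBOUND = [  # health-probe rule at 3001: it cannot share priority 4096 with the deny-all
    Rule(101, "HTTPS_IN", "443", "TCP", RFC1918, (APPGW_SUBNET,), "Allow"),
    Rule(3001, "AppGatewayHealth-IN", "65200-65535", "TCP", ("Internet",), (APPGW_SUBNET,), "Allow"),
    Rule(4096, "DENY_ALL_IN", "Any", "Any", ANY, ANY, "Deny"),
]

if __name__ == "__main__":
    for label, rules in (("ASE in", ASE_INBOUND), ("ASE out", ASE_OUTBOUND), ("AppGW in", APPGW_INBOUND)):
        print(label, "lint:", lint(rules) or "ok")
    print(evaluate(ASE_INBOUND, Flow("10.158.10.5", "10.158.11.5", 443, "TCP")))  # via App Gateway
    print(evaluate(ASE_INBOUND, Flow("203.0.113.7", "10.158.11.5", 443, "TCP")))  # direct from Internet
```

The evaluator makes the intent of the tables concrete: port 443 reaches the ASE only from the Application Gateway subnet, a connection straight from a public address falls through to DENY_ALL_IN, and outbound 443 to an arbitrary host is allowed by the NSG precisely because the route table hands it to the firewall for FQDN filtering. The lint pass catches the two mistakes that are easiest to make in the portal: duplicate priorities and a rule set that never ends in an explicit deny.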

NSG Flow Logs

The NSG should be configured to save the NSG flow logs to a storage account. Ideally these logs should then be ingested by a SIEM tool.

Firewall Setup

To permit the required access to externally hosted services for the ASE, the following rules need to be added to a firewall; the details given here are for an Azure Firewall. For the equivalent rules on other firewall types, see Appendix I.

Application rule collection

A new Application rule collection needs to be created to allow access to the following FQDN tags, which cover the endpoints needed to manage the ASE.

FQDN tags

Name       | Source type | Source       | FQDN tags
AppService | IP Address  | [ASE Subnet] | WindowsUpdate, AppServiceEnvironment

Network rule Collection

A new Network rule collection needs to be created, which gives the ASE access to NTP and to Azure Monitor. Port 12000 corresponds to the Monitoring_OUT rule in the ASE NSG above.

IP Addresses

Name       | Protocol | Source type | Source       | Destination type | Destination | Port(s)
NTP        | Any      | IP Address  | [ASE Subnet] | IP Address       | *           | 123
NTP-Issues | Any      | IP Address  | [ASE Subnet] | IP Address       | *           | 12000

Service Tags

Name         | Protocol | Source type | Source       | Service Tag(s) | Port(s)
AzureMonitor | TCP      | IP Address  | [ASE Subnet] | AzureMonitor   | 81,443,12000

 
