Securing an App Service Environment (ASE)

Following on from my previous post about Network Security Groups, this post is about securing an App Service Environment. An Application Gateway with Web Application Firewall (WAF) is also included to provide additional protection by providing the Web Application Gateway functionality. This works by inspecting the traffic and providing defence against the OWASP top 10 threats. WAF on Application Gateway is based on
Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP). The WAF automatically updates to include protection against new vulnerabilities, with no additional configuration needed.

The aim of this post is to explain how to configure the ASE, Application Gateway, and Outbound Firewall to control traffic flow. It is not designed to describe the core setup and configuration of these resources, nor is it designed to describe the deployment of specific Web App Services or Function Apps.

External access can also be facilitated by using an externally facing firewall, which can use NAT to redirect traffic to the front-end interface of the Application Gateway.

Figure 1, High level resource deployment


Figure 2, Traffic flow via Application Gateway

Application Service Environment Setup

Logging

The ASE should be configured to save any logs and send these to a SIEM tool for monitoring and alerting. Ideally this would be to the Log Analytics Workspace used by Sentinel. This is achieved by adding a new Diagnostic setting which is configured to send the AppServiceEnvironmentPlatformLogs to an appropriate Log Analytics Workspace.

ASE Subnet

The following service endpoints need to be added to the subnet used by the ASE.

  • Microsoft.EventHub
  • Microsoft.KeyVault
  • Microsoft.ServiceBus
  • Microsoft.SQL
  • Microsoft.Storage
  • Microsoft.Web

Network Security Group

A Network Security Group to be associated with the ASE subnet to restrict traffic to only the minimum required sources and destinations. The tables below provide the core rules which should be applied to this NSG to assure a ‘Deny by Default’ approach.

There are a few external, outbound dependencies that are almost entirely defined with FQDNs. These services do not have a static addresses behind them, as a result Network Security Groups cannot be used to lock down the outbound traffic. One solution to securing outbound addresses to these endpoints, would be to use a layer 7 firewall device. This firewall can then control outbound traffic based on FQDNs. An Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination.

Inbound rules

PriorityNamePortProtocolSourceDestinationAction
101HTTPS_IN443TCP[AppGateway Subnet][ASE Subnet]Allow
3001AppManagement_IN454,455AnyAppServiceManagement[ASE Subnet]Allow
3901Internal_INAnyAny[ASE Subnet][ASE Subnet]Allow
4094AzureLoadBalancer-INAnyAnyAzureLoadBalancer[ASE Subnet]Allow
4096DENY_ALL_INAnyAnyAnyAnyDeny

Outbound rules

PriorityNamePortProtocolSourceDestinationAction
101HTTPS-OUT80,443TCP[ASE Subnet]AnyAllow
3101Azure_SQL_OUT1433Any[ASE Subnet]SqlAllow
3102AzureSQLManagement_OUT1433Any[ASE Subnet]SqlManagementAllow
3103Azure_Storage_OUTAnyAny[ASE Subnet]StorageAllow
3105Azure_EventHub_OUTAnyAny[ASE Subnet]EventHubAllow
3106NTP_OUT123Any[ASE Subnet]AnyAllow
3107Monitoring_OUT12000Any[ASE Subnet]AnyAllow
3901Internal_OUTAnyAny[ASE Subnet]10.158.11.0/24Allow
4096DENY_ALL_OUTAnyAnyAnyAnyDeny

NSG Flow Logs

The NSG should be configured to save the NSG flow logs to a storage account. Ideally these logs should then be ingested by a SIEM tool.

Route Table

A route table needs to be associated with the ASE subnet, to enable required external traffic to be inspected via a firewall. There are several inbound endpoints that are used to manage an ASE. Several routes need to be created for Management IP addresses, this prevents asymmetric routing issues, the traffic does not actually leave the Azure Fabric, but is not routed via the firewall.

Routes

The following routes need to be added to the route table to cause internet bound traffic to be routed via the external firewall, and to prevent a circular routing reference for Azure service.

NameAddress prefixNext hop
ASE-13.64.115.20313.64.115.203/32Internet
ASE-23.100.226.23623.100.226.236/32Internet
ASE-40.90.240.16640.90.240.166/32Internet
ASE-40.91.126.19640.91.126.196/32Internet
ASE-40.119.4.11140.119.4.111/32Internet
ASE-40.124.47.18840.124.47.188/32Internet
ASE-52.162.80.8952.162.80.89/32Internet
ASE-65.52.14.23065.52.14.230/32Internet
ASE-65.52.193.20365.52.193.203/32Internet
ASE-70.37.89.22270.37.89.222/32Internet
ASE-104.43.242.137104.43.242.137/32Internet
ASE-104.214.49.0104.214.49.0/32Internet
ASE-157.55.176.93157.55.176.93/32Internet
ASE-104.208.54.11104.208.54.11/32Internet
ASE-104.211.146.128104.211.146.128/32Internet
ASE-104.211.81.64104.211.81.64/32Internet
ASE-104.44.129.141104.44.129.141/32Internet
ASE-104.44.129.243104.44.129.243/32Internet
ASE-104.44.129.255104.44.129.255/32Internet
ASE-104.44.134.255104.44.134.255/32Internet
ASE-13.66.140.013.66.140.0/32Internet
ASE-13.67.8.12813.67.8.128/32Internet
ASE-13.69.227.12813.69.227.128/32Internet
ASE-13.69.64.12813.69.64.128/32Internet
ASE-13.70.73.12813.70.73.128/32Internet
ASE-13.71.170.6413.71.170.64/32Internet
ASE-13.71.194.12913.71.194.129/32Internet
ASE-13.75.127.11713.75.127.117/32Internet
ASE-13.75.34.19213.75.34.192/32Internet
ASE-13.77.50.12813.77.50.128/32Internet
ASE-13.78.109.013.78.109.0/32Internet
ASE-13.89.171.013.89.171.0/32Internet
ASE-13.94.141.11513.94.141.115/32Internet
ASE-13.94.143.12613.94.143.126/32Internet
ASE-13.94.149.17913.94.149.179/32Internet
ASE-157.55.208.185157.55.208.185/32Internet
ASE-191.233.203.64191.233.203.64/32Internet
ASE-191.236.154.88191.236.154.88/32Internet
ASE-20.36.106.12820.36.106.128/32Internet
ASE-20.36.114.6420.36.114.64/32Internet
ASE-23.102.135.24623.102.135.246/32Internet
ASE-23.102.188.6523.102.188.65/32Internet
ASE-40.112.242.19240.112.242.192/32Internet
ASE-40.69.106.12840.69.106.128/32Internet
ASE-40.70.146.12840.70.146.128/32Internet
ASE-40.71.13.6440.71.13.64/32Internet
ASE-40.74.100.6440.74.100.64/32Internet
ASE-40.78.194.12840.78.194.128/32Internet
ASE-40.79.130.6440.79.130.64/32Internet
ASE-40.79.178.12840.79.178.128/32Internet
ASE-40.83.120.6440.83.120.64/32Internet
ASE-40.83.121.5640.83.121.56/32Internet
ASE-40.83.125.16140.83.125.161/32Internet
ASE-51.140.146.6451.140.146.64/32Internet
ASE-51.140.210.12851.140.210.128/32Internet
ASE-52.151.25.4552.151.25.45/32Internet
ASE-52.162.106.19252.162.106.192/32Internet
ASE-52.165.152.21452.165.152.214/32Internet
ASE-52.165.153.12252.165.153.122/32Internet
ASE-52.165.154.19352.165.154.193/32Internet
ASE-52.165.158.14052.165.158.140/32Internet
ASE-52.174.22.2152.174.22.21/32Internet
ASE-52.178.177.14752.178.177.147/32Internet
ASE-52.178.184.14952.178.184.149/32Internet
ASE-52.178.190.6552.178.190.65/32Internet
ASE-52.178.195.19752.178.195.197/32Internet
ASE-52.187.56.5052.187.56.50/32Internet
ASE-52.187.59.25152.187.59.251/32Internet
ASE-52.187.63.1952.187.63.19/32Internet
ASE-52.187.63.3752.187.63.37/32Internet
ASE-52.224.105.17252.224.105.172/32Internet
ASE-52.225.177.15352.225.177.153/32Internet
ASE-52.231.146.12852.231.146.128/32Internet
ASE-52.231.18.6452.231.18.64/32Internet
ASE-65.52.172.23765.52.172.237/32Internet
ASE-70.37.57.5870.37.57.58/32Internet
Default0.0.0.0/0[Firewall]

Application Gateway Setup

The Application Gateway should be configured to permit end to end encryption with the backend pool being the Internal Load balancer IP address of the ASE. This Application Gateway needs to be a WAF tier with the Web Application Firewall (WAF) enabled and configured with Prevention mode.

Logging

Logging should be configured on the Application Gateway. This logging should be configured to save its logs, ideally to the Log Analytics Workspace used by Sentinel. This is achieved by adding a new Diagnostic setting which is configured to send the following logs to the appropriate Log Analytics Workspace

  • ApplicationGatewayAccessLog
  • ApplicationGatewayFirewallLog

Network Security Group

A Network Security Group should be associated with the Application Gateway subnet, with the following rules.

Inbound rules

PriorityNamePortProtocolSourceDestination
  • Action
101HTTPS_IN443TCP10.0.0.0.0/8,

172.16.0.0/12,

192.168.0.0/16

[AppGateway Subnet]
  • Allow
4096AppGatewayHealth-IN65200-65535TCPinternet[AppGateway Subnet]
  • Allow
4096DENY_ALL_INAnyAnyAnyAny
  • Deny

Outbound rules

PriorityNamePortProtocolSourceDestinationAction
101HTTPS-OUT443TCP[AppGateway Subnet][ASE Subnet]Allow
3901Internal_OUTAnyAny[AppGateway Subnet][AppGateway Subnet]Allow
4096DENY_ALL_OUTAnyAnyAnyAnyDeny

NSG Flow Logs

The NSG should be configured to save the NSG flow logs to a storage account. Ideally these logs should then be ingested by a SIEM tool.

Firewall Setup

To permit the required access to external hosted services for ASE the following rules need to be added to a firewall device, details included here are for an Azure Firewall. For rules need for other firewall types please see appendix I.

Application rule collection

A new Application rule collection needs to be created, to provide access to the following FQDN tags, in order to permit the management of the ASE.

FQDN tags

NameSource typeSourceFQDN tags
AppServiceIP Address[ASE Subnet]WindowsUpdate

AppServiceEnvironment

Network rule Collection

A new Network Collection needs to be created, which provides the ASE with access to NTP and Azure Monitor services.

IP Addresses

NameProtocolSource TypeSourceDestination TypeDestinationPort(s)
NTPAnyIP Addresss[ASE Subnet]IP Address*123
NTP-IssuesAnyIP Address[ASE Subnet]IP Address*12000

Service Tags

NameProtocolSource typeSourceService Tag(s)Port(s)
AzureMonitorTCPIP Address[ASE Subnet]AzureMonitor81,443,12000