How is it possible to block unwanted traffic in the FTPS of an app service?

ROBSON DA SILVA PEDROSO 0 Reputation points
2024-04-30T15:09:26.3066667+00:00

I recently came across a requirement from the security team, stating that the use of the FTPS feature in the environment's app services would be insecure, as they can receive public traffic in a productive environment. I would like to know what security options in Azure I can adopt for this app service that hosts public websites. Is there any safer way to send and update files from the website hosted on this webapp?


2 answers

  1. Luis Arias 5,126 Reputation points
    2024-04-30T16:25:46.1433333+00:00

    Hi Robson,

    There are some best practices that you can follow to make your app service more secure (https://learn.microsoft.com/en-us/azure/app-service/app-service-best-practices / https://learn.microsoft.com/en-us/azure/app-service/overview-security). Besides that, if your use case requires FTP, here are some suggestions:

    1. Enforce FTPS: In Azure portal, select your app’s resource page, select Configuration > General settings, and set FTP state to ‘FTPS Only’.
    2. Disable FTPS if not used: In Azure portal, select your app’s resource page, select Configuration > General settings, and set FTP state to ‘Disabled’ if you don’t use FTP deployment.
    3. Use Azure Storage: Create an Azure Storage Account, attach a file share to the app service and mount it. This allows you to manage files in a centralized and secure manner.
    4. Secure Your App: Enforce HTTPS, disable outdated protocols like TLS 1.0, use FTPS over FTP, and add access restrictions to your app.
    5. Use Deployment Center: In Azure portal, select your app’s resource page, select Deployment Center, and specify FTPS credentials. This allows you to manage deployments in a secure manner.
    6. Use a CI/CD tool, like Azure DevOps or GitHub Actions, to deploy your web application.

    If the information helped address your question, please Accept the answer.

    Luis

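The settings named in the answer above (FTP state, minimum TLS version, access restrictions) can be checked from an exported site configuration. This is an added example, not part of the original answer or any Microsoft tool: `audit_site_config`, its parameters and both JSON samples are constructed here, and it assumes the JSON has the shape of `az webapp config show` output.

```python
import json

# Constructed samples shaped like `az webapp config show` output. The property
# names are App Service site-config fields; every value here is made up.
WEAK = json.loads("""{
  "ftpsState": "AllAllowed",
  "minTlsVersion": "1.0",
  "ipSecurityRestrictions": [
    {"name": "Allow all", "ipAddress": "Any", "action": "Allow"}
  ]
}""")
HARDENED = json.loads("""{
  "ftpsState": "Disabled",
  "minTlsVersion": "1.2",
  "ipSecurityRestrictions": [
    {"name": "office", "ipAddress": "203.0.113.0/24", "action": "Allow"}
  ]
}""")


def tls_tuple(version):
    """Turn "1.2" into (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in str(version).split("."))


def audit_site_config(cfg, ftp_needed=False, tls_floor="1.2"):
    """Return findings for the settings named in the answer (hypothetical helper)."""
    findings = []
    state = cfg.get("ftpsState")
    if state == "AllAllowed":
        findings.append("ftpsState=AllAllowed: plain FTP accepted; use FtpsOnly or Disabled")
    elif state == "FtpsOnly" and not ftp_needed:
        findings.append("ftpsState=FtpsOnly but FTP deployment is unused; set Disabled")
    elif state not in ("FtpsOnly", "Disabled"):
        findings.append(f"ftpsState={state!r}: missing or unrecognised")
    # tls_floor of 1.2 is this example's assumption; the answer names only TLS 1.0.
    tls = cfg.get("minTlsVersion")
    if tls is None or tls_tuple(tls) < tls_tuple(tls_floor):
        findings.append(f"minTlsVersion={tls!r}: below {tls_floor}")
    # Only the default allow-everything rule (or no rule) means no restriction.
    rules = cfg.get("ipSecurityRestrictions") or []
    if not any(r.get("action") == "Allow" and r.get("ipAddress") != "Any" for r in rules):
        findings.append("ipSecurityRestrictions: no access restriction configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_site_config(cfg))
```

Pass `ftp_needed=True` for an app that still deploys over FTPS, so that `FtpsOnly` is accepted instead of being reported.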

  2. Lex Li (Microsoft) 4,742 Reputation points Microsoft Employee
    2024-05-01T03:39:11.8566667+00:00

    FTPS deployment is only secure if both the control channel and the data channel are secured. You can review your FTPS client settings or use a tool like Wireshark to confirm that you have applied the proper configuration.

    There are other deployment methods for you to choose from. For example, you can host the source code privately on Azure Repos and then deploy continuously to App Service via Azure Pipelines:

    https://learn.microsoft.com/en-us/azure/app-service/deploy-azure-pipelines?tabs=yaml
