LarsRinde-3233 asked ·

Following "Access to App Services should be restricted" recommendation for public App service

We have some app services that are private (and have IP restrictions applied), but some are supposed to be publicly accessible. I would like to keep the recommendation rule active on the subscription level, but can't find a way to solve it or suppress it for our public services. The recommendation text itself also only seems to refer to the case where you want to disable public access.

azure-webapps

1 Answer

ryanchill answered ·

Hi @LarsRinde-3233, sincerest apologies for the delayed response. To suppress your recommendation rules, have a look at https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy#disable-security-policies and let me know if this is helpful or not.

Having said that, while it's definitely not required, the recommended rule can in fact be applied to your public-facing services by placing a WAF on either Azure Front Door or App Gateway so traffic is forced through the WAF.


Hi Ryan, thank you for your response. However, as I stated in the question "I would like to keep the recommendation rule active on the subscription level", and as I understand the linked documentation it is specifically for disabling on the subscription level?

Some recommendation classes are dismissible on a case-by-case basis, but not the Security-related recommendations as far as I can tell.

Regarding placing an App Gateway or similar, I looked into that, but the cost would be very prohibitive in our case. I would think it should be possible to use App Services for public-facing APIs without additional services?

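Forcing traffic through a Front Door WAF, as the answer suggests, depends on the app itself rejecting requests that bypass it: an access restriction on the `AzureFrontDoor.Backend` service tag, filtered on the `X-Azure-FDID` header. As an added example (not from this thread or from Microsoft), the Python script below classifies apps by their `ipSecurityRestrictions` rules so that open and Front-Door-fronted apps can be told apart in an audit. The field names follow the ARM site-config shape as an assumption; the app names, IP range and GUID are constructed.

```python
# Constructed sample: ipSecurityRestrictions per app, shaped like the
# App Service site config in ARM (field names are an assumption).
SAMPLE = {
    "public-api": [
        {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"}],
    "internal-app": [
        {"ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100, "name": "office"}],
    "fronted-api": [
        {"ipAddress": "AzureFrontDoor.Backend", "tag": "ServiceTag", "action": "Allow",
         "priority": 100, "name": "afd",
         "headers": {"x-azure-fdid": ["00000000-0000-0000-0000-000000000000"]}}],
    "fronted-any-profile": [
        {"ipAddress": "AzureFrontDoor.Backend", "tag": "ServiceTag", "action": "Allow",
         "priority": 100, "name": "afd"}],
}

OPEN_SOURCES = {"Any", "0.0.0.0/0"}

def is_front_door(rule):
    """True for an allow rule scoped to the Front Door backend service tag."""
    return rule.get("tag") == "ServiceTag" and rule.get("ipAddress") == "AzureFrontDoor.Backend"

def has_fdid(rule):
    """True if the rule also filters on a specific Front Door instance ID header."""
    headers = rule.get("headers") or {}
    return any(k.lower() == "x-azure-fdid" and v for k, v in headers.items())

def classify(rules):
    """Classify one app's inbound exposure from its access-restriction rules."""
    allows = [r for r in rules if r.get("action", "Allow").lower() == "allow"]
    # No rules at all, or an allow rule for any source, leaves the app open.
    if not rules or any(r.get("ipAddress") in OPEN_SOURCES for r in allows):
        return "open"
    afd = [r for r in allows if is_front_door(r)]
    if not afd:
        return "ip-restricted"
    # Without the FDID filter, any Front Door profile can reach the app,
    # not only the one carrying your WAF policy.
    return "front-door-pinned" if all(has_fdid(r) for r in afd) else "front-door-unpinned"

def audit(sites):
    """Map each app name to its classification."""
    return {name: classify(rules) for name, rules in sites.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```
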