Security controls for Azure App Service
This article documents the security controls built into Azure App Service.
A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.
For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.
|Service endpoint support||Yes||Available for App Service.||Azure App Service Access Restrictions|
|VNet injection support||Yes||App Service Environments are private implementations of App Service dedicated to a single customer injected into a customer's virtual network.||Introduction to the App Service Environments|
|Network Isolation and Firewalling support||Yes||For the public multi-tenant variation of App Service, customers can configure network ACLs (IP Restrictions) to lock down allowed inbound traffic. App Service Environments are deployed directly into virtual networks and hence can be secured with NSGs.||Azure App Service Access Restrictions|
|Forced tunneling support||Yes||App Service Environments can be deployed into a customer's virtual network where forced tunneling is configured.||Configure your App Service Environment with forced tunneling|
Monitoring & logging
|Azure monitoring support (Log analytics, App insights, etc.)||Yes||App Service integrates with Application Insights for languages that support Application Insights (Full .NET Framework, .NET Core, Java and Node.JS). See Monitor Azure App Service performance. App Service also sends application metrics into Azure Monitor.||Monitor apps in Azure App Service|
|Control and management plane logging and audit||Yes||All management operations performed on App Service objects occur via Azure Resource Manager. Historical logs of these operations are available both in the portal and via the CLI.||Azure Resource Manager resource provider operations, az monitor activity-log|
|Data plane logging and audit||No||The data plane for App Service is a remote file share containing a customer’s deployed web site content. There is no auditing of the remote file share.|
|Authentication||Yes||Customers can build applications on App Service that automatically integrate with Azure Active Directory (Azure AD) as well as other OAuth compatible identity providers For management access to App Service assets, all access is controlled by a combination of Azure AD authenticated principal and Azure Resource Manager RBAC roles.||Authentication and authorization in Azure App Service|
|Authorization||Yes||For management access to App Service assets, all access is controlled by a combination of Azure AD authenticated principal and Azure Resource Manager RBAC roles.||Authentication and authorization in Azure App Service|
|Server-side encryption at rest: Microsoft-managed keys||Yes||Web site file content is stored in Azure Storage, which automatically encrypts the content at rest.
Customer supplied secrets are encrypted at rest. The secrets are encrypted at rest while stored in App Service configuration databases.
Locally attached disks can optionally be used as temporary storage by websites (D:\local and %TMP%). Locally attached disks are not encrypted at rest.
|Azure Storage encryption for data at rest|
|Server-side encryption at rest: customer-managed keys (BYOK)||Yes||Customers can choose to store application secrets in Key Vault and retrieve them at runtime.||Use Key Vault references for App Service and Azure Functions (preview)|
|Column level encryption (Azure Data Services)||N/A|
|Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption )||Yes||Customers can configure web sites to require and use HTTPS for inbound traffic.||How to make an Azure App Service HTTPS only (blog post)|
|API calls encrypted||Yes||Management calls to configure App Service occur via Azure Resource Manager calls over HTTPS.|
|Configuration management support (versioning of configuration, etc.)||Yes||For management operations, the state of an App Service configuration can be exported as an Azure Resource Manager template and versioned over time. For runtime operations, customers can maintain multiple different live versions of an application using the App Service deployment slots feature.|
- Learn more about the built-in security controls across Azure services.