Azure security baseline for Application Gateway

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Application Gateway. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Application Gateway.

Note

Controls not applicable to Application Gateway, or for which the responsibility is Microsoft's, have been excluded. To see how Application Gateway completely maps to the Azure Security Benchmark, see the full Application Gateway security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

1.1: Protect Azure resources within virtual networks

Guidance: Ensure that all Virtual Network Azure Application Gateway subnet deployments have a network security group (NSG) applied with network access controls specific to your application's trusted ports and sources. While network security groups are supported on Azure Application Gateway, there are some restrictions and requirements that must be adhered to in order for your NSG and Azure Application Gateway to function as expected.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All Internet traffic should be routed via your deployed Azure Firewall Microsoft Defender for Cloud has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 3.0.0-preview
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0
Virtual networks should use specified virtual network gateway This policy audits any virtual network if the default route does not point to the specified virtual network gateway. AuditIfNotExists, Disabled 1.0.0

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces

Guidance: For the network security groups (NSGs) associated with your Azure Application Gateway subnets, enable NSG flow logs and send logs into a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics Workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Note: There are some cases where NSG flow logs associated with your Azure Application Gateway subnets won't show traffic that has been allowed. If your configuration matches following scenario, you won't see allowed traffic in your NSG flow logs:

  • You've deployed Application Gateway v2
  • You have an NSG on the application gateway subnet
  • You've enabled NSG flow logs on that NSG

For additional information, see the references below.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0

1.3: Protect critical web applications

Guidance: Deploy Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) is a service (feature of Azure Application Gateway) that provides centralized protection of your web applications from common exploits and vulnerabilities. Azure WAF can help secure your Azure App Service web apps by inspecting inbound web traffic to block attacks such as SQL injections, Cross-Site Scripting, malware uploads, and DDoS attacks. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.1 (WAF_v2 only), 3.0, and 2.2.9.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

1.4: Deny communications with known-malicious IP addresses

Guidance: Enable DDoS Standard protection on your Azure Virtual Networks associated with your production instances of Azure Application Gateway to guard against DDoS attacks. Use Microsoft Defender for Cloud Integrated Threat Intelligence to deny communications with known malicious IP addresses.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All Internet traffic should be routed via your deployed Azure Firewall Microsoft Defender for Cloud has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 3.0.0-preview
Azure DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. AuditIfNotExists, Disabled 3.0.0

1.5: Record network packets

Guidance: For the network security groups (NSGs) associated with your Azure Application Gateway subnets, enable NSG flow logs and send logs into a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics Workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Note: There are some cases where NSG flow logs associated with your Azure Application Gateway subnets won't show traffic that has been allowed. If your configuration matches following scenario, you won't see allowed traffic in your NSG flow logs:

  • You've deployed Application Gateway v2
  • You have an NSG on the application gateway subnet
  • You've enabled NSG flow logs on that NSG

For additional information, see the references below.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Deploy Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) is a service (feature of Azure Application Gateway) that provides centralized protection of your web applications from common exploits and vulnerabilities. Azure WAF can help secure your Azure App Service web apps by inspecting inbound web traffic to block attacks such as SQL injections, Cross-Site Scripting, malware uploads, and DDoS attacks. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.1 (WAF_v2 only), 3.0, and 2.2.9.

Alternatively, there are multiple marketplace options like the Barracuda WAF for Azure that are available on the Azure Marketplace which includes IDS/IPS features.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

1.7: Manage traffic to web applications

Guidance: Deploy Azure Application Gateway for web applications with HTTPS/SSL enabled for trusted certificates.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use Virtual Network Service Tags to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., GatewayManager) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

For the network security groups (NSGs) associated with your Azure Application Gateway subnets, you must allow incoming Internet traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and TCP ports 65200-65535 for the v2 SKU with the destination subnet as Any and source as GatewayManager service tag. This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. External entities, including the customers of those gateways, can't communicate on these endpoints.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network settings related to your Azure Application Gateway deployments. Use Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to audit or enforce the network configuration of your Azure Application Gateways, Azure Virtual Networks, and network security groups. You may also make use of built-in policy definition.

You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, Azure role-based access control (Azure RBAC), and policies in a single blueprint definition. You can easily apply the blueprint to new subscriptions, environments, and fine-tune control and management through versioning.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

1.10: Document traffic configuration rules

Guidance: Use Tags for network security groups (NSGs) associated with your Azure Application Gateway subnet as well as any other resources related to network security and traffic flow. For individual NSG rules, use the "Description" field to specify business need and/or duration (etc.) for any rules that allow traffic to/from a network.

Use any of the built-in Azure policy definitions related to tagging, such as "Require tag and its value" to ensure that all resources are created with Tags and to notify you of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their Tags.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes for network settings and resources related to your Azure Application Gateway deployments. Create alerts within Azure Monitor that will trigger when changes to critical network settings or resources take place.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Logging and Monitoring

For more information, see the Azure Security Benchmark: Logging and Monitoring.

2.2: Configure central security log management

Guidance: For control plane audit logging, enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure Application Gateway and related resources, such as network security groups (NSGs), being used to protect the Azure Application Gateway subnet.

In addition to Activity Logs, you can configure diagnostic settings for your Azure Application Gateway deployments. diagnostic settings are used to configure streaming export of platform logs and metrics for a resource to the destination of your choice (Storage Accounts, Event Hubs and Log Analytics).

Azure Application Gateway also offers built-in integration with Azure Application Insights. Application Insights collects log, performance, and error data. Application Insights automatically detects performance anomalies and includes powerful analytics tools to help you diagnose issues and to understand how your web apps are being used. You may enable continuous export to export telemetry from Application Insights into a centralized location to keep the data for longer than the standard retention period.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

2.3: Enable audit logging for Azure resources

Guidance: For control plane audit logging, enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure Application Gateway and related resources, such as network security groups (NSGs), being used to protect the Azure Application Gateway subnet.

In addition to Activity Logs, you can configure diagnostic settings for your Azure Application Gateway deployments. diagnostic settings are used to configure streaming export of platform logs and metrics for a resource to the destination of your choice (Storage Accounts, Event Hubs and Log Analytics).

Azure Application Gateway also offers built-in integration with Azure Application Insights. Application Insights collects log, performance, and error data. Application Insights automatically detects performance anomalies and includes powerful analytics tools to help you diagnose issues and to understand how your web apps are being used. You may enable continuous export to export telemetry from Application Insights into a centralized location to keep the data for longer than the standard retention period.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

2.6: Monitor and review logs

Guidance: Enable Azure Activity Log diagnostic settings as well as the diagnostic settings for your Azure Application Gateway and send the logs to a Log Analytics workspace. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the collected data.

Use Azure Monitor for Networks for a comprehensive view of health and metrics for all deployed network resources, including your Azure Application Gateways.

Optionally, you may enable and on-board data to Microsoft Sentinel or a third-party SIEM.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

2.7: Enable alerts for anomalous activities

Guidance: Deploy Azure Web Application Firewall (WAF) v2 SKU in front of critical web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) is a service (feature of Azure Application Gateway) that provides centralized protection of your web applications from common exploits and vulnerabilities. Azure WAF can help secure your Azure App Service web apps by inspecting inbound web traffic to block attacks such as SQL injections, Cross-Site Scripting, malware uploads, and DDoS attacks. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.1 (WAF_v2 only), 3.0, and 2.2.9.

Enable Azure Activity Log diagnostic settings as well as the diagnostic settings for your Azure WAF and send the logs to a Log Analytics workspace. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the collected data. You can create alerts based on your Log Analytics workspace queries.

Use Azure Monitor for Networks for a comprehensive view of health and metrics for all deployed network resources, including your Azure Application Gateways. Within the Azure Monitor for Networks console, you can view and create alerts for Azure Application Gateway.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

2.8: Centralize anti-malware logging

Guidance: Deploy Azure Web Application Firewall (WAF) v2 in front of critical web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) is a service (feature of Azure Application Gateway) that provides centralized protection of your web applications from common exploits and vulnerabilities. Azure WAF can help secure your Azure App Service web apps by inspecting inbound web traffic to block attacks such as SQL injections, Cross-Site Scripting, malware uploads, and DDoS attacks.

Configure diagnostic settings for your Azure Application Gateway deployments. diagnostic settings are used to configure streaming export of platform logs and metrics for a resource to the destination of your choice (Storage Accounts, Event Hubs and Log Analytics).

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Identity and Access Control

For more information, see the Azure Security Benchmark: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (Azure AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.2: Change default passwords where applicable

Guidance: Control plane access to Azure Application Gateway is controlled through Azure Active Directory (Azure AD). Azure AD does not have the concept of default passwords.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Microsoft Defender for Cloud Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Microsoft Defender for Cloud or built-in Azure Policies, such as:

  • There should be more than one owner assigned to your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription

For additional information, see the references below.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.4: Use Azure Active Directory single sign-on (SSO)

Guidance: Use an Azure app registration (service principal) to retrieve a token that can be used to interact with your Azure Application Gateways via API calls.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.5: Use multi-factor authentication for all Azure Active Directory-based access

Guidance: Enable Azure Active Directory (Azure AD) multifactor authentication and follow Microsoft Defender for Cloud Identity and Access Management recommendations.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.6: Use secure, Azure-managed workstations for administrative tasks

Guidance: Use PAWs (privileged access workstations) with multifactor authentication configured to log into and configure Azure resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) security reports for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Microsoft Defender for Cloud to monitor identity and access activity.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to Azure Active Directory (Azure AD) Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any SIEM/Monitoring tool.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure desired Alerts within Log Analytics Workspace.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

3.12: Alert on account sign-in behavior deviation

Guidance: Use Azure Active Directory (Azure AD) Identity Protection and risk detection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Microsoft Sentinel for further investigation.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

4.1: Maintain an inventory of sensitive Information

Guidance: Use Tags to assist in tracking Azure resources that store or process sensitive information.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Ensure that all Virtual Network Azure Application Gateway subnet deployments have a network security group (NSG) applied with network access controls specific to your application's trusted ports and sources. While network security groups are supported on Azure Application Gateway, there are some restrictions and requirements that must be adhered to in order for your NSG and Azure Application Gateway to function as expected.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Ensure that all Virtual Network Azure Application Gateway subnet deployments have a network security group (NSG) applied with network access controls specific to your application's trusted ports and sources. Restrict outbound traffic to only trusted locations to help mitigate the threat of data exfiltration. While network security groups are supported on Azure Application Gateway, there are some restrictions and requirements that must be adhered to in order for your NSG and Azure Application Gateway to function as expected.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

4.4: Encrypt all sensitive information in transit

Guidance: Configure end-to-end encryption with TLS for your Azure Application Gateways.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

4.6: Use Role-based access control to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to control access to the Azure Application Gateway control plane (the Azure portal).

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production Azure Application Gateway instances as well as other critical or related resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Vulnerability Management

For more information, see the Azure Security Benchmark: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Currently not available; vulnerability assessment in Microsoft Defender for Cloud is not yet available for Azure Application Gateway.

Underlying platform scanned and patched by Microsoft. Review security controls available for Azure Application Gateway to reduce configuration-related vulnerabilities.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

5.4: Compare back-to-back vulnerability scans

Guidance: Not yet available; vulnerability assessment in Microsoft Defender for Cloud is not yet available for Azure Application Gateway.

Underlying platform scanned and patched by Microsoft. Review security controls available for Azure Application Gateway to reduce configuration-related vulnerabilities.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Not yet available; vulnerability assessment in Microsoft Defender for Cloud is not yet available for Azure Application Gateway.

Underlying platform scanned and patched by Microsoft. Review security controls available for Azure Application Gateway to reduce configuration-related vulnerabilities.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Inventory and Asset Management

For more information, see the Azure Security Benchmark: Inventory and Asset Management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols etc.) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources giving metadata to logically organize them into a taxonomy.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

For additional information, see the references below.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).

Use Azure Resource Graph to query/discover resources within their subscription(s). Ensure that all Azure resources present in the environment are approved.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

For additional information, see the references below.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

6.13: Physically or logically segregate high risk applications

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Ensure that all Virtual Network Azure Application Gateway subnet deployments have a network security group (NSG) applied with network access controls specific to your application's trusted ports and sources. While network security groups are supported on Azure Application Gateway, there are some restrictions and requirements that must be adhered to in order for your NSG and Azure Application Gateway to function as expected.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Secure Configuration

For more information, see the Azure Security Benchmark: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for network settings related to your Azure Application Gateway deployments. Use Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to audit or enforce the network configuration of your Azure Application Gateways, Azure Virtual Networks, and network security groups. You may also make use of built-in policy definition.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

7.5: Securely store configuration of Azure resources

Guidance: If using custom Azure policy definitions, use Azure DevOps or Azure Repos to securely store and manage your code.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

7.7: Deploy configuration management tools for Azure resources

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to alert, audit, and enforce system configurations. Use Azure policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

7.11: Manage Azure secrets securely

Guidance: Use Managed Identities to provide your Azure Application Gateway with an automatically managed identity in Azure Active Directory (Azure AD). Managed Identities allows you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Use Azure Key Vault to securely store certificates. Azure Key Vault is a platform-managed secret store that you can use to safeguard secrets, keys, and SSL certificates. Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the Application Gateway v2 SKU.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

7.12: Manage identities securely and automatically

Guidance: Use Managed Identities to provide your Azure Application Gateway with an automatically managed identity in Azure Active Directory (Azure AD). Managed Identities allows you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Use Azure Key Vault to securely store certificates. Azure Key Vault is a platform-managed secret store that you can use to safeguard secrets, keys, and SSL certificates. Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the Application Gateway v2 SKU.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Malware Defense

For more information, see the Azure Security Benchmark: Malware Defense.

8.1: Use centrally-managed anti-malware software

Guidance: Deploy Azure Web Application Firewall (WAF) v2 in front of critical web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) is a service (feature of Azure Application Gateway) that provides centralized protection of your web applications from common exploits and vulnerabilities. Azure WAF can help secure your Azure App Service web apps by inspecting inbound web traffic to block attacks such as SQL injections, Cross-Site Scripting, malware uploads, and DDoS attacks.

Configure diagnostic settings for your Azure Application Gateway deployments. diagnostic settings are used to configure streaming export of platform logs and metrics for a resource to the destination of your choice (Storage Accounts, Event Hubs and Log Analytics).

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

8.3: Ensure anti-malware software and signatures are updated

Guidance: When using Azure Web Application Firewall (WAF), you can configure WAF policies. A WAF policy consists of two types of security rules: custom rules that are authored by the customer, and managed rule sets that are a collection of Azure-managed pre-configured set of rules. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rulesets are managed by Azure, the rules are updated as needed to protect against new attack signatures.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Data Recovery

For more information, see the Azure Security Benchmark: Data Recovery.

9.1: Ensure regular automated back-ups

Guidance: Azure Application Gateway does not store customer data. However, if using custom Azure policy definitions, use Azure DevOps or Azure Repos to securely store and manage your code.

Azure DevOps Services leverages many of the Azure storage features to ensure data availability in the case of hardware failure, service disruption, or region disaster. Additionally, the Azure DevOps team follows procedures to protect data from accidental or malicious deletion.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Back up customer-managed certificates within Azure Key Vault.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

9.3: Validate all backups including customer-managed keys

Guidance: Test restoration of backed up customer-managed certificates.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

9.4: Ensure protection of backups and customer-managed keys

Guidance: Ensure that soft delete is enabled for Azure Key Vault. Soft delete allows recovery of deleted key vaults and vault objects such as keys, secrets, and certificates.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

10.2: Create an incident scoring and prioritization procedure

Guidance: Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for ex. production, non-prod) and create a naming system to clearly identify and categorize Azure resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems’ incident response capabilities on a regular cadence. Identify weak points and gaps and revise plan as needed.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Microsoft Defender for Cloud alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Microsoft Defender for Cloud to automatically trigger responses via "Logic Apps" on security alerts and recommendations.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Penetration Tests and Red Team Exercises

For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Next steps