- Knowledge Base
- Microsoft Azure
- Container Apps
- Disable Public Network Access
Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.
Risk Level: High (not acceptable risk)
Ensure that public network access to Microsoft Azure Container Apps is disabled in order to enhance security by preventing unauthorized access.
Security
When an Azure Container App is publicly accessible (i.e., with no IP rules defined), all hosts and networks, including the Internet, can access the Container App. This increases the risk of unauthorized access, potential security breaches, and compliance violations. To limit access to specific, trusted networks, you should enable and configure IP-based ingress restrictions for your Container Apps. This allows traffic only from trusted IP addresses, preventing unauthorized access attempts and protecting your sensitive resources and their associated data. Alternatively, you can limit ingress access to the internal Container Apps environment only.
Azure Container Apps must have HTTP ingress configured to enable HTTP/2.
Audit
To determine whether public network access to your Azure Container Apps is disabled, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.
04 From the Type equalls all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.
05 Click on the name (link) of the Azure Container App that you want to examine.
06 In the resource navigation panel, under Settings, select Ingress to access the network ingress settings available for the selected Container App.
07 In the Ingress section, check the Ingress traffic configuration setting to determine whether the selected Container App is configured to allow ingress traffic from the Internet. If Ingress traffic is set to Accepting traffic from anywhere, external ingress traffic is enabled for the selected Azure Container App, therefore, you can continue the Audit process with the next step. Otherwise, the Audit process ends here.
08 In the IP Restrictions section, check the IP Security Restrictions Mode setting to identify any allow/deny rules configured to control traffic to your Container App. If IP Security Restrictions Mode is set to Allow all traffic (default), the public network access to the selected Microsoft Azure Container App is not disabled.
09 Repeat steps no. 5 - 8 for each Azure Container App deployed in the selected Azure subscription.
10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list--query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
["abcdabcd-1234-abcd-1234-abcdabcdabcd","abcd1234-abcd-1234-abcd-abcd1234abcd"]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Container App available in the selected subscription:
az containerapp list--output table--query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested Container App names:
Name ResourceGroup------------------------- ------------------------------tm-project5-container-app cloud-shell-storage-westeuropetm-project5-openai-app cloud-shell-storage-westeurope
06 Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to determine if the selected Container App is configured to allow ingress traffic from the Internet:
az containerapp show--name tm-project5-container-app--resource-group cloud-shell-storage-westeurope--query '{externalIngressTraffic:properties.configuration.ingress.external}'
07 The command output should return the network ingress type configured for the selected resource (true for enabling external traffic, false for disabling external traffic). If the containerapp show command output returns true for the "externalIngressTraffic" attribute value, external ingress traffic is enabled for the selected Azure Container App, therefore, you can continue the Audit process with the next step. Otherwise, the Audit process ends here:
{"externalIngressTraffic": true}
08 Run containerapp ingress access-restriction list command (OSX/Linux/UNIX) to list the IP access restrictions configured for the selected Azure Container App:
az containerapp ingress access-restriction list--name tm-project5-container-app--resource-group cloud-shell-storage-westeurope
09 The command output should return the list of allow/deny IP rules configured to control traffic to your Container App:
[]
If the containerapp ingress access-restriction list command output returns an empty array (i.e., []), there are no IP rules defined for the resource, therefore, the selected Azure Container App will accept traffic from any address (i.e., allows public network access).
10 Repeat step no. 6 - 9 for each Azure Container App available within the current Azure subscription.
11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To disable public network access to your Microsoft Azure Container Apps and configure IP ingress restrictions, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.
04 From the Type equalls all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.
05 Click on the name (link) of the Azure Container App that you want to configure.
06 In the resource navigation panel, under Settings, select Ingress to access the network ingress settings available for the selected Container App. Azure Container Apps provides HTTPS and TCP ingress to securely expose containerized applications to the Internet, your virtual network (VNET), and other Container Apps within your environment.
07 On the Ingress configuration page, perform the following actions:
- Ensure that the Ingress setting checkbox is checked to enable ingress network traffic.
- For Ingress traffic, choose whether to allow only internal traffic from within your Container App's environment or to accept traffic from both the public Internet and your Container App's internal environment.
- For Ingress type, choose between HTTP or TCP traffic, depending on your app requirements.
- Configure the additional network settings such as transport protocol, client certificate mode, target port, exposed port or session affinity, based on the ingress type (HTTP or TCP), chosen at the previous step.
- Set IP Security Restrictions Mode to Allow traffic from IPs configured below, deny all other traffic to limit inbound traffic to your Container App by configuring IP access restrictions. Choose Add, enter the trusted, authorized IP address/IP address range (in CIDR notation) that can access your Container App in the IPv4 address range box, provide a name and a short description for the new IP rule, and choose Add.
- Choose Save to apply the configuration changes.
08 Repeat steps no. 5 - 7 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list--query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
["abcdabcd-1234-abcd-1234-abcdabcdabcd","abcd1234-abcd-1234-abcd-abcd1234abcd"]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 IP-based restrictions can be implemented for Azure Container Apps that provide ingress network access. Azure Container Apps provides HTTPS and TCP ingress to securely expose containerized applications to the Internet, your virtual network (VNET), and other Container Apps within your environment. To ensure that ingress traffic is enabled for your Container App, run containerapp ingress enable command (OSX/Linux/UNIX):
az containerapp ingress enable--name tm-project5-container-app--resource-group cloud-shell-storage-westeurope--type external--transport http2--target-port 443
05 The command output should return the ingress information available for the selected Container App:
{"additionalPortMappings": null,"allowInsecure": false,"clientCertificateMode": "Ignore","corsPolicy": null,"customDomains": null,"exposedPort": 0,"external": true,"fqdn": "tm-project5-container-app.calmground-abcd1234.westeurope.azurecontainerapps.io","ipSecurityRestrictions": null,"stickySessions": {"affinity": "none"},"targetPort": 443,"traffic": [{"latestRevision": true,"weight": 100}],"transport": "http2"}
06 Run containerapp ingress access-restriction set command (OSX/Linux/UNIX) to restrict inbound access to the IP address/IP address range specified by the --ip-address parameter. As an example, the following IP rule will allow traffic from the IPv4 address specified by --ip-address and deny all other traffic:
az containerapp ingress access-restriction set--name tm-project5-container-app--resource-group cloud-shell-storage-westeurope--rule-name tm-project5-dev-ip--ip-address 192.168.0.35/32--description "Allow trusted, authorized access for development purposes"--action Allow
07 The command output should return the information available for the newly created IP rule:
[{"action": "Allow","description": "Allow trusted, authorized access for development purposes","ipAddressRange": "192.168.0.35/32","name": "tm-project5-dev-ip"}]
08 You can also limit inbound access to the internal Container Apps environment only. Run containerapp ingress update command (OSX/Linux/UNIX) to restrict traffic to the specified Container App from within the Container App environment, by setting the --type parameter to internal:
az containerapp ingress update--name tm-project5-container-app--resource-group cloud-shell-storage-westeurope--type internal
09 The command output should return the new ingress information available for the selected Container App:
{"additionalPortMappings": null,"allowInsecure": false,"clientCertificateMode": "Ignore","corsPolicy": null,"customDomains": null,"exposedPort": 0,"external": false,"fqdn": "tm-project5-container-app.calmground-abcd1234.westeurope.azurecontainerapps.io","ipSecurityRestrictions": null,"stickySessions": {"affinity": "none"},"targetPort": 0,"traffic": [{"latestRevision": true,"weight": 100}],"transport": "Auto"}
10 Repeat steps no. 4 - 9 for each Azure Container App that you want to configure, available within the current subscription.
11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- Networking in Azure Container Apps environment
- Ingress in Azure Container Apps
- Set up IP ingress restrictions in Azure Container Apps
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az containerapp list
- az containerapp show
- az containerapp ingress enable
- az containerapp ingress update
- az containerapp ingress access-restriction list
- az containerapp ingress access-restriction set
Publication date Nov 20, 2024
Related ContainerApps rules
- Enable Diagnostic Logs for Container Apps Environments (Security, reliability, operational-excellence, cost-optimisation, performance-efficiency)
- Disable Public Network Access (Security)
- Enable Authentication and Authorization with Microsoft Entra ID (Security, operational-excellence)
- Check for Azure Container Apps that Allow Insecure Traffic (Security)