Audit Publicly Accessible Azure App Services with Azure Policy


Today, a common theme in cloud environments is enforcing organizational standards and adopting cloud governance from day one. This matters because it gives you the ability to define policies, processes, and procedures; those policies then dictate what can be done and verify that what already exists is correct. Azure Policy, a service from Microsoft, is a great way to make that happen and to take corrective action.

This article will demonstrate how to audit publicly accessible Azure App Services (Web Apps and Function Apps) with Azure Policy.

Introduction

Azure App Service enables you to build and host web apps, mobile back ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux, and enables automated deployments from GitHub, Azure DevOps, or any Git repo.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by continuously evaluating your resources for non-compliance with assigned policies.

Suppose you have a policy in your organization that requires auditing all new and existing App Services (web apps and function apps) within your subscriptions. As you know very well, you should protect your applications from potential threats by restricting access with network access restrictions. If you are NOT using a Private Endpoint for your Azure Web App (which is highly recommended), then by default your web apps are publicly accessible from the Internet with the default firewall rule “Allow All”.

Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit the exposure of an App Service to the internet.

If you want to keep your Web Apps exposed to the Internet, then you can set up access restrictions, where you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. And when there are one or more entries, an implicit deny all exists at the end of the list.

The access restriction capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, access restrictions are effectively networking access control lists (ACLs).

Prerequisites

To follow this article, you need to have the following:

  1. An Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
  2. At least one web app or function app deployed in your subscription.
  3. Last but not least, you need to have the appropriate permissions to create and manage Azure Policy definitions. The Azure RBAC built-in roles that you can use are Resource Policy Contributor or Security Admin.

Assuming you have all the prerequisites in place, take now the following steps:

Create Custom Policy definition

A quick overview of Azure Policy effects. Each policy definition that you create in the Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource.

In this example, we need to audit the associated network access rules for all web apps. For this to work, we need to use the “AuditIfNotExists” policy effect. To understand how the Azure Policy effect works with the “AuditIfNotExists” policy definition, please check the official documentation from Microsoft.

Open the Azure Portal, click “All services” and then search for “Policy” and then click on “Definitions” → “+ Policy definition”.

For the “Definition location”, select the location by clicking the ellipsis [...] and select either a management group or a subscription.

In the “Name” field, give the policy definition a descriptive name such as “Audit Web Application and Function App without Network Access Restrictions”, and fill in the Description.

In the “Category” section, select the appropriate category for this policy. In this example, I will choose “App Service” as shown in the figure below.

Create Azure Policy Custom Definition

For the “POLICY RULE”, paste the following policy definition in JSON format and then click “Save”.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        },
        {
          "field": "kind",
          "like": "*"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Web/sites/config",
        "name": "web",
        "existenceCondition": {
          "count": {
            "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*]",
            "where": {
              "allOf": [
                {
                  "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action",
                  "in": [
                    "Deny"
                  ]
                },
                {
                  "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].priority",
                  "equals": 2147483647
                }
              ]
            }
          },
          "equals": 1
        }
      }
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  }
}

In this custom policy, I am looking for all kinds of applications (web app, container, Windows, and function app), and then I am counting the ipSecurityRestrictions entries that match both the action and the priority. As soon as you add any firewall rule to restrict access to a Web App from any IP(s), a “Deny all” firewall rule with priority number “2147483647” gets added automatically at the end of the list. So the absence of this firewall rule indicates that the web app is publicly accessible from the Internet without access restrictions.

Assign Custom Policy definition

To assign the custom policy definition, take the following steps:

Open the Azure Portal, click “All services” and then search for “Policy” and then click on “Assignments”. An assignment is a policy that has been assigned to take place within a specific scope.

Select “Assign policy” from the top of the “Policy | Assignments” page.

On the “Assign Policy” page, select the Scope by clicking the ellipsis [...] and select either a management group or a subscription. You can optionally select a resource group if you want. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then click Select at the bottom of the Scope page.

Select the Policy definition ellipsis [...] to open the list of available definitions. Choose the custom policy that we created in the previous step. Policy enforcement is Enabled by default. Click Next to continue.

On the Parameters page, specify the parameters for this policy assignment (Audit or Disabled). The default value is set to “AuditIfNotExists”; you can disable the effect of this policy later on by setting the effect to “Disabled”. Click Next to continue.

Assign Azure Policy Custom Definition

On the Remediation page, click Next to continue. In this example, we don’t want to automate the remediation of non-compliant resources. To learn more about remediation tasks, please check the following article.

On the Non-compliance messages page, set the desired message. Then click the “Review + create” button.

Azure Policy – Non-compliance message

Finally, click “Create” to create the assignment.

Verify Custom Policy definition

To verify that the custom policy is deployed successfully, you need to wait for at least 30 minutes after a resource has been created or updated. The policy won’t be triggered immediately; this is by design. To trigger the policy compliance scan manually (immediately), open the Cloud Shell and run the following commands:

# Start the compliance evaluation in the background and show the job status
$job = Start-AzPolicyComplianceScan -AsJob
$job | Format-Table -AutoSize

The scan job will run in the background as shown in the output below.

Trigger Azure Policy Compliance Evaluation Manually

Depending on the number of Web Apps that you have, the evaluation should complete within 10 minutes.

Open the Azure Portal, click “All services” and then search for “Policy” and then click on the “Compliance” blade. Select the assignment that we created in the previous step and audit the compliance state for all resources as shown in the figure below. In this example, I have 2 Web Apps that are NOT compliant.

Azure Policy Compliance Report
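The portal steps above (create the definition, assign it, trigger a scan, review the non-compliant apps) can also be scripted with Az PowerShell. This is an added example, not code from the original post; it assumes you are signed in with Connect-AzAccount, that the Az.Resources, Az.PolicyInsights and Az.Websites modules are installed, and the definition and assignment names are hypothetical.

```powershell
# Added example: script the custom policy from this article end to end with Az PowerShell.
# Assumes Connect-AzAccount has been run; the names below are hypothetical.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# The same "if/then" rule as the JSON definition shown earlier in this article.
$rule = @'
{ "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Web/sites" },
                     { "field": "kind", "like": "*" } ] },
  "then": { "effect": "[parameters('effect')]",
    "details": { "type": "Microsoft.Web/sites/config", "name": "web",
      "existenceCondition": {
        "count": { "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*]",
          "where": { "allOf": [
            { "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action", "in": [ "Deny" ] },
            { "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].priority", "equals": 2147483647 }
          ] } },
        "equals": 1 } } } }
'@
# The "effect" parameter, same allowed values and default as in the article.
$params = @'
{ "effect": { "type": "String", "allowedValues": [ "AuditIfNotExists", "Disabled" ],
              "defaultValue": "AuditIfNotExists" } }
'@

# 1. Create the custom definition at subscription scope (the portal's "Definition location").
$definition = New-AzPolicyDefinition -Name 'audit-webapp-no-access-restrictions' `
    -DisplayName 'Audit Web Application and Function App without Network Access Restrictions' `
    -Policy $rule -Parameter $params -Mode 'All'

# 2. Assign it to the subscription; "effect" keeps its default of AuditIfNotExists.
$assignment = New-AzPolicyAssignment -Name 'audit-webapp-no-access-restrictions' `
    -Scope $scope -PolicyDefinition $definition

# 3. Trigger an on-demand evaluation instead of waiting for the scheduled scan.
Start-AzPolicyComplianceScan

# 4. List the non-compliant apps and count the Deny rules each one currently has
#    (zero Deny rules means the app is still open to the Internet).
Get-AzPolicyState -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
  ForEach-Object {
    $appName = ($_.ResourceId -split '/')[-1]
    $cfg = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $_.ResourceGroup -Name $appName
    $denyRules = @($cfg.MainSiteAccessRestrictions | Where-Object { $_.Action -eq 'Deny' })
    [pscustomobject]@{ WebApp = $appName; ResourceGroup = $_.ResourceGroup; DenyRules = $denyRules.Count }
  } | Format-Table -AutoSize
```

Run step 4 again after the scan job finishes; Get-AzPolicyState returns the results of the most recent evaluation, so an app fixed after the scan still shows as non-compliant until the next one.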

That’s it, there you have it!

Summary

In this article, I showed you how to audit Azure Web Apps and Function Apps that do not have Network Access Restrictions rules at the application level, so you can take corrective action to make sure your organization policy and security requirements are met.

To learn more about auditing subnets that do not have Network Security Group (NSG) associated, please check the following step-by-step guide.

To learn more about Azure Policy, please check the official documentation from Microsoft.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
