No SSL Certificate for virtual IP address azure app service

Question

Hi,

Our team has recently had a penetration test conducted on our site. All our traffic is routed via an application gateway/WAF and all our infra is on an internal private network. We host our api's and webapps on azure app services (app service public multitenant) so as part of the pen test we provided the public IP address (virtual IP address) for the azure app service for our front end for the test. On our settings for this virtual IP address we “enabled from select virtual networks and ip addresses” and have a rule to deny all traffic to it.

The pen test team have come back and indicated that because this ip address can be addressed it need to have a certificate, even though no domain is associated.

Is it possible to remove this IP address from the app service or is this only available for “App service Environment”. Do we even have any control on what this IP address will return?

Further to this, the request was returning the server header “IIS 10.0”, they’ve indicated they think this is an old version, however my understanding is that this is the core version of IIS not the full version of it. Is there any reference documentation that indicates how Microsoft ensure the IIS server in app services is kept up to date so we can provide this as confirmation to them. I’ve been unable to find anything specific on this last issue in the Microsoft documentation.

Thanks for any help in advance.

Answer 1

Hi @Teasdale, Teddy,

Azure App Services, by default, are assigned public IP addresses to enable external accessibility. Even when restricted, the public IP is still given to the service. Although the removal of this public IP in the default multi-tenant App Service environment is not possible, you can add an added layer of security by applying access restrictions. By setting up these restrictions, you can determine what IP addresses or virtual networks can access your app, effectively preventing unwanted access. Step-by-step instructions on how to set up these restrictions are outlined in Microsoft documentation: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli
https://learn.microsoft.com/en-us/answers/questions/1531605/my-app-services-all-have-public-ips-i-want-to-bloc

Regarding the issue of the SSL certificate, since your application does not have a custom domain and will not be publicly accessed, the absence of an SSL certificate on the public IP should not be a significant security risk with strict access control. However, if your penetration testing team is adamant that the SSL be turned on, you can include a self-signed certificate to satisfy this requirement.

Azure App Services on Windows use IIS as the underlying web server. The version of this corresponds with the version of Windows Server that the App Service is running on. For instance, IIS 10.0 is associated with Windows Server 2016 and later versions. It's important to note that Microsoft manages the underlying infrastructure of Azure App Services, ensuring that both the operating system and IIS are regularly updated with the latest security patches and improvements. This proactive maintenance helps protect your applications from known vulnerabilities. While the IIS version number may appear static, the platform's components receive continuous updates to maintain security and performance. https://learn.microsoft.com/en-us/azure/app-service/overview-patch-os-runtime

If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Let me know if you have any further Queries.