Hi @Vitor Leitao, adding to Patchfox's answer:
Currently there is no way to disable or block the default open ports like 1221 and 8172 on an Azure App Service without an Application Gateway or some other external firewall.
The reason is that these ports are required for internal App Service functionality and platform management. They allow probes from the Azure load balancer, log streaming, and other monitoring.
Some options to consider:
- Implement an Azure Application Gateway as you mentioned. This allows specifying only necessary ports.
- Use IP restrictions at the app level to only allow your organization's IP ranges. This doesn't block the ports but limits access.
- Move the App Service into an App Service Environment (ASE) in a subnet with Network Security Group rules to control inbound traffic.
- Use an external firewall device or service like Azure Firewall to create more restrictive rules.
- Switch to Azure Functions, which gives you more control over open ports.
- Document the required platform ports as exceptions for the scanner.
So, unfortunately, without changing the core architecture there is currently no way to disable the default open ports in App Service. An external firewall is required for full control.
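As an added illustration of the "IP restrictions at the app level" option (this is example code, not part of the answer above or of any Microsoft tooling): the script below wraps the real `az webapp config access-restriction add` / `set` commands so that each allow rule is validated before it is issued, refusing anything that is not a usable IPv4 CIDR, including `0.0.0.0/0`, which would silently allow the whole internet. It then mirrors the rules onto the SCM (Kudu) site, which is otherwise left open. The resource group `myrg`, app name `myapp` and the CIDRs passed on the command line are placeholders; in `DRY_RUN=1` mode (the default) it only prints the commands it would run. Note that App Service switches the unmatched-traffic rule to Deny as soon as the first Allow rule exists, so the order in which you add rules matters if you are doing this against a live app.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer). Builds and optionally runs the
# Azure CLI calls that restrict an App Service to a list of allowed IPv4 CIDRs.
# Assumptions: az CLI is installed and logged in; resource group / app name are
# placeholders supplied by the caller. DRY_RUN=1 (default) prints instead of runs.

# Accept only dotted-quad IPv4 CIDRs with a prefix of 1..32. A /0 prefix is
# rejected on purpose: an "Allow 0.0.0.0/0" rule defeats the whole restriction.
is_valid_cidr() {
  cidr=$1
  case "$cidr" in
    */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
    *)   return 1 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the command when DRY_RUN=1, otherwise execute it (no eval: argv is
# passed through unchanged, so values with spaces cannot be re-parsed).
az_cmd() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# apply_rules <resource-group> <app-name> <cidr> [<cidr> ...]
# Adds one Allow rule per CIDR (priorities 100, 110, ...) and then tells App
# Service to apply the same rule set to the SCM site.
apply_rules() {
  rg=$1; app=$2; shift 2
  priority=100
  for cidr in "$@"; do
    if ! is_valid_cidr "$cidr"; then
      printf 'refusing rule for "%s": not a usable IPv4 CIDR (or it would allow all traffic)\n' "$cidr" >&2
      return 1
    fi
    az_cmd az webapp config access-restriction add \
      --resource-group "$rg" --name "$app" \
      --rule-name "allow-$priority" --action Allow \
      --ip-address "$cidr" --priority "$priority"
    priority=$((priority + 10))
  done
  # The SCM/Kudu endpoint has its own rule list; mirror the main site's rules.
  az_cmd az webapp config access-restriction set \
    --resource-group "$rg" --name "$app" \
    --use-same-restrictions-for-scm-site true
}

# Usage: DRY_RUN=0 ./restrict.sh myrg myapp 203.0.113.0/24 198.51.100.7/32
if [ "$#" -gt 0 ]; then
  apply_rules "$@"
fi
```

Run it first with the default `DRY_RUN=1` to review the generated commands, then with `DRY_RUN=0` to apply them. Verify the result with `az webapp config access-restriction show --resource-group <rg> --name <app>`, and remember that this only gates who can reach the app's listeners; as the answer says, the platform ports themselves stay open.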