Disable Ports 1221 and 8172 on a simple Web App Service

Vitor Leitao 0 Reputation points
2023-07-26T11:58:40.7733333+00:00

I have a simple App Service with a .NET app, with no virtual networks, or Application Gateways configured.

During a recent scan, we were flagged for allowing a response from the port 1221 and 8172, which are enabled by default in Azure (https://learn.microsoft.com/en-us/azure/app-service/environment/network-info#inbound-dependencies)

I have tried to find a way to disable these ports without changing to much the architecture of our app and services, but without much success.

Is there a way to disable these, without having to implement an Application Gateway?

All the resources I find seem to point to this being the only way of doing it

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,533 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Patchfox 2,886 Reputation points
    2023-07-27T18:20:02.9966667+00:00

    Hi Vitor Leitao, I want to help you with this question.

    Unfortunately, it is not possible without AppGateway or NetworkInjection of the app (i.e. integration of the Azure app into an Azure VNet to control the IP/port access via Security Groups).


    If the problem is solved for you and all questions are answered, I would be happy if you mark the answer as accepted to close the thread.

    0 comments No comments

  2. Grmacjon-MSFT 14,361 Reputation points
    2023-10-11T22:14:20.2833333+00:00

    Hi @Vitor Leitao adding to Patchfox's answer -

    Currently there is no way to disable or block the default open ports like 1221 and 8172 on an Azure App Service without an Application Gateway or some other external firewall.

    The reason is that these ports are required for internal App Service functionality and platform management. They allow probes from the Azure load balancer, log streaming, and other monitoring.

    Some options to consider:

    • Implement an Azure Application Gateway as you mentioned. This allows specifying only necessary ports.
    • Use IP restrictions at the app level to only allow your organization's IP ranges. This doesn't block the ports but limits access.
    • Move the App Service into an App Service Environment (ASE) in a subnet with Network Security Group rules to control inbound traffic.
    • Use an external firewall device or service like Azure Firewall to create more restrictive rules.
    • Switch to Azure Functions which gives you more control over open ports.
    • Document the required platform ports as exceptions for the scanner.

    So unfortunately without changing the core architecture, there is no way currently to disable the default open ports in App Service. An external firewall is required for full control.

    -Grace