Block inbound Ports for Azure Web App

Question

Block inbound Ports for Azure Web App

APTOS 221

Hello ,

i have a azure wep app hosted on a basic app service plan with no vnet integration was configured.this app is reached from internet .

i need to blcok some inbound traffic .please guide how to do this without impacting the web app

Regards

VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-12-12T01:39:22.4266667+00:00

@APTOS Thanks for reaching out to Microsoft Q&A.

You can leverage the feature Access restrictions in app service. Access restrictions in App Service are equivalent to a firewall allowing you to block and filter traffic. Access restrictions apply to inbound access only.

Using Access restrictions, you can limit the public access to your site or kudu site and also these supports to block the inbound traffic based on the Ip Matched rules, service endpoint based or by using service tags.

Refer to this documentation for more information about Access restrictions in App service and how it works and creation of rules in access restrictions.

Feel free to reach back to me if you have any further questions on this.
APTOS 221 Reputation points

2023-12-12T14:11:38.36+00:00

Hi ,

i can't see how to block ports here .i can just block IPs with access restrictions

Regards
VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-12-12T16:10:45.2433333+00:00

@APTOS Thanks for your response. Sorry for the confusion here yes, using Access restrictions we can block the inbound traffic based on matched rules.
Could you please help more information which inbound ports you want to block on app service? and also from where you see that particular port is open state.
APTOS 221 Reputation points

2023-12-12T16:14:53.2066667+00:00

Hello @VenkateshDodda-MSFT

these ports are reviewed by our security team after their scan

tcp ports are : 8172 and 4022

regards

Accepted answer

0 additional answers

Your answer

VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-12-12T01:39:22.4266667+00:00

@APTOS Thanks for reaching out to Microsoft Q&A.

You can leverage the feature Access restrictions in app service. Access restrictions in App Service are equivalent to a firewall allowing you to block and filter traffic. Access restrictions apply to inbound access only.

Using Access restrictions, you can limit the public access to your site or kudu site and also these supports to block the inbound traffic based on the Ip Matched rules, service endpoint based or by using service tags.

Refer to this documentation for more information about Access restrictions in App service and how it works and creation of rules in access restrictions.

Feel free to reach back to me if you have any further questions on this.
APTOS 221 Reputation points

2023-12-12T14:11:38.36+00:00

Hi ,

i can't see how to block ports here .i can just block IPs with access restrictions

Regards
VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-12-12T16:10:45.2433333+00:00

@APTOS Thanks for your response. Sorry for the confusion here yes, using Access restrictions we can block the inbound traffic based on matched rules.
Could you please help more information which inbound ports you want to block on app service? and also from where you see that particular port is open state.
APTOS 221 Reputation points

2023-12-12T16:14:53.2066667+00:00

Hello @VenkateshDodda-MSFT

these ports are reviewed by our security team after their scan

tcp ports are : 8172 and 4022

regards

Answer 1

VenkateshDodda-MSFT 25,111 Microsoft Employee Moderator

@APTOS Thanks for sharing more information about the ports.

Port 4022 is used for remote debugging and port 8172 is for web deploy service.

If your app service is running on multi-tenant app service plan (on any of these plans Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 pricing SKU) and when you scan your app service you find several inbound App service ports are exposed and there is no way to block these ports.

Here is the list of inbounds ports which are exposed.

User's image

Refer to this documentation for more information about networking features in app services.

Feel free to reach back to me if you have any further questions on this.

APTOS 221 Reputation points

2023-12-12T16:43:21.7266667+00:00

Hello @VenkateshDodda-MSFT

Thanks its clear.

could we change our design to run our web app to single Tenant without impacting the production and then we can control the inbound Trafic ? please share the steps if it's possible .

Regards
VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-12-13T06:54:45.66+00:00

APTOS Thanks for your follow up questions.

Unfortunately, you cannot move the apps that are in multi-tenant to single tenant you need to build it from the scratch.

By default, Azure deploys each new App Service plan into a deployment unit, internally called a webspace. Each region can have many webspaces, but your app can only move between plans that are created in the same webspace. Premium and ASE(isolated) plan will be in different webspace hence moving it is not possible.

To know more, you can refer to this documentation about move app service plan.

In App Service Environment(ASE), you have full control over inbound and outbound traffic. You can use Network Security Groups to restrict or block specific ports.

An ASE always exists in a virtual network, and more precisely, within a subnet of a virtual network. You can use the security features of virtual networks to control inbound and outbound network communications for your apps.

Refer to this documentation for more information about inbound and outbound port dependencies in app service environment.
APTOS 221 Reputation points

2023-12-15T10:47:42.8+00:00

Hello @VenkateshDodda-MSFT

it's not possible to create an App Gateway or vNet integration to this web app and then create NSG rules to block these ports ?

Regards
VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-12-18T06:32:44.89+00:00

APTOS Thanks for your follow-up question, if your app service is integrated with application gateway using the NSG you can block the inbound ports.

If the user try to access the application through app gateway, then it is possible and if the user by-pass the gateway and he tries to access application directly then block the ports won't be possible.

Share via

Block inbound Ports for Azure Web App

0 additional answers

Your answer