Hi techie,
What have you done to check the access controls on your Azure web app?
Here are some suggestions (which I must say Bing assisted me in providing):
In addition to the suggestions below, you should be logging all access activity - the logging process is different depending on whether this is Windows or Linux. If you can identify the IPs being used, you can block them using Azure Front Door with WAF.
Access Restrictions Overview:
- Access restrictions work with all Azure App Service-hosted workloads, including web apps, API apps, Linux apps, Linux custom containers, and Functions.
- When a request is made to your app, the FROM address is evaluated against the rules in your access restriction list.
- If the FROM address is in a subnet configured with service endpoints to Microsoft.Web, the source subnet is compared against the virtual network rules in your access restriction list.
- If the address isn’t allowed access based on the rules in the list, the service replies with an HTTP 403 status code.
- Access restrictions are effectively network access-control lists (ACLs) implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs.
Setting Up Access Restrictions for Azure App Service:
- Sign in to the Azure portal.
- Select the app that you want to add access restrictions to.
- On the left menu, choose **Networking**.
- Under **Inbound traffic configuration**, select the **Public network access** setting.
- Review the list of access restriction rules defined for your app.
- If you have a **virtual network restriction**, the table shows whether the service endpoints are enabled for **Microsoft.Web**.
- If no restrictions are defined and your unmatched rule isn’t set to **Deny**, the app is accessible from anywhere.
Additional Considerations:
**Service Endpoints**: You can restrict access to your web app from an Azure virtual network using service endpoints. However, this doesn’t work for apps hosted in an App Service Environment. In an App Service Environment, you can control access by applying IP address rules.
**Permissions**: To configure access restrictions through the Azure portal, CLI, or directly in site config properties, you need the following **Role-based access control permissions** on the subnet or at a higher level:
**Microsoft.Network/virtualNetworks/subnets/join/action**
**Microsoft.Network/virtualNetworks/subnets/read**
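
The rule evaluation described in the answer above, as an added example that is not part of the original post: a small Python model that checks a request's FROM address (or source subnet) against an access restriction list and reports whether the app is open to anywhere. The config uses the site config property names `ipSecurityRestrictions` and `ipSecurityRestrictionsDefaultAction`; the sample rules, the priority ordering, and the fallback when no unmatched action is set are assumptions, marked in the comments.

```python
import ipaddress

# Constructed sample in the shape of the App Service site config properties;
# every name, address and ID below is a made-up placeholder.
SUBNET_ID = ("/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-example/providers"
             "/Microsoft.Network/virtualNetworks/vnet-example/subnets/apps")
SITE_CONFIG = {
    "ipSecurityRestrictionsDefaultAction": "Deny",  # the "unmatched rule"
    "ipSecurityRestrictions": [
        {"name": "block-scanner", "priority": 100, "action": "Deny",
         "ipAddress": "203.0.113.7/32"},
        {"name": "office", "priority": 200, "action": "Allow",
         "ipAddress": "203.0.113.0/24"},
        {"name": "app-subnet", "priority": 300, "action": "Allow",
         "vnetSubnetResourceId": SUBNET_ID},
    ],
}

def unmatched_action(config):
    # Assumption: when the unmatched action is not set, treat it as Deny if
    # any rule exists and Allow otherwise.
    rules = config.get("ipSecurityRestrictions") or []
    return config.get("ipSecurityRestrictionsDefaultAction") or ("Deny" if rules else "Allow")

def evaluate(config, from_ip, from_subnet_id=None):
    """Return (http_status, rule_name); 200 stands for "passed on to the app".

    from_subnet_id is given only for traffic from a subnet with a Microsoft.Web
    service endpoint; it is compared against the virtual network rules.
    """
    addr = ipaddress.ip_address(from_ip)
    rules = sorted(config.get("ipSecurityRestrictions") or [], key=lambda r: r["priority"])
    for rule in rules:  # assumption: the lowest priority number is checked first
        if rule.get("vnetSubnetResourceId"):
            hit = (from_subnet_id or "").lower() == rule["vnetSubnetResourceId"].lower()
        elif rule["ipAddress"].lower() == "any":
            hit = True
        else:
            net = ipaddress.ip_network(rule["ipAddress"], strict=False)
            hit = addr.version == net.version and addr in net
        if hit:
            return (200 if rule["action"] == "Allow" else 403), rule["name"]
    return (200 if unmatched_action(config) == "Allow" else 403), "unmatched"

def open_to_internet(config):
    """Probe with a documentation-range address that no sample rule names."""
    return evaluate(config, "198.51.100.1")[0] == 200
```

A `True` from `open_to_internet` on an exported site config corresponds to the "accessible from anywhere" case in the steps above.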