Block Ping request to Azure Web Apps

Question

Block Ping request to Azure Web Apps

Rituparna Bhattacharya 20

I have created an Azure Web App and enabled VNET Integration for that. I can able to ping the Web App with default DNS. I want to restrict ICMP Ping request for this Web App. I have assigned a NSG with Subnet but still I can able t ping the App Service. Below is my NSG settings. Is there anyway to block ICMP for Web Apps?
Screenshot 2024-09-25 110050

ajkuma 27,946 Reputation points Microsoft Employee

2024-09-27T17:27:55.6766667+00:00

Rituparna Bhattacharya, Just checking in to see if you had got a chance to see the previous response. If the answer helped (pointed you in the right direction) > please click Accept Answer Or please share the requested/more info to help you better.

Accepted answer

0 additional answers

Your answer

ajkuma 27,946 Reputation points Microsoft Employee

2024-09-27T17:27:55.6766667+00:00

Rituparna Bhattacharya, Just checking in to see if you had got a chance to see the previous response. If the answer helped (pointed you in the right direction) > please click Accept Answer Or please share the requested/more info to help you better.

Answer 1

Ben Gimblett 4,555 Microsoft Employee

Hi thanks for the question

There's a couple of concepts to be aware of with Web Apps

You can VNET integrate BUT this is for outbound traffic from the web app. For example you deploy a web app and want the code to depend on a service which is private on your network. By enabling VNET integration you can do that. However, VNET integration is one way (outbound flows only). So if you have an NSG on the subnet you integrate with the rules would work only for "outbound".

If you want private access INTO your web app you would need to deploy a private endpoint now you can deploy an NSG with inbound rules. If you dont want any comms on the Public endpoint you should use the "access restrictions" in the network setting to "disable" the public endpoint

Now all that said, you should be able to block ICMP on the private endpoint if your client DNS is resolving to the private ip, but I am unsure if you can block ICMP on the public endpoint (even if you turn off the data plane traffic as described above)
I'll have a look, but I suspect not. The reason for this would be because inbound traffic to app service traverses multi-tenant reverse proxies which listen on a public path which is shared (all customers of the underlying hosting stamp would use the same public inbound IPs as per the IPs listed in the web app properties)

Ben Gimblett 4,555 Reputation points Microsoft Employee

2024-09-25T10:20:30.78+00:00

You cannot block the public endpoint. You can "disable" data plane traffic - so a client/user wont actually be able to use it but you cant prevent ping

This will be for the reason stated above

If you were to use ASE (app service environment) this is in effect "single tenant" and the ingress is in effect via a software load balancer (the front end proxies are not shared) so for ASE you should have full control with NSG on inbound traffic

However ASEv3 has a different pricing model and slightly different behaviours it's close to the multi-tenant service but not exactly the same.
Rituparna Bhattacharya 20 Reputation points

2024-09-30T12:15:12.87+00:00

@Ben Gimblett This is Public website so need to access from outside. I have already tried VNET intgration with NSG. That didn't work. Any help will be appreciated. Also I am facing issue with blocking direct access to Web App behind Application Gateway posted -
https://learn.microsoft.com/en-us/answers/questions/2078704/restrict-web-app-to-use-azure-default-domain
Ben Gimblett 4,555 Reputation points Microsoft Employee

2024-10-01T08:35:16.8633333+00:00

Hi If you are requiring the public endpoint then it's not going to be possible to block ICMP as the software firewall which allows filtering of the public traffic for App Service does not support this

please keep in mind the following:
*VNet integration is for OUTBOUND only , it's for traffic leaving your web app. You can use NSG here, on the subnet used for VNet integration, but only the outbound rules apply
*private endpoint gives an alternative inbound path (you can then optionally turn off the public endpoint). You can use NSG here on the subnet the private endpoint is associated, but only the INBOUND rules apply.
Ben Gimblett 4,555 Reputation points Microsoft Employee

2024-10-01T08:41:31.05+00:00

To your second point about blocking Access to Web App behind an AppGW

You need to deploy the web app with a private endpoint and turn off the public endpoint (if all inbound access should be via the application gateway)

You can then add the FQDN for the private endpoint, or custom name if you're using one, in the backend of the App Gateway (you can also use the private IP assigned to the private endpoint but this is not recommended)

In terms of getting the web app traffic to the Application Gateway you should use a custom domain and have this either CNAME or use an A Record (with the DNS provider) towards the App Gateway public IP

(I have intentionally skipped the steps around App GW configuration for brevity)

The concepts are all discussed in more detail here https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app

Share via

Block Ping request to Azure Web Apps

0 additional answers

Your answer