PCI Security Scan Report failing because of Port 1221 Azure Web App Service

Question

PCI Security Scan Report failing because of Port 1221 Azure Web App Service

Joseph Schmucker 81

PayPal is failing my PCI compliance because my Azure Web App shows that there are files which can be crawled to on Port 1221. I have no control over that port. I am aware of this.

I need documentation from Azure to show that access to that port does not allow access to private information.

This is a freaking big deal.

I have a single web application and a single azure SQL server. I don't have any networking setup on azure because I don't need it. I doubt it would help me even if I did.

Shree Hima Bindu Maganti 4,230 Reputation points Microsoft External Staff Moderator

2025-04-18T20:24:20.45+00:00

Hi @Joseph Schmucker
Azure App Service has several ports for inbound connections, including port 1221 for infrastructure purposes. Azure does not offer a way to block or control access to these ports in the multitenant service. However, access to port 1221 does not provide access to private or sensitive data, as it is not meant for user-facing services.
For PCI compliance, you can refer to the Azure documentation that outlines security practices and compliance measures. While the specific documentation regarding Port 1221 may not be available, you can emphasize that Azure's architecture is built to protect applications and their data from external threats.

For more information on the security of Azure App Service and port exposure, refer to the official Azure documentation covering networking features and port purposes.
App Service networking features
https://learn.microsoft.com/en-us/azure/security/fundamentals/overview
https://learn.microsoft.com/en-us/answers/questions/1337314/disable-ports-1221-and-8172-on-a-simple-web-app-se
Let me know if you have any further assistance.
Joseph Schmucker 81 Reputation points

2025-04-19T11:55:35.8866667+00:00

I looked at creating an application gateway. Will that by default block the port? If I have a public IP and I setup listeners on the gateway, I think that port can still be crawled. If I created a Virtual Network and a firewall, would that allow me to block that port? Since my application IP address is public, I am not seeing how I can block someone from seeing port 1221 from my public IP.

Accepted answer

0 additional answers

Your answer

Shree Hima Bindu Maganti 4,230 Reputation points Microsoft External Staff Moderator

2025-04-18T20:24:20.45+00:00

Hi @Joseph Schmucker
Azure App Service has several ports for inbound connections, including port 1221 for infrastructure purposes. Azure does not offer a way to block or control access to these ports in the multitenant service. However, access to port 1221 does not provide access to private or sensitive data, as it is not meant for user-facing services.
For PCI compliance, you can refer to the Azure documentation that outlines security practices and compliance measures. While the specific documentation regarding Port 1221 may not be available, you can emphasize that Azure's architecture is built to protect applications and their data from external threats.

For more information on the security of Azure App Service and port exposure, refer to the official Azure documentation covering networking features and port purposes.
App Service networking features
https://learn.microsoft.com/en-us/azure/security/fundamentals/overview
https://learn.microsoft.com/en-us/answers/questions/1337314/disable-ports-1221-and-8172-on-a-simple-web-app-se
Let me know if you have any further assistance.
Joseph Schmucker 81 Reputation points

2025-04-19T11:55:35.8866667+00:00

I looked at creating an application gateway. Will that by default block the port? If I have a public IP and I setup listeners on the gateway, I think that port can still be crawled. If I created a Virtual Network and a firewall, would that allow me to block that port? Since my application IP address is public, I am not seeing how I can block someone from seeing port 1221 from my public IP.

Answer 1

Hi @Joseph Schmucker
I am glad to hear that the issue was resolved.
You're absolutely right to consider the VIP options in an App Service Environment (ASE) carefully. If you opt for an ASE with an external virtual IP (VIP), it still uses a public IP that can be scanned similarly to the multitenant App Service. If PCI concerns persist, deploying an internal ASE with a private IP accessed via Azure Front Door or an Application Gateway with a WAF is a better option, allowing full control over inbound traffic. It's good to hear that PayPal may accept port 1221 as a false positive, which is common in similar cases.
https://learn.microsoft.com/en-us/azure/app-service/environment/overview
If the answer was helpful Accept the answer so another member who are facing the issue would resolve.
Let me know if you have any further assistances.

Share via

PCI Security Scan Report failing because of Port 1221 Azure Web App Service

0 additional answers

Your answer