Azure App Service - How to block MsDeploy.axd on port 8172

van Boheemen, Matthew 1 Reputation point
2020-05-20T23:50:20.007+00:00

We have an App Service running in Azure that hosts a website. We've recently had a security review on the web site and one of the items found was that the end point below was exposed.

https://<appName>.azurewebsites.net:8172/msdeploy.axd

The recommendation is that this end point should be blocked and using a whitelist to allow limited access (e.g. the build machine that deploys to Azure). How do I block this end point?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,326 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. SnehaAgrawal-MSFT 20,241 Reputation points
    2020-05-21T07:21:05.74+00:00

    @van Boheemen, Matthew Thanks for asking question! Inbound and outbound network traffic on a subnet is controlled using a network security group. Controlling inbound traffic requires creating network security rules in a network security group, and then assigning the network security group the subnet containing the App Service Environment. Once a network security group is assigned to a subnet, inbound traffic to apps in the App Service Environment is allowed/blocked based on the allow and deny rules defined in the network security group.

    Reference: https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-control-inbound-traffic#outbound-connectivity-and-dns-requirements.

    You may refer below document, which describes regarding Outbound network address with ASE:
    https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-network-architecture-overview#outbound-network-addresses.

    Also, you could use IP restrictions in App Services or you can connect to a WebApp from IIS manager and config Restrict IP:

    https://blogs.msdn.microsoft.com/benjaminperkins/2016/03/02/how-to-setup-ip-security-restrictions-for-an-azure-app-service/

    Using web.config to restrict IP manually is also a way.

    Reference: https://stackoverflow.com/questions/41958723/how-to-restrict-access-to-an-app-service-using-a-setting-inside-the-azure-portal.


  2. Ryan Hill 26,866 Reputation points Microsoft Employee
    2020-05-21T16:27:27.347+00:00

    There isn't a way to disable this port @van Boheemen, Matthew . The port is to allow variations of msdeploy to work. I will note that the port in question is only allowed for authenticated users publising from Visual Studio so there isn't any risk as long as your team is practicing good account protection.

    0 comments No comments

  3. van Boheemen, Matthew 1 Reputation point
    2020-05-26T22:45:48.683+00:00

    After discussions with Microsoft support it appears that port 8172 is enabled for backwards compatibility with old versions of MsDeploy. This port is being phased out and will be open sometimes and not other times.

    The fix was for us to create a new resource group, app service plan and app services multiple times until we ended up a server that had the port closed. This was frustrating but ultimately it did resolve the issue.

    0 comments No comments