Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure App Configuration provides capabilities to centrally manage application settings and feature flags with point-in-time configuration snapshots. When deploying this service, it's important to follow security best practices to protect data, configurations, and infrastructure.
This article provides guidance on how to best secure your Azure App Configuration deployment.
Network security
Network security controls prevent unauthorized access to App Configuration stores and establish secure communication boundaries for configuration data access.
Enable private endpoints: Eliminate public internet exposure by routing traffic through your virtual network using Azure Private Link. Private endpoints provide dedicated network interfaces that connect directly to App Configuration while preventing data exfiltration risks. See Use private endpoints for Azure App Configuration.
Disable public network access: Block all internet-based connections when using private endpoints to prevent unauthorized access attempts and reduce your attack surface. Configure the service to deny public network access and force all communication through private endpoints. See Disable public access in Azure App Configuration.
Configure network security groups for private endpoint subnets: When using private endpoints, apply Network Security Groups to the subnets (NSGs) hosting the private endpoints to control traffic flow. Enable network policies on the private endpoint subnet and implement restrictive NSG rules to allow only necessary traffic to reach the App Configuration private endpoints. See Manage network policies for private endpoints.
Identity and access management
Identity and access management controls ensure that only authorized users and applications can access App Configuration resources with appropriate permissions for configuration data operations.
Use Microsoft Entra ID authentication: Replace access keys with Microsoft Entra ID authentication to leverage centralized identity management, conditional access policies, and advanced security features. This provides better audit trails and eliminates long-lived secrets. See Access Azure App Configuration using Microsoft Entra ID.
Implement role-based access control (RBAC): Assign users and applications the minimum required permissions using built-in roles such as App Configuration Data Reader or App Configuration Data Owner rather than using administrative roles. See Azure built-in roles for Azure App Configuration.
Enable managed identities: Configure system-assigned or user-assigned managed identities for applications to access App Configuration without storing credentials in code or configuration files. Managed identities provide automatic credential rotation and enhanced security. See How to use managed identities for Azure App Configuration.
Disable access key authentication: Turn off access key authentication to enforce Microsoft Entra ID authentication for all configuration data access. This eliminates the risk of compromised access keys and provides centralized identity management. See Disable access key authentication.
Rotate access keys regularly: When access key authentication is required, implement regular key rotation to limit exposure from compromised credentials. Use both primary and secondary keys to enable seamless rotation without service interruption. See Access Azure App Configuration using access keys.
Data protection
Data protection mechanisms safeguard configuration information through encryption, key management, and secure storage practices for application settings and feature flags.
Enable customer-managed keys for encryption: Configure customer-managed key (CMK) encryption using Azure Key Vault to maintain control over encryption keys for configuration data at rest. This provides additional protection beyond Microsoft-managed encryption and helps meet strict compliance requirements. See Use customer-managed keys to encrypt your App Configuration data.
Implement Key Vault integration: Use Azure Key Vault integration to store and manage secrets and certificates as Key Vault references rather than storing them directly in App Configuration. This provides centralized secret management with hardware-level encryption, granular access policies, expiration management, and management operations such as certificate rotation. See Tutorial: Use Key Vault references in an ASP.NET Core app.
Configure automatic secret reload: Set up automatic reloading of secrets and certificates from Key Vault to ensure applications always use current values without manual intervention. This reduces operational overhead while maintaining security. See Reload secrets and certificates from Key Vault automatically.
Ensure encryption in transit: Verify all communications use TLS 1.2 or higher encryption for data in transit between applications and App Configuration endpoints. All endpoints enforce TLS encryption by default to protect configuration data and API communications. See Azure App Configuration security baseline.
Logging and monitoring
Comprehensive logging and monitoring provide visibility into App Configuration operations, access patterns, and security events to enable threat detection and compliance oversight.
Enable diagnostic logging: Configure diagnostic settings to collect App Configuration resource logs and metrics for security monitoring and compliance auditing. Send diagnostic data to Azure Monitor Logs, storage accounts, or Event Hubs for centralized analysis and retention. See Monitor Azure App Configuration.
Monitor access patterns and configure alerts: Track configuration retrieval requests, modification events, and access frequencies to detect anomalous usage patterns that might indicate security threats or unauthorized access attempts. Set up Azure Monitor alerts to automatically notify you of suspicious activities such as failed authentication attempts, unusual request patterns, throttling events, and configuration modifications. This enables rapid response to potential security incidents through real-time monitoring and automated alerting. See Monitor Azure App Configuration and Monitoring App Configuration data reference.
Enable Azure Activity Log monitoring: Monitor Azure Activity Log for App Configuration resource changes, administrative actions, and control plane operations. Configure alerts for critical changes such as network access modifications or authentication setting updates. See Activity log in Azure Monitor.
Monitor authentication and authorization failures: Set up monitoring and alerts for HTTP 401 (Unauthenticated) and 403 (Forbidden) responses to detect common security configuration issues. 401 errors often indicate invalid or rotated access keys that haven't been updated in production applications, while 403 errors typically signal missing or incorrect role assignments for identities accessing App Configuration. Configure automated alerts for these error patterns to enable rapid detection and resolution of authentication and authorization problems. See Monitor Azure App Configuration and Monitoring App Configuration data reference.
Compliance and governance
Compliance and governance controls ensure App Configuration deployments meet regulatory requirements and organizational policies through proper configuration management and audit capabilities.
Apply Azure Policy definitions: Use Azure Policy to enforce security configurations and monitor compliance across App Configuration resources. Apply built-in policies for private link usage, access key restrictions, and encryption requirements. See Azure Policy Regulatory Compliance controls for Azure App Configuration.
Implement resource tagging: Apply consistent resource tags to App Configuration stores for cost management, security monitoring, compliance tracking, and governance. Use tags to identify data classification, owner information, and regulatory requirements. See Azure Policy Regulatory Compliance controls for Azure App Configuration.
Configure conditional access policies: Implement Microsoft Entra conditional access policies to control access to App Configuration based on user identity, location, device compliance, and risk level when using Microsoft Entra ID authentication. See Azure security baseline for Azure App Configuration.
Monitor security compliance with Azure Policy: Use Microsoft Defender for Cloud's regulatory compliance dashboard to track Azure Policy compliance with security baselines and receive recommendations for App Configuration security configurations. While there is no dedicated Defender plan for App Configuration, the service monitors policy compliance and configuration drift. See Azure Policy Regulatory Compliance controls for Azure App Configuration.
Maintain audit trails: Ensure comprehensive audit logging captures all configuration changes, access attempts, and administrative actions for regulatory compliance and security investigations using diagnostic settings and activity logs. See Monitor Azure App Configuration.
Backup and recovery
Backup and recovery strategies protect App Configuration data and ensure business continuity through proper disaster recovery planning and geo-replication capabilities.
Enable geo-replication for high availability: Create replicas of your App Configuration store across multiple Azure regions to provide redundancy and ensure availability during regional outages. Geo-replication automatically synchronizes configuration data across regions. See Geo-replication overview.
Implement automatic failover mechanisms: Configure App Configuration provider libraries to automatically fail over between replicas during outages to maintain application availability without manual intervention. This provides seamless continuity for configuration-dependent applications. See Enable geo-replication.
Deploy across regions and availability zones: Provision App Configuration stores in regions with Azure availability zone support to provide resilience against datacenter outages with automatic zone redundancy. Deploy replicas in regions where your applications run to minimize latency, distribute request load, and enhance resiliency against transient failures and regional outages. See Migrate App Configuration to a region with availability zone support and Resiliency and disaster recovery.
Create configuration snapshots: Use point-in-time snapshots to create immutable configuration versions that can be used for rollback scenarios and safe deployment practices. Snapshots provide guaranteed consistency and enable rapid recovery from configuration errors. See Snapshots.
Enable soft-delete protection: Soft-delete is automatically enabled for all Standard and Premium tier App Configuration stores to protect against accidental deletion, retaining deleted stores for a recovery period and allowing restoration of the entire store and its configuration data. For enhanced security, consider enabling purge protection, which prevents permanently deleting (purging) a soft-deleted store during the retention period. This provides additional protection against malicious deletion attempts and is especially important for production environments where configuration data is critical to application functionality. See Recover deleted stores in Azure App Configuration.
Service-specific security
App Configuration provides unique security capabilities designed specifically for configuration management, feature flag operations, and application settings protection.
Implement safe deployment practices: Use configuration snapshots and progressive deployment models to minimize the blast radius of configuration changes. Build and test snapshots before production deployment and maintain last-known-good configurations for rapid rollback. See Azure App Configuration best practices.
Separate secrets from configuration data: Store secrets and certificates like connection strings, API keys, and certificates in Azure Key Vault and reference them from App Configuration rather than storing them directly. Key Vault provides hardware-level encryption, granular access policies, expiration management, and management operations such as certificate rotation. Use App Configuration for application settings, feature flags, and other configuration data that benefits from centralized management and point-in-time snapshots. See Tutorial: Use Key Vault references in an ASP.NET Core app.
Configure Azure Resource Manager authentication mode: Set your App Configuration store's Azure Resource Manager authentication mode to Pass-through for automated deployments. This mode requires a combination of data plane and Azure Resource Manager management roles for data access, enables proper auditing attribution to deployment callers, and is essential for secure infrastructure-as-code deployments. Avoid the Local authentication mode which has auditing limitations and security constraints. See Deployment overview.