Security controls for Azure Spring Apps Service
Note
The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3-year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.
The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.
This article applies to: ✔️ Basic/Standard ✔️ Enterprise
Security controls are built into Azure Spring Apps Service.
A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities. For each control, we use Yes or No to indicate whether it is currently in place for the service. We use N/A for a control that is not applicable to the service.
Data protection security controls
Security control | Yes/No | Notes | Documentation |
---|---|---|---|
Server-side encryption at rest: Microsoft-managed keys | Yes | User uploaded source and artifacts, config server settings, app settings, and data in persistent storage are stored in Azure Storage, which automatically encrypts the content at rest. Config server cache, runtime binaries built from uploaded source, and application logs during the application lifetime are saved to Azure managed disk, which automatically encrypts the content at rest. Container images built from user uploaded source are saved in Azure Container Registry, which automatically encrypts the image content at rest. | Azure Storage encryption for data at rest; Server-side encryption of Azure managed disks; Container image storage in Azure Container Registry |
Encryption in transit | Yes | User app public endpoints use HTTPS for inbound traffic by default. | |
API calls encrypted | Yes | Management calls to configure Azure Spring Apps service occur via Azure Resource Manager calls over HTTPS. | Azure Resource Manager |
Customer Lockbox | Yes | Provide Microsoft with access to relevant customer data during support scenarios. | Customer Lockbox for Microsoft Azure |
Network access security controls
Security control | Yes/No | Notes | Documentation |
---|---|---|---|
Service Tag | Yes | Use the AzureSpringCloud service tag to define outbound network access controls on network security groups or Azure Firewall, to allow traffic to applications in Azure Spring Apps. | Service tags |