Open techcubs opened 1 year ago
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @antcp, @AzureAppServiceCLI.
I am working on a compliance project to know if there is `publicNetworkAccess` enabled for public access for a web app.
Would love to see what scripts can be used to get this value.
My script so far:
```powershell
$webapp = (Get-AzWebApp -ResourceGroupName $WebAppRGName -Name $WebAppName)
$webapp | Get-Member
# .publicNetworkAccess: cannot find anything for this
# we get firewall rules from here
# $ipsecurityrestrictions = (Get-AzWebApp -ResourceGroupName $WebAppRGName -Name $WebAppName).SiteConfig.IpSecurityRestrictions
# $ipsecurityrestrictions
```
@swsr-capco
You can use the Azure RM API directly like this:
```powershell
# Get all web apps for current subscription using the Azure RM API directly
$WebApps = [array](
    (
        (
            Invoke-AzRestMethod -Method 'Get' -Path (
                '/subscriptions/{0}/providers/microsoft.web/sites?api-version=2023-12-01' -f (Get-AzContext).'Subscription'.'Id'
            )
        ).'Content' | ConvertFrom-Json
    ).'value'
)

# Show the attribute of one of the apps
$WebApps[0].'properties'.'publicNetworkAccess'

# Group by the attribute
$WebApps | Group-Object -Property @{'Expression'={$_.'properties'.'publicNetworkAccess'}} -NoElement
```
One observation: Seems `publicNetworkAccess` isn't necessarily populated. In my example I had 33 web apps, all have public network access enabled.

```
Count Name
----- ----
   27
    6 Enabled
```

So this might be an API / provider issue? For checking compliance: Unless the value is `Disabled`, assume it's enabled?
> You can use the Azure RM API directly like this:

That's how I did it too. But I hope official support for this property is added soon.

> One observation: Seems `publicNetworkAccess` isn't necessarily populated. In my example I had 33 web apps, all have public network access enabled. So this might be an API / provider issue? For checking compliance: Unless the value is `Disabled`, assume it's enabled?

Yeah, haven't figured out its behaviour. Seeing this on Key Vault and Function Apps too, though `Get-AzFunctionApp` and `Get-AzKeyVault` do return the public `PublicNetworkAccess` property. However, the property is read-only. Cannot set it. Maybe its value is inferred from other networking settings?
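
The conservative rule suggested in the thread (anything other than `Disabled` counts as publicly reachable), as an added example that is not part of the original thread or of the Az module. The `Get-PublicNetworkAccessFinding` helper and the sample JSON are constructed for illustration, and reporting unpopulated values as their own state is an assumption so they can be reviewed separately from an explicit `Enabled`.

```powershell
# Constructed sample shaped like the 'value' array of the sites list call
# used earlier in the thread; app names and values are made up.
$SampleJson = @'
{ "value": [
  { "name": "app-a", "properties": { "publicNetworkAccess": "Enabled"  } },
  { "name": "app-b", "properties": { "publicNetworkAccess": "Disabled" } },
  { "name": "app-c", "properties": { "publicNetworkAccess": null } },
  { "name": "app-d", "properties": { } }
] }
'@

# Hypothetical helper (not an Az cmdlet): one finding per site object.
function Get-PublicNetworkAccessFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Site
    )
    process {
        # Missing and null properties both become an empty string here.
        $Raw = [string] $Site.properties.publicNetworkAccess

        if ([string]::IsNullOrWhiteSpace($Raw)) { $State = 'NotPopulated' }
        elseif ($Raw -eq 'Disabled')            { $State = 'Disabled' }
        elseif ($Raw -eq 'Enabled')             { $State = 'Enabled' }
        else                                    { $State = 'Unexpected' }

        [pscustomobject]@{
            Name      = $Site.name
            Reported  = $Raw
            State     = $State
            # Assumption from the thread: only an explicit 'Disabled' passes.
            Compliant = ($State -eq 'Disabled')
        }
    }
}

$Findings = ($SampleJson | ConvertFrom-Json).value | Get-PublicNetworkAccessFinding

# Summary per state, then the apps that need review.
$Findings | Group-Object -Property State -NoElement
$Findings | Where-Object { -not $_.Compliant } | Format-Table Name, Reported, State
```

With a live session, the `$WebApps` array from the `Invoke-AzRestMethod` snippet above can be piped into the function in place of the sample.
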
Description
Get-AzWebapp not returning values under Site Config when run at Subscription Level.
```
$azapps[0].SiteConfig

NumberOfWorkers : 1
DefaultDocuments :
NetFrameworkVersion :
PhpVersion :
PythonVersion :
NodeVersion :
PowerShellVersion :
LinuxFxVersion :
WindowsFxVersion :
RequestTracingEnabled :
RequestTracingExpirationTime :
RemoteDebuggingEnabled :
RemoteDebuggingVersion :
HttpLoggingEnabled :
AcrUseManagedIdentityCreds : False
AcrUserManagedIdentityID :
LogsDirectorySizeLimit :
DetailedErrorLoggingEnabled :
PublishingUsername :
AppSettings :
ConnectionStrings :
MachineKey :
HandlerMappings :
DocumentRoot :
ScmType :
Use32BitWorkerProcess :
WebSocketsEnabled :
AlwaysOn : False
JavaVersion :
JavaContainer :
JavaContainerVersion :
AppCommandLine :
ManagedPipelineMode :
VirtualApplications :
LoadBalancing :
Experiments :
Limits :
AutoHealEnabled :
AutoHealRules :
TracingOptions :
VnetName :
VnetRouteAllEnabled :
VnetPrivatePortsCount :
Cors :
Push :
ApiDefinition :
ApiManagementConfig :
AutoSwapSlotName :
LocalMySqlEnabled :
ManagedServiceIdentityId :
XManagedServiceIdentityId :
KeyVaultReferenceIdentity :
IpSecurityRestrictions :
ScmIpSecurityRestrictions :
ScmIpSecurityRestrictionsUseMain :
Http20Enabled : False
MinTlsVersion :
ScmMinTlsVersion :
FtpsState :
PreWarmedInstanceCount :
FunctionAppScaleLimit : 200
HealthCheckPath :
FunctionsRuntimeScaleMonitoringEnabled :
WebsiteTimeZone :
MinimumElasticInstanceCount : 0
AzureStorageAccounts :
PublicNetworkAccess :
```
But when we add a -ResourceGroup or target a webapp using -Name then the SiteConfig values are populated.

```
NumberOfWorkers : 1
DefaultDocuments : {Default.htm, Default.html, Default.asp, index.htm…}
NetFrameworkVersion : v6.0
PhpVersion :
PythonVersion :
NodeVersion :
PowerShellVersion :
LinuxFxVersion :
WindowsFxVersion :
RequestTracingEnabled : False
RequestTracingExpirationTime :
RemoteDebuggingEnabled : False
RemoteDebuggingVersion :
HttpLoggingEnabled : False
AcrUseManagedIdentityCreds :
AcrUserManagedIdentityID :
LogsDirectorySizeLimit : 35
DetailedErrorLoggingEnabled : False
PublishingUsername : $AzureFunction-Translater
AppSettings : {FUNCTIONS_EXTENSION_VERSION, FUNCTIONS_WORKER_RUNTIME, APPLICATIONINSIGHTS_CONNECTION_STRING, AzureWebJobsStorage…}
ConnectionStrings : {}
MachineKey :
HandlerMappings :
DocumentRoot :
ScmType : None
Use32BitWorkerProcess : True
WebSocketsEnabled : False
AlwaysOn : False
JavaVersion :
JavaContainer :
JavaContainerVersion :
AppCommandLine :
ManagedPipelineMode : Integrated
VirtualApplications : {Microsoft.Azure.Management.WebSites.Models.VirtualApplication}
LoadBalancing : LeastRequests
Experiments : Microsoft.Azure.Management.WebSites.Models.Experiments
Limits :
AutoHealEnabled : False
AutoHealRules :
TracingOptions :
VnetName :
VnetRouteAllEnabled : False
VnetPrivatePortsCount :
Cors : Microsoft.Azure.Management.WebSites.Models.CorsSettings
Push :
ApiDefinition :
ApiManagementConfig :
AutoSwapSlotName :
LocalMySqlEnabled : False
ManagedServiceIdentityId :
XManagedServiceIdentityId :
KeyVaultReferenceIdentity :
IpSecurityRestrictions : {Allow all}
ScmIpSecurityRestrictions : {Allow all}
ScmIpSecurityRestrictionsUseMain : False
Http20Enabled : False
MinTlsVersion : 1.2
ScmMinTlsVersion :
FtpsState : FtpsOnly
PreWarmedInstanceCount :
FunctionAppScaleLimit :
HealthCheckPath :
FunctionsRuntimeScaleMonitoringEnabled :
WebsiteTimeZone :
MinimumElasticInstanceCount :
AzureStorageAccounts :
PublicNetworkAccess :
```