MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

NSG Rules Revision - Service Tags #86311

Closed. gollima closed this 2 years ago

gollima commented 2 years ago

Can you please revisit the rules and check if there are new service tags (e.g. AzureCloud) that improve the rules' restriction for inbound and outbound? Any-Any rules are very disturbing and a lot of CSPM tools keep pointing out that the rules may be too open.



Grace-MacJones-MSFT commented 2 years ago

Hi @gollima, Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

madsd commented 2 years ago

Hi @gollima Are there specific rules that you are concerned about? Many of the inbound rules are for application traffic and depend on what features in App Service you use - e.g. FTP and Remote Debugging can be removed if you do not use these services. With App Service Environment v3 we no longer have these dependencies, and only require a single inbound rule to allow health probe traffic from the load balancer.

gollima commented 2 years ago

Thanks for the clarification. I'm testing some more restricted rules here. For inbound, my understanding is that the "must have" to work is 80, 443 from anywhere and 454-455 from AppServiceManagement. FTP (21), FTPS (990), Debugging (4016-4022) are optional as you said. Is FTP used for deployment only?

For outbound, the must have is 80, 443, 12000 TCP to anywhere, 53, 123 UDP to anywhere. I tried using SQL (1433) to service tag SQL instead of anywhere. It seems to work fine. There are some connections using TCP 11000-11999 that seem to be also for SQL Server. I'm getting statistics to check if the service tag SQL will help with this range too.

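As an added example (not code from the issue thread or from the Azure docs): the tightened rule set described above, written in the ARM `securityRules` shape, with a CSPM-style check that separates true any-any rules from the port-scoped wildcard rules the thread says must stay open. Rule names, priorities and the list-form `destinationPortRanges` field are assumptions.

```python
# Added example: ARM-style NSG rules from the thread plus a CSPM-style check.

def rule(name, priority, direction, protocol, src, dst, ports, access="Allow"):
    """One NSG rule; names, priorities and the list-form port field are assumed."""
    return {
        "name": name,
        "properties": {
            "priority": priority,
            "direction": direction,          # "Inbound" or "Outbound"
            "protocol": protocol,            # "Tcp", "Udp" or "*"
            "sourceAddressPrefix": src,      # CIDR, "*" or a service tag
            "destinationAddressPrefix": dst,
            "sourcePortRange": "*",
            "destinationPortRanges": ports,  # port numbers or "lo-hi" ranges
            "access": access,
        },
    }

# Constructed from the ports named in the thread: 80/443 from anywhere,
# 454-455 only from the AppServiceManagement tag, SQL only to the Sql tag.
TIGHTENED_RULES = [
    rule("In-Web", 100, "Inbound", "Tcp", "*", "*", ["80", "443"]),
    rule("In-Mgmt", 110, "Inbound", "Tcp", "AppServiceManagement", "*", ["454", "455"]),
    rule("Out-Web", 100, "Outbound", "Tcp", "*", "*", ["80", "443", "12000"]),
    rule("Out-DnsNtp", 110, "Outbound", "Udp", "*", "*", ["53", "123"]),
    rule("Out-Sql", 120, "Outbound", "Tcp", "*", "Sql", ["1433"]),
]

# The broad rule CSPM tools complain about: every protocol, peer and port.
ANY_ANY_RULE = rule("Out-AnyAny", 200, "Outbound", "*", "*", "*", ["*"])

def remote_peer(r):
    """The side of the rule that is not the subnet itself."""
    p = r["properties"]
    return p["destinationAddressPrefix"] if p["direction"] == "Outbound" else p["sourceAddressPrefix"]

def is_any_any(r):
    """Allow rule that matches all protocols, all remote peers and all ports."""
    p = r["properties"]
    return (p["access"] == "Allow" and p["protocol"] == "*"
            and remote_peer(r) == "*" and "*" in p["destinationPortRanges"])

def classify(rules):
    """Split names into any-any rules (replace with tag-scoped ones) and port-scoped '*' peers (document and accept)."""
    any_any = [r["name"] for r in rules if is_any_any(r)]
    wildcard = [r["name"] for r in rules
                if remote_peer(r) == "*" and r["name"] not in any_any]
    return {"any_any": any_any, "wildcard_peer": wildcard}
```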

madsd commented 2 years ago

For ASEv2 we are not able to make these more specific as the endpoints are not tagged (management endpoints). As mentioned, you have full freedom with ASEv3 to apply tight NSGs and only allow what your app really needs (typically port 443 inbound).

please-close