rules/findings/azure/appservices_environment/azure-app-service-environment-lacks-load-balancer.json

{
    "args": [],
    "provider": "Azure",
    "serviceType": "App Service Environments",
    "serviceName": "Hosted Services",
    "displayName": "Ensure App Service Environment is deployed with an internal load balancer",
    "description": "Apps in an App Service Environment should not be reachable over the public internet. To ensure that apps deployed in an App Service Environment are not accessible over the public internet, deploy the App Service Environment with an IP address in a virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. This rule flags environments whose internalLoadBalancingMode is none.",
    "rationale": "Disabling public network access improves security by ensuring that a service is not exposed on the public internet.",
    "impact": "Disabling public network access restricts access to the service. This enhances security but may require the configuration of private endpoints for any services or users needing access within trusted networks.",
    "remediation": {
        "text": "The virtual IP configuration of a deployed App Service Environment cannot be changed, so an environment flagged by this rule has to be redeployed as an ILB ASE and its apps moved to the new environment. When deploying an App Service Environment, next to Virtual IP, select Internal: The endpoint is an internal load balancer (ILB ASE).",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/azure/app-service/environment/creation"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Foundations",
            "version": "2.0.0",
            "reference": "2.6",
            "profile": [
                "Level 2"
            ]
        }
    ],
    "level": "low",
    "tags": [],
    "rule": {
        "path": "az_app_service_environment",
        "subPath": null,
        "selectCondition": {},
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "properties.internalLoadBalancingMode",
                                "eq",
                                "none"
                            ]
                        ]
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name",
                    "properties.internalLoadBalancingMode":"Internal Load Balancing Mode"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [],
            "emphasis": [],
            "actions": {
                "objectData": {
                    "properties": [
                        "name",
                        "location",
                        "properties"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name",
                    "properties.internalLoadBalancingMode":"Internal Load Balancing Mode"
                },
                "expandObject": null
            },
            "status": {
                "keyName": ["name"],
                "message": "Ensure App Service Environment is deployed with an internal load balancer for {name}",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": "name",
                "resourceId": "id",
                "resourceType": "type"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "azure_app_service_environment_lacks_internal_load_balancer",
    "notes": [],
    "categories": [],
    "immutable_properties": [
        "name",
        "id"
    ],
    "id": "azure_appservice_environment_003"
}