
Enable Support for HTTP/2

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: APIManagement-006

Ensure that your Azure API Management API gateways are configured to use HTTP/2 in order to increase API performance on the client side. HTTP/2 is a major revision of the HTTP protocol whose primary goal is to reduce the impact of latency and connection load on servers by implementing full request and response multiplexing, minimizing protocol overhead through compression of HTTP header fields, and adding support for HTTP request prioritization and server push.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Performance efficiency

Enabling HTTP/2 for your Azure API Management API gateways can significantly enhance the performance, efficiency, and scalability of your API infrastructure, resulting in a more responsive and efficient API ecosystem.


Audit

To determine if the HTTP/2 support is enabled for your Azure API Management API gateways, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.

07 Select the Protocols tab and check the Status value for HTTP/2 under Client protocol. If the Status is set to Disabled, the support for the HTTP/2 protocol is not enabled for the API gateway associated with the selected Azure API Management service.

08 Repeat steps no. 5 – 7 for each Azure API Management service available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run the apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the protocol and cipher configuration for the API gateway associated with the selected service:

az apim show \
  --name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --output yaml \
  --query 'customProperties'

04 The command output should return the requested configuration details:

Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'false'

Check the configuration information returned by the apim show command output to determine the HTTP/2 protocol status. If Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 is set to 'false', as shown in the example above, the support for the HTTP/2 protocol is not enabled for the API gateway associated with the selected Azure API Management service instance.

05 Repeat steps no. 3 and 4 for each Azure API Management service available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
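The CLI audit steps above, automated as an added example (not code from Conformity or Microsoft): `http2_status` classifies the customProperties YAML returned by apim show, and `audit_subscription` loops over every service in the current subscription. Both function names and the sample values are assumptions made for this example; a missing key is reported as `unset` rather than guessed.

```shell
#!/bin/sh
# Added example: classify HTTP/2 status from
#   az apim show --query customProperties --output yaml
HTTP2_KEY='Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2'

# Reads customProperties YAML on stdin; prints enabled, disabled or unset.
# The value is compared case-insensitively because the service may
# return 'true' or 'True' depending on how the property was written.
http2_status() {
  tr -d "'\"\r " | awk -F: -v key="$HTTP2_KEY" '
    $1 == key {
      print ((tolower($2) == "true") ? "enabled" : "disabled")
      found = 1
      exit
    }
    END { if (!found) print "unset" }'
}

# Hypothetical helper: audits every API Management service in the current
# subscription. Needs a logged-in Azure CLI, so it is defined but not called.
audit_subscription() {
  az apim list --query '[].[name, resourceGroup]' --output tsv |
  while IFS="$(printf '\t')" read -r name rg; do
    status=$(az apim show --name "$name" --resource-group "$rg" \
               --query customProperties --output yaml </dev/null | http2_status)
    printf '%s\t%s\t%s\n' "$name" "$rg" "$status"
  done
}

# Constructed sample input, shaped like the apim show output in step 04.
sample_disabled="$HTTP2_KEY: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'"
sample_enabled="$HTTP2_KEY: 'True'"

printf 'sample (before): %s\n' "$(printf '%s\n' "$sample_disabled" | http2_status)"
printf 'sample (after):  %s\n' "$(printf '%s\n' "$sample_enabled" | http2_status)"
```

Run `audit_subscription` once per subscription (after `az account set`) to get one tab-separated line per service; any status other than `enabled` fails this rule.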

Remediation / Resolution

To enable the HTTP/2 support for your Azure API Management API gateways, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.

07 Choose the Protocols tab, select HTTP/2 under Client protocol, and choose Enable to enable support for HTTP/2. Select Save to apply the changes. Configuration changes can take from 15 to 45 minutes to apply.

08 Repeat steps no. 5 – 7 for each Azure API Management service that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the apim update command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to configure and its associated resource group as the identifier parameters to enable HTTP/2 support for the API gateway associated with the selected instance. The changes can take from 15 to 45 minutes to apply:

az apim update \
  --name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --set customProperties='{"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "true"}'

02 The command output should return the information available for the configured Azure API Management service:

{
	"additionalLocations": null,
	"apiVersionConstraint": {
		"minApiVersion": null
	},
	"certificates": null,
	"customProperties": {
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "True",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "True",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "True",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13": "False"
	},
	"developerPortalUrl": "https://cc-main-api-service-instance.developer.azure-api.net",
	"disableGateway": false,
	"enableClientCertificate": null,
	"gatewayUrl": "https://cc-main-api-service-instance.azure-api.net",
	"location": "West Europe",
	"managementApiUrl": "https://cc-main-api-service-instance.management.azure-api.net",
	"name": "cc-main-api-service-instance",
	"natGatewayState": "Unsupported",
	"platformVersion": "stv2",
	"portalUrl": "https://cc-main-api-service-instance.portal.azure-api.net",
	"privateEndpointConnections": null,
	"privateIpAddresses": null,
	"provisioningState": "Succeeded",
	"publicIpAddressId": null,
	"publicNetworkAccess": "Enabled",
	"publisherName": "TrendMicro",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"restore": null,
	"scmUrl": "https://cc-main-api-service-instance.scm.azure-api.net",
	"sku": {
		"capacity": 1,
		"name": "Developer"
	},
	"tags": {},
	"targetProvisioningState": "",
	"type": "Microsoft.ApiManagement/service",
	"virtualNetworkConfiguration": null,
	"virtualNetworkType": "None",
	"zones": null
}

03 Repeat steps no. 1 and 2 for each Azure API Management service that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.


Publication date Dec 26, 2023