Enable HTTP/2 Only for Azure Container Apps

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that HTTP/2 only is enabled for your Microsoft Azure Container Apps in order to benefit from the performance enhancements introduced by the HTTP/2 protocol. Web applications with high traffic, multiple simultaneous requests (e.g., social media, e-commerce, and streaming platforms) benefit from HTTP/2 due to its multiplexing and faster data loading features.

Performance efficiency

Enabling HTTP/2 only for Azure Container Apps improves performance by reducing latency, enabling multiplexed streams over a single connection, and allowing for faster data transfer. It also provides better resource efficiency, as multiple requests can be handled simultaneously over the same connection, reducing connection overhead.

Azure Container Apps must have HTTP ingress configured to enable HTTP/2.


Audit

To determine if HTTP/2 only is enabled for Azure Container Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to examine.

06 In the resource navigation panel, under Settings, select Ingress to access the network ingress settings available for the selected Container App. If the ingress settings are unavailable (i.e., the Enabled checkbox next to Ingress is not selected), ingress access is disabled for the selected Container App and the Audit process ends here. Otherwise, continue the Audit process with the next step.

07 In the Ingress section, check the Transport configuration setting to determine the transport protocol type used by the selected resource. If Transport is not set to HTTP/2, HTTP/2 only is not enabled for the selected Microsoft Azure Container App.

08 Repeat steps no. 5 – 7 for each Azure Container App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription:

az containerapp list \
	--query '[*].id'

05 The command output should return the requested Azure Container App IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app"
]

06 Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to determine the transport protocol type used by the selected Container App:

az containerapp show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" \
	--query '{transportProtocolType:properties.configuration.ingress.transport}'

07 The command output should return the transport protocol type configured for the selected resource:

{
	"transportProtocolType": "Http"
}

If the containerapp show command output does not return "Http2" for the "transportProtocolType" attribute value, HTTP/2 only is not enabled for the selected Microsoft Azure Container App.

08 Repeat steps no. 6 and 7 for each Azure Container App available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
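
The CLI audit steps above can be run in one pass. The following is an added example, not code from the original page or from Microsoft: audit_transport classifies each app from the tab-separated output of az containerapp list, treating a null ingress (printed as None in tsv output) as the point where the audit ends. The function names, the sample rows and the two demo- app names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Container Apps by ingress transport.
# Input: one app per line, "<resource id><TAB><transport>", as produced by
#   az containerapp list --query '[].[id, properties.configuration.ingress.transport]' -o tsv

TAB=$(printf '\t')

audit_transport() {
	while IFS="$TAB" read -r id transport; do
		[ -n "$id" ] || continue
		case "$transport" in
			Http2|http2) status=PASS ;;  # HTTP/2 only is enabled
			None|"")     status=SKIP ;;  # ingress disabled: audit ends here
			*)           status=FAIL ;;  # any other transport value
		esac
		# Report the app name (last path segment of the resource ID).
		printf '%s\t%s\t%s\n' "$status" "${id##*/}" "$transport"
	done
}

# Live run across every subscription (needs a logged-in az CLI with the
# containerapp extension; defined here but not called by this example).
audit_all_subscriptions() {
	az account list --query '[].id' -o tsv | while read -r sub; do
		az containerapp list --subscription "$sub" \
			--query '[].[id, properties.configuration.ingress.transport]' -o tsv
	done | audit_transport
}

# Constructed sample rows (placeholder IDs, not real resources).
sample_rows() {
	p=/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps
	printf '%s/tm-project5-container-app\tHttp\n' "$p"
	printf '%s/tm-openai-container-app\tHttp2\n' "$p"
	printf '%s/demo-worker-app\tNone\n' "$p"
	printf '%s/demo-edge-app\tAuto\n' "$p"
}

# Offline demonstration on the constructed rows.
sample_rows | audit_transport
```

To audit a real account, call audit_all_subscriptions instead of piping sample_rows; every FAIL line is an app to carry into the Remediation section.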

Remediation / Resolution

To ensure that HTTP/2 only is enabled for your Microsoft Azure Container Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to configure.

06 In the resource navigation panel, under Settings, select Ingress to access the network ingress settings available for the selected Container App. Azure Container Apps provides HTTPS and TCP ingress to securely expose containerized applications to the Internet, your virtual network (VNET), and other Container Apps within your environment. If the ingress settings are unavailable (i.e., the Enabled checkbox next to Ingress is not selected), follow the steps outlined on this page to enable and configure secure HTTPS/TCP ingress.

07 In the Ingress section, ensure that Ingress type is HTTP, and set the Transport setting to HTTP/2 to enable HTTP/2 only for the selected Microsoft Azure Container App. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription:

az containerapp list \
	--query '[*].id'

05 The command output should return the requested Azure Container App IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app"
]

06 Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to describe the network ingress configuration settings available for the selected Container App. Azure Container Apps provides HTTPS and TCP ingress to securely expose containerized applications to the Internet, your virtual network (VNET), and other Container Apps within your environment:

az containerapp show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" \
	--query '{networkIngressSettings:properties.configuration.ingress}'

07 The containerapp show command output should return the requested ingress settings. If the command output returns null for the "networkIngressSettings" attribute value, as shown in the example below, network ingress is not enabled for your Azure Container App. To enable and configure secure HTTPS/TCP ingress, follow the steps outlined on this page:

{
	"networkIngressSettings": null
}

08 Run containerapp ingress update command (OSX/Linux/UNIX) to update the network ingress settings for the selected Azure Container App in order to enable support for HTTP/2 only:

az containerapp ingress update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" \
	--transport http2

09 The command output should return the ingress information available for the selected Container App:

{
	"additionalPortMappings": null,
	"allowInsecure": false,
	"clientCertificateMode": "Ignore",
	"corsPolicy": null,
	"customDomains": null,
	"exposedPort": 0,
	"external": false,
	"fqdn": "tm-project5-container-app.calmground-abcd1234.westeurope.azurecontainerapps.io",
	"ipSecurityRestrictions": null,
	"stickySessions": {
		"affinity": "none"
	},
	"targetPort": 0,
	"traffic": [
		{
			"latestRevision": true,
			"weight": 100
		}
	],
	"transport": "Http2"
}

10 Repeat steps no. 6 – 9 for each Azure Container App that you want to configure, available within the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Publication date Nov 20, 2024