- Enable Peer-to-Peer Encryption for Container Apps Environments
Ensure that peer-to-peer TLS encryption is enabled for Azure Container Apps environments in order to secure communication between containers and protect data from interception and tampering as it travels between microservices.
Enabling peer-to-peer TLS encryption in Azure Container Apps environments ensures that all internal network traffic is encrypted using a private certificate, enhancing security by preventing unauthorized access or data interception. The Peer-to-Peer Encryption feature automatically manages the certificates, simplifying security maintenance and ensuring compliance with data protection requirements within the Container App environment.
Audit
To determine if peer-to-peer encryption is enabled for your Azure Container Apps environments, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Container Apps Environment, and choose Apply to list only the Azure Container Apps environments available in the selected subscription.
05 Click on the name (link) of the Azure Container Apps environment that you want to examine.
06 In the resource navigation panel, under Ingress, select Encryption to access the peer-to-peer encryption settings available for the selected environment.
07 On the Encryption page, inspect the Enabled setting checkbox available next to Peer-to-Peer encryption to determine if the encryption feature is enabled for your resource. If the Enabled checkbox is unchecked, peer-to-peer TLS encryption is not enabled for the selected Azure Container Apps environment.
08 Repeat steps no. 5 - 7 for each Azure Container Apps environment available within the selected subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run containerapp env list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Azure Container Apps environment available in the selected subscription:
az containerapp env list --query '[*].id'
05 The command output should return the requested Container Apps environment IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/managedEnvironment-project5-app-abcd", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/managedEnvironment-container-app-bcda" ]
06 Run containerapp env show command (Windows/macOS/Linux) with the ID of the Azure Container App environment that you want to examine as the identifier parameter, to describe the Peer-to-Peer Encryption feature status for the selected Container App environment:
az containerapp env show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/managedEnvironment-cloudshellstora-90f1" --query 'properties.peerTrafficConfiguration.encryption.enabled'
07 The command output should return the requested feature status (true for enabled, false for disabled):
false
If the containerapp env show command output returns false, as shown in the output example above, peer-to-peer TLS encryption is not enabled for the selected Azure Container Apps environment.
08 Repeat steps no. 6 and 7 for each Azure Container Apps environment available in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
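The Azure CLI audit above checks one environment at a time. The following added script (not part of the original page or of the Azure CLI) evaluates the full JSON output of az containerapp env list -o json for the current subscription, applying the same properties.peerTrafficConfiguration.encryption.enabled test to every environment and also reporting the neighbouring peerAuthentication.mtls.enabled flag for context. The resource IDs in SAMPLE are constructed placeholders; an environment whose description lacks the encryption flag is treated as non-compliant rather than silently skipped.

```python
"""Audit `az containerapp env list -o json` output for peer-to-peer TLS encryption.
Usage: az containerapp env list -o json | python3 p2p_audit.py
With no piped input, the constructed SAMPLE below is evaluated instead."""
import json
import sys

def read_flag(node, *path):
    """Follow a key path through nested dicts; return the bool found, else None."""
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, bool) else None

def summarize(envs):
    """Map each environment ID to its peer-traffic flags. 'encryption' is the
    setting this rule audits; 'mtls' (peerAuthentication) appears in the same
    output and is reported for context only."""
    report = {}
    for env in envs:
        props = env.get("properties") or {}
        report[env["id"]] = {
            "encryption": read_flag(props, "peerTrafficConfiguration", "encryption", "enabled"),
            "mtls": read_flag(props, "peerAuthentication", "mtls", "enabled"),
        }
    return report

def find_noncompliant(envs):
    """IDs whose encryption flag is not True. A missing flag (None) is reported
    too: an environment that cannot be shown to encrypt peer traffic is not compliant."""
    return [eid for eid, s in summarize(envs).items() if s["encryption"] is not True]

def resource_id(name):
    """Placeholder resource ID (constructed; not a real environment)."""
    return ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            f"rg-example/providers/Microsoft.App/managedEnvironments/{name}")

# Constructed sample mirroring the fields of the page's `env show` output.
SAMPLE = [
    {"id": resource_id("env-encrypted"), "properties": {
        "peerTrafficConfiguration": {"encryption": {"enabled": True}},
        "peerAuthentication": {"mtls": {"enabled": True}}}},
    {"id": resource_id("env-plaintext"), "properties": {
        "peerTrafficConfiguration": {"encryption": {"enabled": False}},
        "peerAuthentication": {"mtls": {"enabled": False}}}},
    {"id": resource_id("env-unknown"), "properties": {"provisioningState": "Succeeded"}},
]

if __name__ == "__main__":
    envs = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for eid in find_noncompliant(envs):
        print("NON-COMPLIANT", eid, summarize(envs)[eid])
```

Run it once per subscription after az account set, since az containerapp env list only returns environments in the active subscription.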
Remediation / Resolution
To enable the Peer-to-Peer Encryption feature for your Microsoft Azure Container Apps environments, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Container Apps Environment, and choose Apply to list only the Azure Container Apps environments available in the selected subscription.
05 Click on the name (link) of the Azure Container Apps environment that you want to configure.
06 In the resource navigation panel, under Ingress, select Encryption to access the peer-to-peer encryption settings available for the selected environment.
07 On the Encryption page, check the Enabled setting checkbox available next to Peer-to-Peer encryption to enable peer-to-peer TLS encryption for the selected Azure Container Apps environment. Choose Apply to apply the configuration changes.
08 Repeat steps no. 5 - 7 for each Azure Container Apps environment available within the selected subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run containerapp env list command (Windows/macOS/Linux) to list the identifier (ID) of each Azure Container Apps environment available in the selected subscription:
az containerapp env list --query '[*].id'
05 The command output should return the requested Container Apps environment IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/managedEnvironment-project5-app-abcd", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/managedEnvironment-container-app-bcda" ]
06 Run containerapp env update command (Windows/macOS/Linux) with the ID of the Azure Container App environment that you want to configure as the identifier parameter, to enable the Peer-to-Peer Encryption feature for the selected Container App environment:
az containerapp env update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/managedEnvironment-project5-app-abcd" --enable-peer-to-peer-encryption true
07 The command output should return the configuration information available for the modified Container App environment:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/managedEnvironment-project5-app-abcd",
  "location": "West Europe",
  "name": "managedEnvironment-project5-app-abcd",
  "properties": {
    "appLogsConfiguration": {
      "destination": "log-analytics",
      "logAnalyticsConfiguration": {
        "sharedKey": null
      }
    },
    "customDomainConfiguration": {
      "certificatePassword": null,
      "certificateValue": null,
      "dnsSuffix": null,
      "expirationDate": null,
      "subjectName": null,
      "thumbprint": null
    },
    "daprAIConnectionString": null,
    "daprAIInstrumentationKey": null,
    "daprConfiguration": {
      "version": "1.12.5"
    },
    "defaultDomain": "domain-abcd1234.westeurope.azurecontainerapps.io",
    "infrastructureResourceGroup": null,
    "kedaConfiguration": {
      "version": "2.15.1"
    },
    "peerAuthentication": {
      "mtls": {
        "enabled": true
      }
    },
    "peerTrafficConfiguration": {
      "encryption": {
        "enabled": true
      }
    },
    "provisioningState": "Succeeded",
    "vnetConfiguration": null,
    "workloadProfiles": [
      {
        "name": "Consumption",
        "workloadProfileType": "Consumption"
      }
    ],
    "zoneRedundant": false
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.App/managedEnvironments"
}
08 Repeat steps no. 6 and 7 for each Azure Container Apps environment provisioned in the selected subscription.
09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.
References
- Azure Official Documentation
- Provide a virtual network to an external Azure Container Apps environment
- Peer-to-peer encryption in the Azure Container Apps environment
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az containerapp list
- az containerapp update