
Check for Azure Container Apps that Allow Insecure Traffic

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Container Apps are not configured to allow insecure HTTP traffic (port 80) to prevent data interception and unauthorized access. Enforcing HTTPS for endpoint access helps protect sensitive data and maintain secure communications.

Security

Allowing Microsoft Azure Container Apps to accept insecure network traffic (HTTP on port 80) exposes sensitive data to interception and tampering, because HTTP does not encrypt data in transit. This leaves the application open to Man-in-the-Middle (MITM) attacks, in which an attacker positioned on the network path can read or alter requests and responses. Routing ingress traffic through HTTPS (port 443) instead of HTTP (port 80) encrypts the connection, protecting the integrity and confidentiality of the data. Enforcing HTTPS also helps maintain compliance with industry security standards and protects users' sensitive information.


Audit

To determine if your Azure Container Apps are configured to allow insecure connections, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to examine.

06 In the resource navigation panel, under Settings, select Ingress to access the network ingress settings available for the selected Container App. If the ingress settings are unavailable (i.e., the Enabled checkbox next to Ingress is not selected), ingress traffic is disabled for the selected Container App and the Audit process ends here. Otherwise, continue the Audit process with the next step.

07 In the Ingress section, check the Insecure connections configuration setting to determine if your Container App allows HTTP traffic on port 80. If the Allowed setting checkbox next to Insecure connections is checked, the selected Microsoft Azure Container App is configured to allow insecure connections.

08 Repeat steps no. 5 – 7 for each Azure Container App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription:

az containerapp list \
	--query '[*].id'

05 The command output should return the requested Azure Container App IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app"
]

06 Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to determine if the selected Container App allows HTTP traffic on port 80:

az containerapp show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" \
	--query '{allowInsecure:properties.configuration.ingress.allowInsecure}'

07 The command output should return the "allowInsecure" configuration property value:

{
	"allowInsecure": true
}

If the containerapp show command output returns true for the "allowInsecure" property value, as shown in the output example above, the selected Microsoft Azure Container App is configured to allow insecure connections.

08 Repeat steps no. 6 and 7 for each Azure Container App available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Microsoft Azure Container Apps are not configured to allow insecure HTTP traffic (port 80), perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to configure.

06 In the resource navigation panel, under Settings, select Ingress to access the network ingress settings available for the selected Container App. Azure Container Apps provides HTTP(S) and TCP ingress to securely expose containerized applications to the Internet, your virtual network (VNET), and other Container Apps within your environment. If the ingress settings are unavailable (i.e., the Enabled checkbox next to Ingress is not selected), follow the steps outlined on this page to enable and configure secure ingress traffic.

07 In the Ingress section, ensure that Ingress type is HTTP, and uncheck the Allowed setting checkbox next to Insecure connections to disable insecure connections to the selected Microsoft Azure Container App. This ensures that HTTP requests on port 80 are automatically redirected to HTTPS on port 443. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription:

az containerapp list \
	--query '[*].id'

05 The command output should return the requested Azure Container App IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app"
]

06 Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to describe the network ingress configuration settings available for the selected Container App. Azure Container Apps provides HTTP(S) and TCP ingress to securely expose containerized applications to the Internet, your virtual network (VNET), and other Container Apps within your environment:

az containerapp show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" \
	--query '{networkIngressSettings:properties.configuration.ingress}'

07 The containerapp show command output should return the requested ingress settings. If the command output returns null for the "networkIngressSettings" attribute value, as shown in the example below, network ingress is not enabled for your Azure Container App. To enable and configure secure ingress traffic, follow the steps outlined on this page:

{
	"networkIngressSettings": null
}

08 Run containerapp ingress update command (Windows/macOS/Linux) to update the network ingress settings for the selected Microsoft Azure Container App and disable insecure connections to the Container App by setting the --allow-insecure parameter to false:

az containerapp ingress update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" \
	--allow-insecure false

09 The command output should return the new ingress information available for the selected Container App:

{
	"additionalPortMappings": null,
	"allowInsecure": false,
	"clientCertificateMode": "Ignore",
	"corsPolicy": null,
	"customDomains": null,
	"exposedPort": 0,
	"external": true,
	"fqdn": "tm-project5-container-app.calmground-abcd1234.westeurope.azurecontainerapps.io",
	"ipSecurityRestrictions": null,
	"stickySessions": {
		"affinity": "none"
	},
	"targetPort": 0,
	"traffic": [
		{
			"latestRevision": true,
			"weight": 100
		}
	],
	"transport": "Http2"
}

10 Repeat steps no. 6 – 9 for each Azure Container App that you want to configure, available within the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
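The two Azure CLI procedures above (Audit steps 01 – 09 and Remediation steps 01 – 11) carried out end-to-end in one script, as an added example that is not part of this page and not code from the Azure CLI project: it walks every subscription and Container App with the same az commands the steps use, classifies each app's ingress as disabled, insecure or secure from the "allowInsecure" property, and, when started with --fix, applies the ingress update from Remediation step 08 and re-reads the app to confirm the change took effect. It assumes an authenticated az session with the containerapp extension installed; the records in SAMPLE_APPS are constructed placeholders in the shape of the page's example output, not real resources.

```python
"""Audit and remediate allowInsecure on Azure Container Apps.

Added example, not code from the Conformity page or from the Azure CLI project.
Assumes an authenticated "az" session with rights to read and update the apps.
"""
import json
import subprocess
import sys
from typing import Any, Dict, List

# Constructed sample records in the shape "az containerapp list" returns
# (the resource IDs are placeholders, not real resources).
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
SAMPLE_APPS: List[Dict[str, Any]] = [
    {"id": f"{_RG}/providers/Microsoft.App/containerapps/app-insecure",
     "properties": {"configuration": {"ingress": {"external": True, "allowInsecure": True, "targetPort": 8080}}}},
    {"id": f"{_RG}/providers/Microsoft.App/containerapps/app-secure",
     "properties": {"configuration": {"ingress": {"external": True, "allowInsecure": False, "targetPort": 8080}}}},
    {"id": f"{_RG}/providers/Microsoft.App/containerapps/app-no-ingress",
     "properties": {"configuration": {"ingress": None}}},
]


def az(*args: str) -> Any:
    """Run one Azure CLI command and return its parsed JSON output (None if empty)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def classify_app(app: Dict[str, Any]) -> str:
    """Classify one Container App record (from "containerapp list" or "containerapp show").

    NO_INGRESS: ingress is disabled, the ingress object is null (Remediation step 07).
    INSECURE:   properties.configuration.ingress.allowInsecure is true (Audit step 07).
    SECURE:     allowInsecure is false or absent (Azure's default is false).
    """
    configuration = (app.get("properties") or {}).get("configuration") or {}
    ingress = configuration.get("ingress")
    if ingress is None:
        return "NO_INGRESS"
    return "INSECURE" if ingress.get("allowInsecure") is True else "SECURE"


def audit(apps: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map each Container App resource ID to its classification."""
    return {app["id"]: classify_app(app) for app in apps}


def remediation_command(app_id: str) -> List[str]:
    """The "az containerapp ingress update" call from Remediation step 08, as argv."""
    return ["az", "containerapp", "ingress", "update", "--ids", app_id, "--allow-insecure", "false"]


def run(fix: bool) -> int:
    """Walk every subscription and app; return how many still allow insecure traffic."""
    still_insecure = 0
    for subscription_id in az("account", "list", "--query", "[*].id") or []:
        az("account", "set", "--subscription", subscription_id)  # no output (Audit step 03)
        for app_id, state in audit(az("containerapp", "list") or []).items():
            print(f"{state:<10} {app_id}")
            if state != "INSECURE":
                continue
            if fix:
                subprocess.run(remediation_command(app_id), check=True, capture_output=True, text=True)
                # Re-read the app rather than trusting the update's own output.
                state = classify_app(az("containerapp", "show", "--ids", app_id))
                print(f"  after update: {state}")
            if state == "INSECURE":
                still_insecure += 1
    return still_insecure


if __name__ == "__main__":
    sys.exit(1 if run(fix="--fix" in sys.argv) else 0)
```

Run it without arguments to report, or with --fix to remediate; the exit status is non-zero while any app still allows insecure connections, which makes it usable as a scheduled posture check. An app reported as NO_INGRESS does not fail this check, but it is also not reachable from outside; enabling ingress for it is a separate decision, covered by Remediation step 07.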

Publication date Nov 21, 2024