Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use TLS/SSL Certificates for Azure Container App Custom Domains

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that all custom domains assigned to your Microsoft Azure Container Apps are secured with TLS/SSL certificates in order to enable encrypted communication between clients and Container Apps, and enhance data privacy and user trust.

Security

Azure Container Apps service allows you to bind one or more custom domains, and using TLS/SSL certificates for these domains is essential to secure data in transit. TLS/SSL encrypts communication between clients and Container Apps, protecting sensitive information like user credentials and personal data from interception by attackers. Additionally, TLS/SSL verifies the authenticity and integrity of your application, increasing user trust by confirming that the data originates from a legitimate source. Secure connections also support regulatory compliance and strengthen overall security.

Audit

To determine if your Azure Container App custom domains are using TLS/SSL certificates, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to examine.

06 In the resource navigation panel, under Settings, select Custom domains to access the page with the custom domains assigned to the selected Container App. If no custom domains are listed on this page, there are none assigned to your Container App, therefore, the Audit process ends here. Otherwise, continue the Audit process with the next step.

07 Choose the custom domain that you want to examine and check the TLS/SSL binding status available in the Status column. If the binding status is No binding, there is no TLS/SSL binding configured for the domain. Therefore, the verified Azure Container App custom domain is not using a TLS/SSL certificate to enforce encrypted communication.

08 Repeat step no. 7 for each custom domain assigned to the selected Container App.

09 Repeat steps no. 5 - 8 for each Azure Container App deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription: 

az containerapp list
	--query '[*].id'

05 The command output should return the requested Azure Container App IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app"
]

06 Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to describe each custom domain assigned to the selected Container App: 

az containerapp show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app"
	--query '{customDomains:properties.configuration.ingress.customDomains}'

07 The command output should return the name of each custom domain assigned to your app and the TLS/SSL binding status. If the command output returns **"customDomains": null**, there are no custom domains assigned to your Container App, therefore, the Audit process ends here. Otherwise, continue the Audit process with the next step: 

{
	"customDomains": [
		{
			"name": "domain.com",
			"bindingType": "Disabled"
		}
	]
}

Check the "bindingType" attribute value for each custom domain returned by the containerapp show command output to determine the domain's binding status. If the "bindingType" value is "Disabled", there is no TLS/SSL binding configured for the domain. Therefore, the verified Azure Container App custom domain is not using a TLS/SSL certificate to enforce encrypted communication.

08 Repeat step no. 6 and 7 for each Azure Container App available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that all custom domains assigned to your Microsoft Azure Container Apps are secured with TLS/SSL certificates, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to configure.

06 In the resource navigation panel, under Settings, select Custom domains to access the list with the custom domains assigned to the selected Container App.

07 Choose the non-compliant custom domain that you want to configure, click on Add binding in the Solution column, and perform the following actions to add a TLS/SSL certificate binding to the selected domain:

  1. For TLS/SSL certificate, select the type of the certificate that you want to use for your custom domain. You can use a free managed certificate or bring your own certificate. Select Managed certificate if you want to create and bind a managed TLS/SSL certificate to your custom domain at no cost. This certificate is automatically renewed as long as your Container App continues to meet the requirements for managed certificates. Or choose Bring your own certificate if you want to upload your own TLS/SSL certificate and bind it with the selected domain. This option allows you to upload your certificate in .pfx format or import it from your Azure Key Vault.
  2. To validate your domain ownership, using the DNS provider that is hosting your domain, create DNS records based on the Hostname record type you selected, using the values shown in the Domain validation section. Choose Validate to initiate the validation process.
  3. Once the validation succeeds, choose Add to complete the TLS/SSL binding.

08 Repeat step no. 7 for each custom domain that you want to configure, assigned to the selected Container App.

09 Repeat steps no. 5 - 8 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription: 

az containerapp list
	--query '[*].id'

05 The command output should return the requested Azure Container App IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app"
]

06 To bind a managed TLS/SSL certificate to your custom domain, perform the following actions:

  1. Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to configure as the identifier parameter, to describe the ID of the associated Container App environment and the domain verification ID. You can use the domain verification ID to configure your DNS settings with TXT records in order to verify your domain ownership: 
    az containerapp show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app"
	--query '{environmentId:properties.environmentId,customDomainVerificationId:properties.customDomainVerificationId}'
  2. The command output should return the requested IDs: 
    {
	"environmentId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/tm-project5-container-app-env",
	"customDomainVerificationId": "ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"
}
  3. Run containerapp hostname bind command (OSX/Linux/UNIX) to create and bind a managed TLS/SSL certificate to the Azure Container App custom domain specified by the --hostname parameter. If you're configuring an A record, set --validation-method to HTTP. If you're configuring a CNAME, set --validation-method to CNAME: 
    az containerapp hostname bind
	--hostname domain.com
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app"
	--environment "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/tm-project5-container-app-env"
	--validation-method HTTP
  4. The command output should return the new TLS/SSL binding information: 
    [
	{
		"bindingType": "SniEnabled",
		"certificateId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/tm-project5-container-app-env/managedCertificates/domain-com-abc-1234",
		"name": "domain.com"
	}
]

07 To bind your own TLS/SSL certificate to your custom domain, perform the following operations:

  1. Run containerapp env certificate list command (OSX/Linux/UNIX) with custom query filters to list the identifier (ID) of each TLS/SSL certificate managed by your Azure Container App environment: 
    az containerapp env certificate list
	--name tm-project5-container-app-env
	--resource-group cloud-shell-storage-westeurope
	--query '[*].id'
  2. The command output should return the requested certificate IDs: 
    [
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/tm-project5-container-app-env/certificates/domain-com"
]
  3. Run containerapp hostname bind command (OSX/Linux/UNIX) to bind your own TLS/SSL certificate to the Azure Container App custom domain specified by the --hostname parameter. Use the --certificate command parameter to specify the ID of your own TLS/SSL certificate. To get the full ID of your TLS/SSL certificate managed with Microsoft Azure Container App, run the az containerapp env certificate list command (OSX/Linux/UNIX): 
    az containerapp hostname bind
	--hostname domain.com
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app"
	--certificate "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/tm-project5-container-app-env/certificates/domain-com"
  4. The command output should return the new TLS/SSL binding information: 
    [
	{
		"bindingType": "SniEnabled",
		"certificateId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/managedEnvironments/tm-project5-container-app-env/certificates/domain-com",
		"name": "domain.com"
	}
]

08 Repeat steps no. 6 and 7 for each Azure Container App that you want to configure, available within the current subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Nov 21, 2024

Related ContainerApps rules