Expose frontend HTTP endpoints over HTTPS
Security · Application Gateway · Rule · 2021_09 · Critical
Application Gateways should only expose frontend HTTP endpoints over HTTPS.
Description
Application Gateways support HTTP and HTTPS endpoints for both backend and frontend traffic.
When a frontend HTTP (port 80) endpoint is used, traffic between the client and the Application Gateway is not encrypted.
Unencrypted communication could allow disclosure of information to an untrusted party.
Recommendation
Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.
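To make the description and recommendation above concrete, here is an added example (not part of the PSRule for Azure documentation and not the rule's own implementation): a small Python checker that scans an ARM template for Application Gateway frontend ports that accept plaintext HTTP. It generalizes slightly beyond the "set the port to 443" guidance: a frontend port passes when it is 443, or when every listener bound to it is either an HTTPS listener or an HTTP listener whose routing rule redirects to an HTTPS listener (the HTTP-to-HTTPS redirect the recommendation mentions). Property names are matched case-insensitively, as ARM does, so `Port` and `port` both work. The resource ids, names and the three sample templates are constructed for this example; sub-resource ids are assumed to be literal paths, and `[resourceId(...)]` expressions are deliberately not parsed, which makes such listeners count as not redirected.

```python
"""Added example: flag Application Gateway frontend ports that accept plaintext HTTP.
Pass rule: port 443, or every listener on the port is HTTPS or redirects to HTTPS."""
import json

APPGW_TYPE = "microsoft.network/applicationgateways"
HTTPS_PORT = 443


def ci_get(obj, key, default=None):
    """Case-insensitive key lookup in an ARM property bag (ARM ignores key case)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == key.lower():
                return v
    return default


def name_from_id(ref):
    """Last path segment of a literal sub-resource id ('' if absent).
    Assumption: ids are literal paths; resourceId() expressions are not parsed."""
    return str(ref or "").rstrip("/").split("/")[-1]


def sub_id(ref_obj):
    return name_from_id(ci_get(ref_obj, "id", ""))


def check_app_gateway(resource):
    """Return a list of findings for one applicationGateways resource; [] means pass."""
    props = ci_get(resource, "properties", {}) or {}
    ports = {ci_get(fp, "name"): ci_get(ci_get(fp, "properties"), "port")
             for fp in ci_get(props, "frontendPorts", []) or []}
    https_listeners, listeners_by_port = set(), {}
    for hl in ci_get(props, "httpListeners", []) or []:
        hp = ci_get(hl, "properties", {}) or {}
        name = ci_get(hl, "name")
        listeners_by_port.setdefault(sub_id(ci_get(hp, "frontendPort")), []).append(name)
        if str(ci_get(hp, "protocol", "")).lower() == "https":
            https_listeners.add(name)
    # Redirect configurations, keyed by name, mapped to the listener they target.
    redirects = {ci_get(rc, "name"): sub_id(ci_get(ci_get(rc, "properties"), "targetListener"))
                 for rc in ci_get(props, "redirectConfigurations", []) or []}
    redirected = set()  # HTTP listeners whose routing rule redirects to an HTTPS listener
    for rule in ci_get(props, "requestRoutingRules", []) or []:
        rp = ci_get(rule, "properties", {}) or {}
        if redirects.get(sub_id(ci_get(rp, "redirectConfiguration"))) in https_listeners:
            redirected.add(sub_id(ci_get(rp, "httpListener")))
    findings = []
    for port_name, port in ports.items():
        if port == HTTPS_PORT:
            continue
        bound = listeners_by_port.get(port_name, [])
        if bound and all(l in https_listeners or l in redirected for l in bound):
            continue  # e.g. port 80 used only to send clients a redirect to HTTPS
        findings.append(f"{ci_get(resource, 'name')}: frontend port '{port_name}' "
                        f"({port}) exposes unencrypted HTTP")
    return findings


def check_template(template_json):
    """Run the check over every Application Gateway resource in an ARM template string."""
    template = json.loads(template_json)
    return [f for r in template.get("resources", [])
            if str(ci_get(r, "type", "")).lower() == APPGW_TYPE
            for f in check_app_gateway(r)]


# --- constructed sample templates (placeholder subscription and resource group) ---
GW = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
      "/providers/Microsoft.Network/applicationGateways/app-gw")


def _template(props):
    return json.dumps({"resources": [{"type": "Microsoft.Network/applicationGateways",
                                      "name": "app-gw", "properties": props}]})


HTTPS_ONLY = _template({"frontendPorts": [{"name": "https", "properties": {"Port": 443}}]})
PLAINTEXT = _template({
    "frontendPorts": [{"name": "http", "properties": {"port": 80}}],
    "httpListeners": [{"name": "http-listener", "properties": {
        "protocol": "Http", "frontendPort": {"id": GW + "/frontendPorts/http"}}}]})
REDIRECTED = _template({
    "frontendPorts": [{"name": "http", "properties": {"port": 80}},
                      {"name": "https", "properties": {"port": 443}}],
    "httpListeners": [
        {"name": "http-listener", "properties": {
            "protocol": "Http", "frontendPort": {"id": GW + "/frontendPorts/http"}}},
        {"name": "https-listener", "properties": {
            "protocol": "Https", "frontendPort": {"id": GW + "/frontendPorts/https"}}}],
    "redirectConfigurations": [{"name": "to-https", "properties": {
        "redirectType": "Permanent",
        "targetListener": {"id": GW + "/httpListeners/https-listener"}}}],
    "requestRoutingRules": [{"name": "redirect-http", "properties": {
        "ruleType": "Basic",
        "httpListener": {"id": GW + "/httpListeners/http-listener"},
        "redirectConfiguration": {"id": GW + "/redirectConfigurations/to-https"}}}]})

if __name__ == "__main__":
    for label, tpl in [("https-only", HTTPS_ONLY), ("plaintext", PLAINTEXT), ("redirected", REDIRECTED)]:
        print(label, "->", check_template(tpl) or "pass")
```

The check treats an unmatched or unparsed listener reference as not redirected, so the failure mode is a false positive rather than a silently accepted plaintext port; that is the right bias for a pre-deployment gate.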
Configure with Azure template
To deploy Application Gateways that pass this rule:
- Set the properties.frontendPorts.properties.port property to 443.
For example:
```json
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2023-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    },
    "frontendPorts": [
      {
        "name": "https",
        "properties": {
          "port": 443
        }
      }
    ]
  }
}
```
Configure with Bicep
To deploy Application Gateways that pass this rule:
- Set the properties.frontendPorts.properties.port property to 443.
For example:
```bicep
resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: name
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
    frontendPorts: [
      {
        name: 'https'
        properties: {
          port: 443
        }
      }
    ]
  }
}
```
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, use the following syntax:
To use the latest version:
Links
- SE:07 Encryption
- DP-3: Encrypt sensitive data in transit
- Create an application gateway with HTTP to HTTPS redirection using the Azure portal
- Azure deployment reference