Disable insecure container app ingress

Security · Container App · Rule · 2023_06 · Important

Ensure insecure inbound traffic is not permitted to the container app.

Description

Container Apps by default will automatically redirect any HTTP requests to HTTPS. In this default configuration any inbound requests will occur over a minimum of TLS 1.2. This secure by default behavior can be overridden by allowing insecure HTTP traffic.

Unencrypted communication to Container Apps could allow disclosure of information to an untrusted party.

Recommendation

Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.

Examples

Configure with Azure template

To deploy resource that pass this rule:

• Set properties.configuration.ingress.allowInsecure to false.

For example:

Azure Template snippet

{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2024-03-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
    "template": {
      "revisionSuffix": "[parameters('revision')]",
      "containers": "[variables('containers')]",
      "scale": {
        "minReplicas": 2
      }
    },
    "configuration": {
      "ingress": {
        "allowInsecure": false,
        "external": false,
        "ipSecurityRestrictions": "[variables('ipSecurityRestrictions')]",
        "stickySessions": {
          "affinity": "none"
        }
      }
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
  ]
}

Configure with Bicep

To deploy resource that pass this rule:

• Set properties.configuration.ingress.allowInsecure to false.

For example:

Azure Bicep snippet

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    environmentId: containerEnv.id
    template: {
      revisionSuffix: revision
      containers: containers
      scale: {
        minReplicas: 2
      }
    }
    configuration: {
      ingress: {
        allowInsecure: false
        external: false
        ipSecurityRestrictions: ipSecurityRestrictions
        stickySessions: {
          affinity: 'none'
        }
      }
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/app/container-app:<version>

For example:

br/public:avm/res/app/container-app:0.11.0

To use the latest version:

br/public:avm/res/app/container-app:0.9.0

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Configure with Azure Policy

To address this issue at runtime use the following policies:

• Container Apps should only be accessible over HTTPS /providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb

Links

• SE:07 Encryption
• Ingress in Azure Container Apps
• Container Apps ARM template API specification
• Azure deployment reference

Comments