Skip to content

Disable insecure container app ingress#

Security · Container App · Rule · 2023_06

Ensure insecure inbound traffic is not permitted to the container app.

Description#

Container Apps by default will automatically redirect any HTTP requests to HTTPS. In this default configuration any inbound requests will occur over a minimum of TLS 1.2. This secure by default behavior can be overridden by allowing insecure HTTP traffic.

Unencrypted communication to Container Apps could allow disclosure of information to an untrusted party.

Recommendation#

Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.

Examples#

Configure with Azure template#

To deploy resource that pass this rule:

  • Set properties.configuration.ingress.allowInsecure to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2023-05-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
    "template": {
      "revisionSuffix": "[parameters('revision')]",
      "containers": "[variables('containers')]"
    },
    "configuration": {
      "ingress": {
        "allowInsecure": false,
        "stickySessions": {
          "affinity": "none"
        }
      }
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
  ]
}

Configure with Bicep#

To deploy resource that pass this rule:

  • Set properties.configuration.ingress.allowInsecure to false.

For example:

Azure Bicep snippet
resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    environmentId: containerEnv.id
    template: {
      revisionSuffix: revision
      containers: containers
    }
    configuration: {
      ingress: {
        allowInsecure: false
        stickySessions: {
          affinity: 'none'
        }
      }
    }
  }
}
Last update: 2023-10-01

Comments