Use HTTPS to monitor web-based endpoints#
Security · Traffic Manager · Rule · 2020_06 · Important
Monitor Traffic Manager web-based endpoints with HTTPS.
Description#
Traffic Manager can use TCP, HTTP or HTTPS to monitor endpoint health. For web-based endpoints use HTTPS.
If TCP is used, Traffic Manager only checks that it can open a TCP port on the endpoint. This alone does not indicate that the endpoint is operational and ready to receive requests. Additionally when using HTTP and HTTPS, Traffic Manager check HTTP response codes.
If HTTP is used, Traffic Manager will send unencrypted health checks to the endpoint. HTTPS-based health checks additionally check if a certificate is present, but do not validate if the certificate is valid.
Recommendation#
Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.
Examples#
Configure with Azure template#
To deploy Traffic Manager profiles that pass this rule:
- Set the
properties.monitorConfig.protocolproperty toHTTPSfor HTTP-based endpoints.
For example:
{
"type": "Microsoft.Network/trafficmanagerprofiles",
"apiVersion": "2022-04-01",
"name": "[parameters('name')]",
"location": "global",
"properties": {
"endpoints": "[parameters('endpoints')]",
"trafficRoutingMethod": "Performance",
"monitorConfig": {
"protocol": "HTTPS",
"port": 443,
"intervalInSeconds": 30,
"timeoutInSeconds": 5,
"toleratedNumberOfFailures": 3,
"path": "/healthz"
}
}
}
Configure with Bicep#
To deploy Traffic Manager profiles that pass this rule:
- Set the
properties.monitorConfig.protocolproperty toHTTPSfor HTTP-based endpoints.
For example:
resource profile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01' = {
name: name
location: 'global'
properties: {
endpoints: endpoints
trafficRoutingMethod: 'Performance'
monitorConfig: {
protocol: 'HTTPS'
port: 443
intervalInSeconds: 30
timeoutInSeconds: 5
toleratedNumberOfFailures: 3
path: '/healthz'
}
}
}