
Use HTTPS to monitor web-based endpoints

Security · Traffic Manager · Rule · 2020_06 · Important

Monitor Traffic Manager web-based endpoints with HTTPS.

Description

Traffic Manager can use TCP, HTTP or HTTPS to monitor endpoint health. For web-based endpoints use HTTPS.

If TCP is used, Traffic Manager only checks that it can open a TCP port on the endpoint. This alone does not indicate that the endpoint is operational and ready to receive requests. When HTTP or HTTPS is used, Traffic Manager additionally checks the HTTP response code returned by the endpoint.

If HTTP is used, Traffic Manager sends unencrypted health checks to the endpoint. HTTPS-based health checks additionally check that a certificate is present, but they do not validate the certificate.

Recommendation

Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases the accuracy of health probes.

Examples

Configure with Azure template

To deploy Traffic Manager profiles that pass this rule:

  • Set the properties.monitorConfig.protocol property to HTTPS for HTTP-based endpoints.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/trafficmanagerprofiles",
  "apiVersion": "2022-04-01",
  "name": "[parameters('name')]",
  "location": "global",
  "properties": {
    "endpoints": "[parameters('endpoints')]",
    "trafficRoutingMethod": "Performance",
    "monitorConfig": {
      "protocol": "HTTPS",
      "port": 443,
      "intervalInSeconds": 30,
      "timeoutInSeconds": 5,
      "toleratedNumberOfFailures": 3,
      "path": "/healthz"
    }
  }
}
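As an added example that is not part of the original rule page, the following Python script applies the rule above to a deployment template: it finds every trafficmanagerprofiles resource, reads properties.monitorConfig.protocol, and reports why TCP and HTTP probes fail and HTTPS passes. The template fragment and the profile names are constructed for the example, and it assumes every profile monitors web-based endpoints.

```python
import json

# Constructed ARM template fragment (not from the page): three Traffic Manager
# profiles that differ only in monitorConfig.protocol.
TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Network/trafficmanagerprofiles", "name": "tm-tcp",
     "properties": {"monitorConfig": {"protocol": "TCP", "port": 443}}},
    {"type": "Microsoft.Network/trafficmanagerprofiles", "name": "tm-http",
     "properties": {"monitorConfig": {"protocol": "HTTP", "port": 80, "path": "/healthz"}}},
    {"type": "Microsoft.Network/trafficmanagerprofiles", "name": "tm-https",
     "properties": {"monitorConfig": {"protocol": "HTTPS", "port": 443, "path": "/healthz"}}}
  ]
}
""")


def check_monitor_protocol(resource):
    """Return (passed, reason) for one trafficmanagerprofiles resource."""
    monitor = resource.get("properties", {}).get("monitorConfig", {})
    protocol = str(monitor.get("protocol", "")).upper()
    if protocol == "HTTPS":
        return True, "HTTPS probes are encrypted and check the HTTP response code"
    if protocol == "HTTP":
        return False, "HTTP probes are sent unencrypted; set protocol to HTTPS"
    if protocol == "TCP":
        return False, "TCP probes only confirm the port opens, not that the endpoint serves requests"
    return False, f"unrecognised or missing monitorConfig.protocol {protocol!r}"


def evaluate_template(template):
    """Map each Traffic Manager profile name to its (passed, reason) result."""
    results = {}
    for res in template.get("resources", []):
        # Resource type comparison is case-insensitive, as ARM treats it.
        if res.get("type", "").lower() != "microsoft.network/trafficmanagerprofiles":
            continue
        results[res["name"]] = check_monitor_protocol(res)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in evaluate_template(TEMPLATE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```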

Configure with Bicep

To deploy Traffic Manager profiles that pass this rule:

  • Set the properties.monitorConfig.protocol property to HTTPS for HTTP-based endpoints.

For example:

Azure Bicep snippet
resource profile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01' = {
  name: name
  location: 'global'
  properties: {
    endpoints: endpoints
    trafficRoutingMethod: 'Performance'
    monitorConfig: {
      protocol: 'HTTPS'
      port: 443
      intervalInSeconds: 30
      timeoutInSeconds: 5
      toleratedNumberOfFailures: 3
      path: '/healthz'
    }
  }
}
