Description:

Evaluating and restricting HTTP(S) access from the internet ensures that only authorized traffic is allowed to reach your web-facing resources such as Azure Web Apps, Virtual Machines, and Azure Load Balancers. This configuration helps mitigate unauthorized access, reduce the attack surface, and enforce security best practices. By using tools like Azure Firewall, Network Security Groups (NSGs), and Azure Application Gateway, you can automate the evaluation and restriction of incoming HTTP(S) traffic from the internet.

Rationale:

Restricting HTTP(S) access from the internet to only trusted sources or specific IP ranges improves the security of your resources by reducing the exposure to unwanted or malicious traffic. This is critical for protecting sensitive applications, databases, and services that could otherwise be vulnerable to attacks such as SQL injection, cross-site scripting (XSS), and DDoS attacks.

Impact:

By restricting HTTP(S) access from the internet, you reduce the risk of exposing vulnerable resources, but it may introduce challenges for legitimate users, especially those working remotely or outside a trusted network. Therefore, proper configuration and testing are essential to avoid accidental disruptions of valid service access.

Default Value:

By default, HTTP(S) access is allowed to Azure resources (such as Azure Web Apps, Virtual Machines, and Load Balancers) from anywhere on the internet, unless explicitly restricted using Network Security Groups (NSGs), Azure Firewall, or other network filtering tools.

Pre-requisites:

  • Azure subscription.

  • Network Security Groups (NSGs) and Azure Firewall configured.

  • The user must have Owner, Contributor, or Network Contributor permissions.

Audit:

  1. Sign in to the Azure portal as an Owner, Contributor, or Network Contributor.

  2. Navigate to Network Security Groups (NSGs), Azure Firewall, or Azure Application Gateway.

  3. Verify that HTTP(S) access is properly evaluated and restricted according to security policies.

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Network Contributor permissions.

  2. Navigate to Network Security Groups (NSGs):

    • Go to Network Security Groups in the Azure portal.

    • Ensure NSGs are configured to block HTTP (port 80) and HTTPS (port 443) access from the internet unless explicitly allowed.

  3. Restrict HTTP(S) Access Using NSGs:

    • In the NSG, configure Inbound security rules to allow HTTP(S) traffic only from trusted sources (e.g., specific IP ranges, subnets, or virtual networks).

    • Block access from any source unless explicitly required. For example:

      • Allow inbound HTTPS (port 443) only from known or trusted IP addresses or subnets.

      • Block HTTP (port 80) unless absolutely necessary.

    • Example NSG rules to restrict HTTP(S) traffic:

      • Rule 1: Allow HTTPS (port 443) from trusted IP ranges or subnets.

      • Rule 2: Deny HTTP and HTTPS (ports 80, 443) from the internet unless specifically required.

Example of an NSG configuration using Azure CLI: allow HTTPS from trusted ranges, then deny HTTP(S) from the internet. Note that `<Trusted-IP-Ranges>` is a space-separated list, so the plural `--source-address-prefixes` is used, and the deny rule uses the `Internet` service tag rather than `*` so that traffic from inside the virtual network is not also blocked (this rule at priority 200 is evaluated before the default AllowVnetInBound rule at priority 65000):

 # Rule 1: allow HTTPS only from trusted source prefixes
 az network nsg rule create \
   --resource-group <Resource-Group-Name> \
   --nsg-name <NSG-Name> \
   --name "Allow-HTTPS" \
   --protocol Tcp \
   --direction Inbound \
   --priority 100 \
   --source-address-prefixes <Trusted-IP-Ranges> \
   --source-port-range '*' \
   --destination-port-range 443 \
   --access Allow

 # Rule 2: deny HTTP and HTTPS from the Internet service tag (not '*')
 az network nsg rule create \
   --resource-group <Resource-Group-Name> \
   --nsg-name <NSG-Name> \
   --name "Deny-Internet-HTTP-HTTPS" \
   --protocol Tcp \
   --direction Inbound \
   --priority 200 \
   --source-address-prefix Internet \
   --source-port-range '*' \
   --destination-port-ranges 80 443 \
   --access Deny
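To make the Audit step concrete ("verify that HTTP(S) access is properly evaluated and restricted"), the following added example, which is not part of the original page, simulates the NSG first-match-by-priority evaluation over a constructed rule set modelled on the two rules above plus Azure's default rules, and reports which web ports an arbitrary internet source can still reach. The trusted range, probe address and the RFC 1918 approximation of the VirtualNetwork/Internet service tags are assumptions of the example.

```python
import ipaddress

# Constructed sample in the shape of `az network nsg rule list -o json`, trimmed to the fields
# evaluation needs. The two custom rules mirror the ones above; 65000+ are Azure's default rules.
SAMPLE_RULES = [
    {"name": "Allow-HTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"},
    {"name": "Deny-Internet-HTTP-HTTPS", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
# Assumption: the VirtualNetwork and Internet service tags are approximated by RFC 1918 membership.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def port_matches(spec, port):
    """Port spec is '*', a single port ('443') or a range ('8000-8080')."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def source_matches(prefix, src_ip):
    """Source spec is '*', a service tag, a CIDR or a single address."""
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix in ("Internet", "VirtualNetwork"):
        in_vnet = any(ip in net for net in RFC1918)
        return in_vnet if prefix == "VirtualNetwork" else not in_vnet
    return ip in ipaddress.ip_network(prefix, strict=False)

def evaluate(rules, src_ip, port, protocol="Tcp"):
    """First match by ascending priority, as the NSG engine does. Returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", protocol):
            continue
        ports = r.get("destinationPortRanges") or [r["destinationPortRange"]]
        if source_matches(r["sourceAddressPrefix"], src_ip) and any(port_matches(p, port) for p in ports):
            return r["access"], r["name"]
    return "Deny", None  # no rule matched: nothing is allowed by default

def internet_exposed_ports(rules, ports=(80, 443), probe_ip="198.51.100.10"):
    """Ports an arbitrary internet source (probe: a constructed TEST-NET-2 address) can reach."""
    return [p for p in ports if evaluate(rules, probe_ip, p)[0] == "Allow"]
```

Feeding it real `az network nsg rule list --include-default -o json` output, the interesting finding is a broad Allow at a lower priority number than the deny rule, which the `internet_exposed_ports` check surfaces immediately.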

  4. Use Azure Firewall to Restrict HTTP(S) Access:

    • Azure Firewall can also be used to block or allow HTTP(S) traffic based on IP addresses or ranges, providing an additional layer of security.

    • Ensure that Application Rules in Azure Firewall are configured to only allow HTTP(S) traffic from trusted locations (e.g., specific countries, IP address ranges, or virtual networks).

Example command to add an Azure Firewall Policy rule that restricts HTTP(S) access (requires the `azure-firewall` CLI extension). Because the match is on a destination IP address and port rather than an FQDN, this is a network rule; the Allow action is a property of the filter rule collection, which must already exist in the rule collection group (created with `az network firewall policy rule-collection-group collection add-filter-collection`):

 az network firewall policy rule-collection-group collection rule add \
   --resource-group <Resource-Group-Name> \
   --policy-name <Firewall-Policy-Name> \
   --rule-collection-group-name <Rule-Collection-Group-Name> \
   --collection-name <Allow-Filter-Collection-Name> \
   --name "Allow-HTTPS-from-Trusted-IP" \
   --rule-type NetworkRule \
   --ip-protocols TCP \
   --source-addresses <Trusted-IP-Ranges> \
   --destination-addresses <Destination-IP-Address> \
   --destination-ports 443

  5. Configure Web Application Firewall (WAF): If using Azure Application Gateway with WAF capabilities:

    • Enable WAF to block malicious web traffic and only allow legitimate HTTP(S) traffic.

    • Configure WAF to automatically block or alert on suspicious activities, such as SQL injection or XSS attempts.

  6. Automate HTTP(S) Evaluation with Azure Policy:

    • Use Azure Policy to ensure that any new resources that require HTTP(S) access are evaluated and automatically comply with security standards (e.g., blocking public HTTP access or restricting HTTP(S) traffic to specific IPs).

Example Azure Policy definition to restrict public HTTP(S) access. It denies NSG security rules that allow inbound traffic on port 80, 443, or any port from `*`, `0.0.0.0/0`, or the `Internet` service tag. Two caveats: rules written inline in the NSG resource body are evaluated as the parent `Microsoft.Network/networkSecurityGroups` type (via the `securityRules[*]` aliases) and need a matching condition of their own, and a deny effect only blocks new or changed rules; existing ones are reported as non-compliant, not removed:

 {
   "properties": {
     "displayName": "Restrict Public HTTP(S) Access",
     "policyType": "Custom",
     "mode": "All",
     "parameters": {},
     "policyRule": {
       "if": {
         "allOf": [
           { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
           { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
           { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
           { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": [ "*", "0.0.0.0/0", "Internet" ] },
           {
             "anyOf": [
               { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "in": [ "*", "80", "443" ] },
               {
                 "count": {
                   "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                   "where": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", "in": [ "80", "443" ] }
                 },
                 "greater": 0
               }
             ]
           }
         ]
       },
       "then": {
         "effect": "deny"
       }
     }
   }
 }

  7. Monitor and Test the Configuration:

    • Test the configuration by trying to access your resources via HTTP (port 80) and HTTPS (port 443) from various locations (trusted and untrusted).

    • Use Azure Monitor and Network Watcher to check for any unauthorized access attempts and ensure that the restrictions are being enforced as expected.

  8. Review and Fine-Tune Security Policies:

    • Continuously monitor the performance and access logs to ensure that the HTTP(S) access restrictions are effective.

    • Adjust NSG rules, Azure Firewall, or WAF configurations as needed based on traffic patterns or new security insights.

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Network Contributor permissions.

  2. Navigate to NSGs or Azure Firewall:

    • Go to Network Security Groups or Azure Firewall.

  3. Remove or Revert HTTP(S) Restrictions:

    • In NSGs, remove or modify the inbound rules that restrict HTTP(S) access from the internet.

    • In Azure Firewall, remove or revert the Application Rules that restrict HTTP(S) traffic.

  4. Revert Azure Policy Settings:

    • If Azure Policy was used, revert or disable the policy that restricts HTTP(S) access.

  5. Test and Verify:

    • After reverting the settings, test to ensure that HTTP(S) traffic is no longer restricted and that the access controls are functioning as expected.

References: