last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

App Service Environment apps should not be reachable over public internet

Name: App Service Environment apps should not be reachable over public internet
Id: 2d048aca-6479-4923-88f5-e2ac295d9af3
Version: 1.0.0
Category: App Service
Description: To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer.
Mode: Indexed
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Used RBAC Role: none
History:
Date/Time (UTC ymd) | Change type | Change detail
2021-06-22 14:29:30 | add | 2d048aca-6479-4923-88f5-e2ac295d9af3
Used in Initiatives: none
JSON
{
  "properties": {
    "displayName": "App Service Environment apps should not be reachable over public internet",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/hostingEnvironments"
          },
          {
            "field": "kind",
            "like": "ASE*"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "less": "2018-02-01"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "2"
                      },
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "3"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "greaterOrEquals": "2018-02-01"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "Web"
                      },
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "Publishing"
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d048aca-6479-4923-88f5-e2ac295d9af3"
}