Disable insecure container app ingress
March 21, 2025
SYNOPSIS
Ensure insecure inbound traffic is not permitted to the container app.
DESCRIPTION
By default, Container Apps automatically redirects any HTTP request to HTTPS, so in the default configuration all inbound requests occur over a minimum of TLS 1.2. This secure-by-default behavior can be overridden by allowing insecure HTTP traffic.
Unencrypted communication to Container Apps could allow disclosure of information to an untrusted party.
RECOMMENDATION
Consider disabling insecure traffic and requiring all inbound traffic to be over TLS 1.2.
EXAMPLES
Configure with Azure template
To deploy resources that pass this rule:
- Set properties.configuration.ingress.allowInsecure to false.
For example:
{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2024-03-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
    "template": {
      "revisionSuffix": "[parameters('revision')]",
      "containers": "[variables('containers')]",
      "scale": {
        "minReplicas": 2
      }
    },
    "configuration": {
      "ingress": {
        "allowInsecure": false,
        "external": false,
        "ipSecurityRestrictions": "[variables('ipSecurityRestrictions')]",
        "stickySessions": {
          "affinity": "none"
        }
      }
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
  ]
}
Configure with Bicep
To deploy resources that pass this rule:
- Set properties.configuration.ingress.allowInsecure to false.
For example:
resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    environmentId: containerEnv.id
    template: {
      revisionSuffix: revision
      containers: containers
      scale: {
        minReplicas: 2
      }
    }
    configuration: {
      ingress: {
        allowInsecure: false
        external: false
        ipSecurityRestrictions: ipSecurityRestrictions
        stickySessions: {
          affinity: 'none'
        }
      }
    }
  }
}
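The ARM and Bicep examples above both come down to one property, properties.configuration.ingress.allowInsecure. The following added example (not part of this page or of PSRule's own rule implementation) is a small static check you can run over a compiled ARM template (Bicep compiles to the same JSON) to find container apps that would fail this rule. It also handles the two cases a scanner has to get right: an app with no ingress block takes no inbound traffic and is not applicable, and a value written as a template expression cannot be judged until parameters are bound. The sample template, the resource names in it, and the status labels are constructed for this example.

```python
import json
from typing import Iterator

# Constructed sample ARM template (assumption: not from the page). It holds
# one compliant app, one that allows insecure HTTP, one with no ingress, one
# whose setting is an unresolved template expression, and an unrelated resource.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.App/containerApps", "apiVersion": "2024-03-01", "name": "app-secure",
         "properties": {"configuration": {"ingress": {"allowInsecure": False, "external": False}}}},
        {"type": "Microsoft.App/containerApps", "apiVersion": "2024-03-01", "name": "app-insecure",
         "properties": {"configuration": {"ingress": {"allowInsecure": True, "external": True}}}},
        {"type": "Microsoft.App/containerApps", "apiVersion": "2024-03-01", "name": "app-no-ingress",
         "properties": {"configuration": {}}},
        {"type": "Microsoft.App/containerApps", "apiVersion": "2024-03-01", "name": "app-param",
         "properties": {"configuration": {"ingress": {"allowInsecure": "[parameters('allowInsecure')]"}}}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01", "name": "stor",
         "properties": {}},
    ],
})

CONTAINER_APP_TYPE = "microsoft.app/containerapps"


def _walk(resources: list) -> Iterator[dict]:
    """Yield every resource, descending into nested child resource arrays."""
    for res in resources:
        if isinstance(res, dict):
            yield res
            yield from _walk(res.get("resources", []))


def classify_ingress(template_json: str) -> dict[str, str]:
    """Classify each container app by its ingress.allowInsecure setting.

    Status labels (constructed for this example):
      "fail"           allowInsecure is literally true, so plain HTTP is accepted
      "pass"           allowInsecure is false or omitted (the platform default
                       redirects HTTP to HTTPS)
      "not-applicable" no ingress block, so the app accepts no inbound traffic
      "unresolved"     the value is a template expression such as
                       "[parameters('x')]" that a static check cannot evaluate;
                       review it by hand or after parameter binding
    """
    template = json.loads(template_json)
    result: dict[str, str] = {}
    for res in _walk(template.get("resources", [])):
        if str(res.get("type", "")).lower() != CONTAINER_APP_TYPE:
            continue
        name = str(res.get("name", "<unnamed>"))
        properties = res.get("properties") or {}
        config = properties.get("configuration") or {}
        ingress = config.get("ingress")
        if not isinstance(ingress, dict):
            result[name] = "not-applicable"
            continue
        value = ingress.get("allowInsecure", False)
        if value is True:
            result[name] = "fail"
        elif value is False:
            result[name] = "pass"
        else:
            result[name] = "unresolved"
    return result


def failing_apps(template_json: str) -> list[str]:
    """Names of apps that would fail the rule, in template order."""
    return [n for n, s in classify_ingress(template_json).items() if s == "fail"]


if __name__ == "__main__":
    for app_name, status in classify_ingress(SAMPLE_TEMPLATE).items():
        print(f"{app_name}: {status}")
```

Run it against a template produced by `az bicep build` (or any exported ARM template) by passing the file contents to classify_ingress; treat every "unresolved" entry as something to confirm once parameter values are known, since a parameter defaulting to true is exactly the kind of drift this rule is meant to catch.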
Configure with Azure Policy
To address this issue at runtime, use the following policies:
- Container Apps should only be accessible over HTTPS
/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb