module/ConfigurationProvider/ControlConfigurations/Services/AppGateway.json

{
  "FeatureName": "AppGateway",
  "Reference": "aka.ms/azsktcp/appGateway",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ApplicationGateway_NetSec_Enable_WAF_Configuration",
      "Description": "Protect Internet First Applications with Azure AppGateway and WAF",
      "Id": "AppGateway110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckWAFConfigured",
      "DisplayName": "Protect Internet First Applications with Azure AppGateway and WAF",
      "Rationale": "Web application firewall configuration protects App Gateway from internet-based vulnerabilities and attacks without modification to back-end code.",
      "Recommendation": "To configure WAF, go to Azure Portal --> App Gateway --> change the tier to WAF or WAF V2. Also, attach an NSG/Azure Firewall to every subnet used by the App Gateway.",
      "Tags": [
        "Baseline",
        "NetSec",
        "ApplicationGateway",
        "Daily"
      ],
      "Enabled": true,
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "EDPreview",
        "SMTPreview",
        "MSD",
        "TBv7",
        "SN:ApplicationGateway_WAF"
      ]
    },
    {
      "ControlID": "Azure_ApplicationGateway_NetSec_Enable_DDoS_Protection",
      "Description": "Protect Internet First Applications with Azure AppGateway and DDoS Protection",
      "Id": "AppGateway120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDDoSProtectionConfigured",
      "DisplayName": "Protect Internet First Applications with Azure AppGateway and DDoS Protection",
      "Rationale": "Enabling DDoS Protection on the Virtual Network of the Application Gateway provides protection and defense for Azure resources against the impacts of DDoS attacks.",
      "Recommendation": "To remediate, enable DDoS Protection on the Virtual Network associated with the App Gateway, or refer to https://learn.microsoft.com/en-us/azure/ddos-protection/manage-ddos-protection#enable-ddos-protection-for-an-existing-virtual-network",
      "Tags": [
        "Baseline",
        "NetSec",
        "ApplicationGateway",
        "Daily"
      ],
      "Enabled": true,
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv7",
        "EDPreview",
        "SMTPreview",
        "SN:ApplicationGateway_DDOS"
      ]
    },
    {
      "ControlID": "Azure_ApplicationGateway_NetSec_Enable_WAF_Configuration_MCSB",
      "Description": "[MCSB] Web Application Firewall (WAF) should be enabled for Application Gateway",
      "Id": "AppGateway130",
      "ControlSeverity": "High",
      "ControlScanSource": "MDC",
      "Automated": "Yes",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "DisplayName": "[MCSB] Web Application Firewall (WAF) should be enabled for Application Gateway",
      "Rationale": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.",
      "Recommendation": "Azure Web Application Firewall is a paid solution; refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2', change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers; refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways' on the sidebar. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. For details, see https://aka.ms/applicationgateway-waf.",
      "Tags": [
        "Baseline",
        "NetSec",
        "ApplicationGateway"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "efe75f01-6fff-5d9d-08e6-092b98d3fb3f"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ApplicationGateway_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for AppGateways.",
      "Id": "AppGateway140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckEndToEndEncryption",
      "DisplayName": "Use approved version of TLS for AppGateways.",
      "Rationale": "Enabling HTTPS for Application Gateway ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks. TLS provides confidentiality and data integrity between client and server. Using an approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To enable the HTTPS protocol for Listeners and Backend settings, and to configure the SSL Policy to use TLSv1_2 as the minimum protocol version for the Listener, refer to https://learn.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal and https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-listener-specific-ssl-policy",
      "Tags": [
        "Baseline",
        "DP",
        "ApplicationGateway"
      ],
      "Enabled": true,
      "ControlSettings": {
        "MinReqTLSVersion": "1.2"
      },
      "CustomTags": [
        "Daily",
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv9",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:ApplicationGateway_TLS",
        "CAIWave1"
      ]
    }
  ]
}