I'm deploying a new Azure App Service Plan that will be isolated and not connected to any virtual networks. Is there a benefit to putting this App Service behind a firewall? I believe that since the App Service only exposes ports 80 and 443, it already has a level of protection, but I want to hear what others think.
4 Answers
I like to use web app IP filtering to restrict access to specific subnets or public IPs. It's a simple way to enhance security without complicating things with authentication.
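An added example, not part of the answer above: a small offline model of how an IP allow list of the kind described there decides a request. It assumes rules are checked in ascending priority order, the first match wins, and an implicit deny applies once at least one rule exists. The rule names and addresses are constructed.

```python
import ipaddress

# Constructed rule set using documentation address ranges.
# Assumption: lower priority number is evaluated first, first match wins.
RULES = [
    {"name": "block-one-host", "priority": 100, "action": "Deny", "cidr": "203.0.113.77/32"},
    {"name": "office", "priority": 200, "action": "Allow", "cidr": "203.0.113.0/24"},
    {"name": "partner", "priority": 300, "action": "Allow", "cidr": "198.51.100.16/28"},
]


def evaluate(client_ip, rules):
    """Return (action, rule_name) for a client IP against the rule list."""
    if not rules:
        return ("Allow", "no-rules")  # nothing configured: site is open to all
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = ipaddress.ip_network(rule["cidr"], strict=True)
        if ip in net:  # False when IP versions differ
            return (rule["action"], rule["name"])
    return ("Deny", "implicit-deny-all")  # assumed default once any rule exists


def audit(rules):
    """Flag rules that silently weaken or never affect the allow list."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["priority"])
    for i, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule["cidr"], strict=True)
        if rule["action"] == "Allow" and net.prefixlen == 0:
            findings.append(f"{rule['name']}: allows every address")
        for earlier in ordered[:i]:
            e = ipaddress.ip_network(earlier["cidr"], strict=True)
            # A rule fully covered by an earlier one can never match.
            if e.version == net.version and net.subnet_of(e):
                findings.append(f"{rule['name']}: shadowed by {earlier['name']}")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.77", "198.51.100.20", "192.0.2.1"):
        print(ip, evaluate(ip, RULES))
    print(audit(RULES))
```

Running `audit` before applying a rule change catches a deny rule placed after a broader allow, which would otherwise never take effect.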
You definitely should check out the Azure security baseline for App Services. It outlines important security measures to consider even when not using VNets. Having that additional layer can help with more advanced protections like SQL injection defense and logging capabilities.
You don't technically need a firewall, but it might be worth considering. Is it just about cost that's holding you back? A VNet combined with an application gateway and WAF provides a cleaner and more secure setup, which also prepares you for future scaling if you add more services down the line.
While it's true that the App Service mainly exposes 80 and 443, it doesn’t provide advanced protections that you’d get with a Web Application Firewall (WAF). For instance, a WAF can help with path-based routing, block IPs from certain locations, and provide selective access controls. If your app is pretty static and doesn’t handle sensitive data, you might be okay without it, but from a security best practices standpoint, it’s better to have some form of protection in place.
Yeah, I get that it's not handling anything critical—it's just a static page—so I'm not overly concerned, but just checking what others recommend.

I tried implementing something similar with a public VM, and ran into issues, so I think having a WAF might help avoid those headaches.