
I have two App Services running in Azure: one is a web portal (a CRM-type management system protected by JWT login) and the other is an API that controls access to the database containing the data for the web portal (so users log into the portal, and the portal queries the API in order to interact with the database).

I want this system to be as secure as possible, since personal details are held in the database. I'm using Azure Advisor and Security Center to help with this.

One security issue currently flagged on my public-facing web portal is that I need to restrict access to web services in order to comply with various security protocols, most notably ISO27001. I want to comply with this, but how am I supposed to restrict access to a public site? There are restrictions in place already, in that users must log into it. I can't restrict by IP address, as I obviously don't know which IP addresses will be sending the login credentials.

Am I missing something?

  • Is it that you care about your web app's security? If so, you can refer to https://learn.microsoft.com/en-us/azure/app-service/overview-security. – Jim Xu Aug 20 '19 at 02:56
  • Please refer to https://azure.microsoft.com/en-us/blog/13-effective-security-controls-for-iso-27001-compliance/ –  Aug 20 '19 at 03:01
  • To clarify, I understand *what* needs to be done, and I understand what the ISO27001 requirements are; my point is that the only way I can restrict access to my App Service is by setting a firewall to restrict by IP. The question is, how the hell is that supposed to work on a website that potentially needs to be accessed by anyone? Especially when Azure only lets you add one CIDR at a time, which is very impractical. I've since done some research, and it can be done with Cloudflare Argo tunneling, but it's very involved and I don't have time to write the answer at the moment. Will add later. – ataraxia Aug 21 '19 at 19:18
  • @ataraxia If your issue has been resolved, please add the answer to the answer part. Then this issue can be closed. Thank you. – Jim Xu Aug 22 '19 at 02:35

1 Answer


You can consider an ILB ASE for this. By putting the web app in an ILB ASE, only users in that VNet will be able to access it. Users outside the ILB ASE will not be able to access it.

https://learn.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase

DixitArora-MSFT
  • As part of investigating Cloudflare's Argo tunneling, I attempted to add the App Service to a VNet, but it won't work properly as it's running on Linux and VNets are still in testing for Linux services :(. At the moment I am ISO27001 compliant, as the only failing test is restricting access, and access is currently restricted by Cloudflare; it's just that Azure doesn't know this, so it reports it as non-compliant. Still haven't had a chance to explain what I've done yet; I will put up a more comprehensive explanation when I do. – ataraxia Aug 22 '19 at 10:29
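One way to make Azure see the restriction the asker already has at Cloudflare, as an added example that is not from the question or the answer: load the edge proxy's published IPv4 ranges into the App Service's access restrictions with the Azure CLI, so that only traffic arriving through the proxy reaches the app (App Service denies everything else once an Allow rule exists). It assumes the Azure CLI is installed and logged in; the app name, resource group, and the CIDRs in the sample input are placeholders and constructed documentation ranges, not values from the page.

```shell
#!/usr/bin/env sh
# Added example: bulk-load an IPv4 CIDR allow-list into an App Service's
# access restrictions. Real edge ranges would come from the proxy vendor
# (Cloudflare publishes theirs at https://www.cloudflare.com/ips-v4);
# the CIDRs used below are constructed documentation ranges.
# AZ_CMD allows a dry run (AZ_CMD=echo) before touching a live subscription.
AZ_CMD="${AZ_CMD:-az}"

# Check that a value has the shape of an IPv4 CIDR with a /0-/32 prefix.
valid_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# add_allow_rules APP RESOURCE_GROUP < cidr-list
# One az call per CIDR (the portal only takes one at a time); priorities are
# assigned sequentially from 100 and the rule is mirrored to the SCM/Kudu
# site so the deployment endpoint is restricted too. Prints the rule count.
add_allow_rules() {
  app="$1"; rg="$2"; prio=100; n=0
  while IFS= read -r cidr; do
    [ -z "$cidr" ] && continue
    if ! valid_cidr "$cidr"; then
      echo "refusing to continue: invalid CIDR '$cidr'" >&2
      return 1
    fi
    "$AZ_CMD" webapp config access-restriction add \
      --resource-group "$rg" --name "$app" \
      --rule-name "edge-$n" --action Allow \
      --ip-address "$cidr" --priority "$prio" \
      --scm-site true < /dev/null
    prio=$((prio + 1)); n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample run (dry run): two documentation ranges, placeholder names.
printf '203.0.113.0/24\n198.51.100.0/24\n' |
  AZ_CMD=echo add_allow_rules "myportal-app" "myportal-rg"
```

Run it once against the SCM site and once against the main site if you prefer separate rule sets; after the first Allow rule is in place, verify from an address outside the list that the app returns 403.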