Harden App Service

Nerdio Manager consists of a number of PaaS services. The entry point into the Nerdio Manager application is the App Service.  By default, the Nerdio Manager app service is protected with Entra ID authentication, including MFA and conditional access, and is accessible from any internet location. It is possible to further protect the Nerdio Manager app service by using Access Restrictions or enabling a Private Endpoint.

Note: Azure app services also have FTP services enabled by default. These can be fully disabled for Nerdio Manager.

Requirements

To use VNet integration, in some instances, the App service plan must be Standard, Premium, PremiumV2, or PremiumV3. Please note that some Basic plans support Vnet integration. See this Microsoft article for details. In addition, see Upgrade the Azure App Service for upgrade options.

Configure Access restrictions on the Nerdio Manager App Service

  1. In the Azure portal, locate the Nerdio Manager App Service resource. 

    Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.

  2. Within the menu on the left-hand side of the App Service blade, scroll down to the Settings section.

  3. Select Networking.

    Note: By default, the configuration is to allow all access.

  4. In the Inbound Traffic section, select Access restriction.

  5. Select + Add.

  6. Type the Name and Description of the new rule.

  7. Ensure that Action is set to Allow.

  8. Specify the source IP address block to allow access.

    Note: This automatically adds a new "Deny All" rule to the list to prevent access from all other locations.

  9. Select Add rule.

  10. Once all rules have been applied, navigate to the nmw-app-*.scm.azurewebsites.net tab.

  11. Select the Same restrictions as option to restrict access to the administrative console as well.

After a few minutes, only whitelisted IP ranges are able to connect to the Nerdio Manager application.

Create a Private Endpoint on the Nerdio Manager App Service

  1. In the Azure portal, locate the Nerdio Manager App Service resource. 

    Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.

  2. Within the menu on the left-hand side of the App Service blade, scroll down to the Settings section.

  3. Select Networking.

  4. In the Inbound Traffic section, select Add.

  5. Type a custom Name for the private endpoint.

  6. Choose the Subscription containing your VNet.

  7. Select the VNet and Subnet where the private endpoint should be attached.

  8. Optionally, depending on your VNet DNS configuration, you may be able to select the option for Integrate with private DNS zone.

    Notes:

    • Most customers specify custom DNS servers targeting their internal AD environment, in which case this option may be disabled.

    • If Integrate with private DNS zone is not enabled, be sure that the DNS is properly configured to resolve your private endpoint. See Azure Private Endpoint DNS Configuration for details.

  9. Select OK to save the private endpoint.

After a few minutes, any connections to Nerdio Manager's app service routing to the public IP addresses is rejected. Only connections that resolve your Nerdio Manager URL to the private endpoint IP address succeed.

Disable FTP Services on the Nerdio Manager App Service

  1. In the Azure portal, locate the Nerdio Manager App Service resource. 

    Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.

  2. Within the menu on the left-hand side of the App Service blade, scroll down to the Settings section.

  3. Select Configuration.

  4. Navigate to the General settings tab.

  5. On the FTP state selector, change the option from All allowed (default) to Disabled.

  6. Select Save.

FTP services are now disabled for Nerdio Manager's app service.

Related Topics

Harden Nerdio Manager

Harden Azure Storage Account

Harden SQL