Harden App Service
Nerdio Manager consists of a number of PaaS services. The entry point into the Nerdio Manager application is the App Service. By default, the Nerdio Manager App Service is protected with Entra ID authentication, including MFA and conditional access, and is accessible from any internet location. It is possible to further protect the Nerdio Manager App Service by using access restrictions or enabling a private endpoint.
Note: Azure App Services also have FTP services enabled by default. These can be fully disabled for Nerdio Manager.
Requirements
To use VNet integration, the App Service plan must in most instances be Standard, Premium, PremiumV2, or PremiumV3. Please note that some Basic plans also support VNet integration. For details, see:
Configure access restrictions on the Nerdio Manager App Service
Configure access restrictions on the Nerdio Manager App Service so that only authorized networks can connect.
To configure access restrictions:
- In the Azure portal, go to App Services and select the Nerdio Manager App Service resource.
  Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.
- In the left menu, navigate to Settings > Networking.
  Note: By default, the configuration is to allow all access.
- In the Inbound Traffic section, select Access restriction.
- Select +Add.
- Type the Name and Description of the new rule.
- Ensure that Action is set to Allow.
- Specify the source IP address block to allow access.
  Note: This automatically adds a new Deny All rule to the list to prevent access from all other locations.
- Select Add rule.
- Once all rules have been applied, navigate to App Services > [your Nerdio Manager App Service name] > Settings > Networking > Public Network Access Restrictions.
- Under Site access and rules, on the Advanced tool site tab, select the Use main site rules option.
After a few minutes, only the allowed IP ranges are able to connect to the Nerdio Manager application.
Create a private endpoint on the Nerdio Manager App Service
Creating a private endpoint on the Nerdio Manager App Service ensures that traffic flows through your VNet and private IP space rather than over the public internet.
To create a private endpoint on the Nerdio Manager App Service:
- In the Azure portal, select the Nerdio Manager App Service resource.
  Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.
- In the left menu, navigate to Settings > Networking.
- In the Inbound Traffic section, select Add.
- Type a custom Name for the private endpoint.
- Choose the Subscription containing your VNet.
- Select the VNet and Subnet where the private endpoint should be attached.
- Optionally, depending on your VNet DNS configuration, you may be able to select the option for Integrate with private DNS zone.
  Notes:
  Most customers specify custom DNS servers targeting their internal AD environment, in which case this option may be disabled.
  If Integrate with private DNS zone is not enabled, make sure that DNS is properly configured to resolve your private endpoint. See Azure Private Endpoint DNS Configuration for details.
- Select OK to save the private endpoint.
After a few minutes, any connections to the Nerdio Manager App Service that route to its public IP addresses are rejected. Only connections that resolve your Nerdio Manager URL to the private endpoint IP address succeed.
Disable FTP services on the Nerdio Manager App Service
You can disable FTP services on the Nerdio Manager App Service to prevent unneeded access and align with security best practices.
- In the Azure portal, select the Nerdio Manager App Service resource.
  Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.
- In the left menu, navigate to Settings > Configuration.
- Navigate to the General settings tab.
- On the FTP state selector, change the option from All allowed (default) to Disabled.
- Select Save.
FTP services are now disabled for Nerdio Manager's App Service.
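The access-restriction and FTP steps above as an Azure CLI script. This is an added example, not Nerdio's own tooling: the resource group name and the allowed ranges are placeholders and constructed sample values, and the pre-check refuses a source block (such as 0.0.0.0/0) that would quietly override the auto-added Deny All rule. It also applies the "Use main site rules" setting to the advanced tools (SCM) site.

```shell
#!/bin/sh
# Added example (not Nerdio's own tooling): az CLI equivalent of the portal steps.
# RG, APP and ALLOW_CIDRS are placeholders/constructed values; set them for your tenant.
RG="${RG:-rg-nerdio-manager}"
APP="${APP:-nmw-app-xxxxxxxxx}"
ALLOW_CIDRS="${ALLOW_CIDRS:-203.0.113.0/24 198.51.100.10/32}"

# Reject source blocks that would silently re-open the app: an Allow rule for
# 0.0.0.0/0 (or a malformed block) defeats the auto-added "Deny all" rule.
cidr_ok() {
  case "$1" in
    */*) ;;
    *) return 1 ;;                       # a prefix length is mandatory
  esac
  ip="${1%/*}"; len="${1#*/}"
  case "$len" in *[!0-9]*|'') return 1 ;; esac
  [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1   # refuse /0../7 as "public"
  IFS=.; set -- $ip; unset IFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in *[!0-9]*|'') return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

apply_inbound_hardening() {
  prio=100
  for cidr in $ALLOW_CIDRS; do
    cidr_ok "$cidr" || { echo "refusing source block: $cidr" >&2; return 1; }
    # The first Allow rule makes Azure append the implicit "Deny all" rule.
    az webapp config access-restriction add -g "$RG" -n "$APP" \
      --rule-name "allow-$prio" --action Allow --ip-address "$cidr" --priority "$prio"
    prio=$((prio + 10))
  done
  # "Use main site rules" for the advanced tools (SCM) site.
  az webapp config access-restriction set -g "$RG" -n "$APP" \
    --use-same-restrictions-for-scm-site true
  # FTP state: All allowed (default) -> Disabled.
  az webapp config set -g "$RG" -n "$APP" --ftps-state Disabled
}

verify_inbound_hardening() {
  az webapp config show -g "$RG" -n "$APP" \
    --query "{ftps:ftpsState, scmUsesMain:scmIpSecurityRestrictionsUseMain}" -o json
  az webapp config access-restriction show -g "$RG" -n "$APP" \
    --query "ipSecurityRestrictions[].{name:name,action:action,ip:ipAddress}" -o table
}

if [ "${NME_APPLY:-0}" = "1" ]; then apply_inbound_hardening && verify_inbound_hardening; fi
```

Run with NME_APPLY=1 after `az login`; without it the script only defines the functions so the pre-check can be exercised on its own.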
Enable VNet integration
Enable App Service VNet integration to connect the App Service to a VNet for outbound traffic. This provides line-of-sight to other hardened Nerdio Manager resources (e.g., storage, key vault, SQL) that are accessible only via private endpoints, allowing the App Service to securely reach them without public egress.
Before you start, ensure the following prerequisites are met:
- The App Service plan must be on a tier that supports VNet integration. For more details, see Upgrade the Azure App Service.
- A virtual network (VNet) that can be used to connect the App Service to your Azure network must be configured. This virtual network also needs outbound access for Nerdio Manager to communicate with the Nerdio licensing servers via HTTPS (TCP/443). The licensing server URL is https://nwp-web-app.azurewebsites.net/.
To enable VNet integration for the Nerdio Manager App Service:
- In the Azure portal, navigate to App Services.
- Select the Nerdio Manager App Service.
  Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.
- In the left menu, navigate to Settings > Networking.
- Under Outbound traffic configuration, in Virtual network integration, select Not configured.
- In Virtual Network Integration, select Add virtual network integration.
- In the right pane that opens, add the virtual network you want to use:
  Subscription: Select the subscription.
  Virtual Network: Select the virtual network.
  Subnet: Select the subnet.
  Note:
  VNet integration requires a subnet delegated specifically for use with App Services. This subnet cannot be shared with any other Azure resources.
  The subnet selected for integration needs to be /28 or larger.
  If no unused subnets are available, or if all existing subnets are already delegated to other services, you may need to create an additional subnet for the integration.
- Select Connect.
The VNet is integrated.
Allow access for the addresses listed in the VNet integration firewall requirements so that Nerdio Manager functions as required.
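The VNet integration steps above as an Azure CLI script, creating the dedicated delegated subnet first. This is an added example, not Nerdio's own tooling; the resource group, VNet, subnet name and address prefix are placeholders and constructed values, and the size check enforces the /28-or-larger requirement from the note before any resource is created.

```shell
#!/bin/sh
# Added example (not Nerdio's own tooling): az CLI equivalent of the VNet integration steps.
# RG, APP, VNET, SUBNET and PREFIX are placeholders/constructed values; set them for your tenant.
RG="${RG:-rg-nerdio-manager}"; APP="${APP:-nmw-app-xxxxxxxxx}"
VNET="${VNET:-vnet-nerdio}"; SUBNET="${SUBNET:-snet-nmw-appsvc}"
PREFIX="${PREFIX:-10.10.5.0/27}"

# The integration subnet must be /28 or larger (prefix length <= 28) and
# delegated to Microsoft.Web/serverFarms; refuse a smaller one up front.
subnet_prefix_ok() {
  len="${1#*/}"
  [ "$len" != "$1" ] || return 1          # no prefix length given
  case "$len" in *[!0-9]*|'') return 1 ;; esac
  [ "$len" -le 28 ]
}

enable_vnet_integration() {
  subnet_prefix_ok "$PREFIX" || { echo "subnet $PREFIX is smaller than /28" >&2; return 1; }
  # The delegation makes the subnet unusable by other resource types, as the note requires.
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --address-prefixes "$PREFIX" --delegations Microsoft.Web/serverFarms
  az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
}

verify_vnet_integration() {
  # virtualNetworkSubnetId is populated once the integration is connected.
  az webapp show -g "$RG" -n "$APP" --query virtualNetworkSubnetId -o tsv
  az webapp vnet-integration list -g "$RG" -n "$APP" -o table
}

if [ "${NME_APPLY:-0}" = "1" ]; then enable_vnet_integration && verify_vnet_integration; fi
```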