
Governance Policies Azure Web App Service

Joshua Davis edited this page Apr 5, 2026 · 2 revisions

App Service

Governance policies for App Service

Domain: azure-web

Patterns

| Name | Description |
| --- | --- |
| App Service with managed identity and VNet | Complete App Service deployment with HTTPS, TLS 1.2, managed identity, VNet integration, private endpoint, and diagnostics |

Anti-Patterns

| Description | Instead |
| --- | --- |
| Do not set httpsOnly = false or omit HTTPS enforcement | Always set httpsOnly = true on App Service |
| Do not store secrets in App Settings as plaintext | Use Key Vault references (@Microsoft.KeyVault(SecretUri=...)) |
| Do not enable FTP/FTPS access | Set ftpsState to Disabled |

References


Checks (10)

| Check | Severity | Description |
| --- | --- | --- |
| AZ-AS-001 | Required | Create App Service Plan with appropriate SKU |
| AZ-AS-002 | Required | Create App Service with HTTPS-only, TLS 1.2, managed identity, VNet integration, and public access disabled |
| AZ-AS-003 | Required | Deploy into a VNet-integrated subnet for backend connectivity |
| AZ-AS-004 | Recommended | Use deployment slots for zero-downtime deployments in production |
| AZ-AS-005 | Recommended | Use App Service Authentication (EasyAuth) or custom middleware for user-facing apps |
| AZ-AS-006 | Recommended | Enable health check feature on the App Service |
| AZ-AS-007 | Recommended | Disable ARR affinity for stateless applications |
| AZ-AS-008 | Recommended | Enable zone redundancy on the App Service Plan for production workloads |
| AZ-AS-009 | Recommended | Disable remote debugging and basic authentication |
| AZ-AS-010 | Recommended | Enable auto-heal rules for automatic recovery from unexpected issues |

AZ-AS-001

Create App Service Plan with appropriate SKU

Severity: Required
Rationale: Plan defines compute tier; B1+ required for VNet integration, P1v3+ for production
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Web/sites

AZ-AS-002

Create App Service with HTTPS-only, TLS 1.2, managed identity, VNet integration, and public access disabled

Severity: Required
Rationale: Baseline security configuration prevents cleartext transmission, enables identity-based access, and restricts network exposure
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Web/sites

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Network/privateEndpoints | pe-app-service | Private endpoint for App Service — required when publicNetworkAccess is Disabled |
| Microsoft.Network/privateDnsZones | privatelink.azurewebsites.net | Private DNS zone for App Service private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-app-service | Diagnostic settings for App Service to Log Analytics |

AZ-AS-003

Deploy into a VNet-integrated subnet for backend connectivity

Severity: Required
Rationale: Enables private access to databases, Key Vault, and other PaaS services
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Web/sites

AZ-AS-004

Use deployment slots for zero-downtime deployments in production

Severity: Recommended
Rationale: Slot swaps are atomic and support rollback
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Web/sites

AZ-AS-005

Use App Service Authentication (EasyAuth) or custom middleware for user-facing apps

Severity: Recommended
Rationale: Built-in auth handles token validation without custom code
Agents: cloud-architect, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.Web/sites

AZ-AS-006

Enable health check feature on the App Service

Severity: Recommended
Rationale: WAF Reliability: Health checks detect problems early and automatically exclude unhealthy instances from serving requests, improving overall availability
Agents: cloud-architect, terraform-agent, bicep-agent, monitoring-agent

Targets

  • Microsoft.Web/sites

AZ-AS-007

Disable ARR affinity for stateless applications

Severity: Recommended
Rationale: WAF Reliability: Disabling ARR affinity distributes incoming requests evenly across all available nodes, preventing traffic from overwhelming a single node and enabling horizontal scaling
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Web/sites

AZ-AS-008

Enable zone redundancy on the App Service Plan for production workloads

Severity: Recommended
Rationale: WAF Reliability: Zone redundancy distributes instances across availability zones, maintaining application reliability if one zone is unavailable
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Web/sites

AZ-AS-009

Disable remote debugging and basic authentication

Severity: Recommended
Rationale: WAF Security: Remote debugging opens inbound ports and basic authentication uses username/password; disabling both reduces the attack surface
Agents: cloud-architect, terraform-agent, bicep-agent, security-reviewer

Targets

  • Microsoft.Web/sites

AZ-AS-010

Enable auto-heal rules for automatic recovery from unexpected issues

Severity: Recommended
Rationale: WAF Reliability: Auto-heal triggers healing actions when configurable thresholds are breached (request count, slow requests, memory limits), enabling automatic proactive maintenance
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Web/sites
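As an added illustration (not code from this wiki or its agents), the following Python checker evaluates an exported Microsoft.Web/sites resource body against AZ-AS-002, AZ-AS-003, AZ-AS-006, AZ-AS-007, AZ-AS-009 and the three anti-patterns, then produces a copy with the compliant settings applied. The sample site, the subnet id, the `/healthz` path and the secret-name heuristic are constructed assumptions; property names follow the ARM schema for Microsoft.Web/sites.

```python
"""Evaluate a Microsoft.Web/sites body (ARM export shape) against the checks above; sample data is constructed."""
import copy
# Constructed sample site that violates most of the checks above.
SAMPLE_SITE = {
    "type": "Microsoft.Web/sites", "name": "app-demo", "identity": {"type": "None"},
    "properties": {
        "httpsOnly": False, "publicNetworkAccess": "Enabled",
        "virtualNetworkSubnetId": None, "clientAffinityEnabled": True,
        "siteConfig": {
            "minTlsVersion": "1.0", "ftpsState": "AllAllowed",
            "remoteDebuggingEnabled": True, "healthCheckPath": "",
            "appSettings": [
                {"name": "DbPassword", "value": "hunter2"},
                {"name": "ApiKey", "value": "@Microsoft.KeyVault(SecretUri=https://kv.vault.azure.net/secrets/apikey/)"},
            ],
        },
    },
}
SECRET_HINTS = ("password", "secret", "key", "token", "connectionstring")  # name heuristic, an assumption

def evaluate(site):
    """Return (check, message) pairs that fail; empty means compliant. Basic auth (AZ-AS-009) is set on
    basicPublishingCredentialsPolicies child resources, not the site body, so it is not covered here."""
    p = site.get("properties", {})
    cfg = p.get("siteConfig", {})
    rules = [  # (check id, message, condition that must hold)
        ("AZ-AS-002", "httpsOnly must be true", p.get("httpsOnly") is True),
        ("AZ-AS-002", "minTlsVersion must be 1.2 or higher", cfg.get("minTlsVersion") in ("1.2", "1.3")),
        ("AZ-AS-002", "managed identity required", site.get("identity", {}).get("type", "None") != "None"),
        ("AZ-AS-002", "publicNetworkAccess must be Disabled", p.get("publicNetworkAccess") == "Disabled"),
        ("AZ-AS-003", "virtualNetworkSubnetId must be set", bool(p.get("virtualNetworkSubnetId"))),
        ("AZ-AS-006", "healthCheckPath must be set", bool(cfg.get("healthCheckPath"))),
        ("AZ-AS-007", "clientAffinityEnabled should be false", p.get("clientAffinityEnabled") is False),
        ("AZ-AS-009", "remoteDebuggingEnabled must be false", not cfg.get("remoteDebuggingEnabled")),
        ("ANTI-PATTERN", "ftpsState must be Disabled", cfg.get("ftpsState") == "Disabled"),
    ]
    findings = [(check, msg) for check, msg, ok in rules if not ok]
    for s in cfg.get("appSettings", []):  # plaintext secret vs. Key Vault reference
        if any(h in s["name"].lower() for h in SECRET_HINTS) and not str(s.get("value") or "").startswith("@Microsoft.KeyVault("):
            findings.append(("ANTI-PATTERN", f"app setting {s['name']} holds a plaintext secret"))
    return findings

def remediate(site, subnet_id):
    """Hardened copy passing every flag-based rule above; secret app settings still need moving to Key Vault."""
    fixed = copy.deepcopy(site)
    fixed["identity"] = {"type": "SystemAssigned"}
    fixed["properties"].update(httpsOnly=True, publicNetworkAccess="Disabled",
                               virtualNetworkSubnetId=subnet_id, clientAffinityEnabled=False)
    fixed["properties"]["siteConfig"].update(minTlsVersion="1.2", ftpsState="Disabled",
                                             remoteDebuggingEnabled=False, healthCheckPath="/healthz")
    return fixed
```

The remediated copy still reports the plaintext DbPassword setting, since replacing a secret with a Key Vault reference is not a flag toggle; pair the check with the pe-app-service private endpoint and private DNS zone from AZ-AS-002 when publicNetworkAccess is Disabled.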
