Security, Governance and Compliance
Design Considerations
- Consider what level of logging is necessary to meet your organization’s compliance requirements.
- Review your security requirements to determine if they allow your web applications to be run on shared network infrastructure or if they require the complete network/virtual machine isolation available with App Service Environments.
- Review which Web Application Firewall rulesets and/or custom rules are necessary to meet your security and compliance requirements.
- Evaluate the security of your software supply chain and determine the tools and processes in place to automatically patch application dependency vulnerabilities and reliably deploy them into your environment.
Design Recommendations
- Use Private Endpoint to access Azure services privately from within your virtual network (VNet).
- Use Azure Policy to assess and enforce regulatory compliance controls.
- Apps should only be accessible over HTTPS.
- Use the latest TLS version when encrypting information in transit.
- Review the list of enabled TLS cipher suites and disable weak ones.
- Store application secrets (database credentials, API tokens, private keys) in Azure Key Vault and configure your App Service app to access them securely with a Managed Identity. Use the documented guidance to decide when Azure Key Vault or Azure App Configuration is the appropriate store.
- Configure Cross-Origin Resource Sharing (CORS) within App Services, or using your own CORS utilities, to restrict which origins a user's browser is permitted to load resources from.
- When deploying containerized web applications to App Services, enable Azure Defender for container registries to automatically scan images for vulnerabilities.
- Enable Azure Defender for App Service to assess the security of your web applications and detect threats to your App Service resources.
- Use Private Endpoint for Azure Cache for Redis Enterprise.
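The HTTPS-only, minimum-TLS and Key Vault via Managed Identity recommendations above, expressed as one Bicep deployment. This is an added example, not configuration from the original page; the app, vault and secret names are placeholders, and an existing App Service plan resource id is assumed to be passed in.

```bicep
// Added example: hardened App Service that reads its secrets from Key Vault with a system-assigned identity.
param location string = resourceGroup().location
param appName string = 'contoso-web-example'      // placeholder name
param keyVaultName string = 'kv-contoso-example'  // placeholder name
param planId string                               // resource id of an existing App Service plan
@secure()
param dbConnectionString string                   // supplied at deploy time, never stored in app settings

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'          // Managed Identity: no credentials to rotate or leak
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true                 // plain HTTP requests are redirected to HTTPS
    siteConfig: {
      minTlsVersion: '1.2'          // reject TLS 1.0 and 1.1 clients
      ftpsState: 'Disabled'         // no FTP/FTPS deployment endpoint
      appSettings: [
        {
          // Key Vault reference: resolved by the platform at runtime using the app's identity
          name: 'DB_CONNECTION_STRING'
          value: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=db-connection-string)'
        }
      ]
    }
  }
}

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    accessPolicies: [
      {
        // least privilege: only the app's identity, read-only on secrets
        tenantId: subscription().tenantId
        objectId: app.identity.principalId
        permissions: {
          secrets: [
            'get'
            'list'
          ]
        }
      }
    ]
  }
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: kv
  name: 'db-connection-string'
  properties: {
    value: dbConnectionString
  }
}
```

Deploy with `az deployment group create` against the target resource group; the app setting shows the secret value only to the running app, while the portal and ARM responses show the reference string.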