Open ports for Web Apps

  • Question

  • Hi there.  An Azure Web App of ours recently underwent penetration testing and a number of ports were found to be open that we didn't expect.  These included:

    443, 454, 455, 1221, 4016, 4018 and 4020

    Does anyone know:

    (1) why these are open and what they are used for?

    (2) whether we can close them - I think the answer to this question is "no" but I thought I'd ask just in case.

    Any help or guidance to useful information much appreciated.

    Mark

    Monday, July 27, 2015 2:27 PM

Answers

  • Hello Mark,

    You cannot close these ports, as Azure Web Apps are a multi-tenant environment by design.

    A description of these ports is available, e.g., at https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-control-inbound-traffic/ (in the case of an App Service Environment you can actually block some of them at the VNET level):

    • 454: Required port used by Azure infrastructure for managing and maintaining App Service Environments. Do not block traffic to this port.
    • 455: Required port used by Azure infrastructure for managing and maintaining App Service Environments. Do not block traffic to this port.
    • 80: Default port for inbound HTTP traffic to apps running in App Service Plans in an App Service Environment
    • 443: Default port for inbound SSL traffic to apps running in App Service Plans in an App Service Environment
    • 21: Control channel for FTP. This port can be safely blocked if FTP is not being used.
    • 10001-10020: Data channels for FTP. As with the control channel, these ports can be safely blocked if FTP is not being used (Note: the FTP data channels may change during preview.)
    • 4016: Used for remote debugging with Visual Studio 2012. This port can be safely blocked if the feature is not being used.
    • 4018: Used for remote debugging with Visual Studio 2013. This port can be safely blocked if the feature is not being used.
    • 4020: Used for remote debugging with Visual Studio 2015. This port can be safely blocked if the feature is not being used.
    • 4022: Used for remote debugging with Visual Studio 2017. This port can be safely blocked if the feature is not being used.
    • 8172 (including this one to document all possible ports which can be seen with App Service): Port used for WebDeploy service (protocol used by Visual Studio for publishing sites)
    • 7654 (including this one to document all possible ports which can be seen with App Service): Metadata endpoint used by the internal service (does not take any input, only returns an IP address).

    Hope this helps.

    Thanks,
    Petr





    Monday, July 27, 2015 3:48 PM
    Moderator

All replies

  • Hi,

    Is there any other way to block those ports in a WebApp not using App Service Environment?

    Thanks!

    Monday, November 6, 2017 5:44 PM
  • As mentioned by Petr, in the App Service shared tenant environment it is not possible to block specific ports because of the nature of the infrastructure. TCP ports 4016, 4018, and 4020 also might be open for Visual Studio remote debugging.

    In App Service Environment, you have full control over inbound and outbound traffic. You can use Network Security Groups to restrict or block specific ports.


    The only way an application can be accessed via the internet is through the already-exposed HTTP (80) and HTTPS (443) TCP ports; applications may not listen on other ports for packets arriving from the internet.

    However, applications may create a socket which can listen for connections from within the sandbox. For example, two processes within the same app may communicate with one another via TCP sockets; connection attempts incoming from outside the sandbox, even if they are on the same machine, will fail. See the next topic for additional detail.


    Restricted Outgoing Ports: Regardless of address, applications cannot connect to anywhere using ports 445, 137, 138, and 139. In other words, even if connecting to a non-private IP address or the address of a virtual network, connections to ports 445, 137, 138, and 139 are not permitted.


    For more information, see Microsoft Azure App Service web app compliance with PCI Standard 3.0 and 3.1.


    Saturday, November 18, 2017 5:43 PM
    Moderator
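A practical way to act on Petr's port list and the later reply about the sandbox is to triage a scan result against the documented catalogue: keep what Azure needs, mark the feature-bound ports (FTP, remote debugging) as closable when the feature is unused, and flag anything undocumented for investigation. The script below is an added example and not code from the thread or from Microsoft; the port catalogue and the restricted outbound ports are copied from the replies above, while the scan result, the `features_in_use` parameter and the NSG rule shape (which mirrors the `securityRules` layout of an ARM `Microsoft.Network/networkSecurityGroups` resource, usable only in an App Service Environment) are constructed for illustration.

```python
"""Triage of open ports reported against an Azure App Service (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class PortInfo:
    purpose: str
    blockable: bool            # the thread says it can be safely blocked when unused
    feature: Optional[str]     # feature that legitimately needs the port, if any


# Inbound ports as documented in the thread (ranges expanded for lookup).
PORT_CATALOG: Dict[int, PortInfo] = {
    80:   PortInfo("Inbound HTTP to apps", False, None),
    443:  PortInfo("Inbound SSL/HTTPS to apps", False, None),
    454:  PortInfo("Azure infrastructure management (required)", False, None),
    455:  PortInfo("Azure infrastructure management (required)", False, None),
    21:   PortInfo("FTP control channel", True, "ftp"),
    4016: PortInfo("Remote debugging, Visual Studio 2012", True, "remote_debugging"),
    4018: PortInfo("Remote debugging, Visual Studio 2013", True, "remote_debugging"),
    4020: PortInfo("Remote debugging, Visual Studio 2015", True, "remote_debugging"),
    4022: PortInfo("Remote debugging, Visual Studio 2017", True, "remote_debugging"),
    # The thread documents 8172 and 7654 but does not say they may be blocked.
    8172: PortInfo("WebDeploy publishing", False, "webdeploy"),
    7654: PortInfo("Internal metadata endpoint (returns an IP address)", False, None),
}
for _p in range(10001, 10021):          # FTP data channels
    PORT_CATALOG[_p] = PortInfo("FTP data channel", True, "ftp")

# Outbound destinations the sandbox never allows, per the last reply.
RESTRICTED_OUTBOUND = {445, 137, 138, 139}


def triage(open_ports: Iterable[int], features_in_use: Set[str]) -> Dict[str, List[int]]:
    """Sort scanned ports into keep / closable / investigate buckets.

    `features_in_use` is a constructed parameter naming the features the app
    actually relies on (e.g. {"ftp"}); a blockable port whose feature is in use
    is kept, one whose feature is unused is reported as closable.
    """
    result: Dict[str, List[int]] = {"keep": [], "closable": [], "investigate": []}
    for port in sorted(set(open_ports)):
        info = PORT_CATALOG.get(port)
        if info is None:
            result["investigate"].append(port)       # not documented in the thread
        elif not info.blockable or info.feature in features_in_use:
            result["keep"].append(port)
        else:
            result["closable"].append(port)
    return result


def nsg_deny_rules(ports: Iterable[int], start_priority: int = 100) -> List[dict]:
    """Build inbound Deny rules for an ASE network security group.

    Ports the thread marks as not blockable are skipped rather than denied,
    so a careless list cannot cut off the Azure management ports 454/455.
    """
    rules = []
    for port in sorted(set(ports)):
        info = PORT_CATALOG.get(port)
        if info is not None and not info.blockable:
            continue
        rules.append({
            "name": f"deny-inbound-{port}",
            "properties": {
                "priority": start_priority + len(rules),
                "direction": "Inbound",
                "access": "Deny",
                "protocol": "Tcp",
                "sourceAddressPrefix": "*",
                "sourcePortRange": "*",
                "destinationAddressPrefix": "*",
                "destinationPortRange": str(port),
            },
        })
    return rules


def outbound_allowed(port: int) -> bool:
    """True unless the sandbox blocks the destination port regardless of address."""
    return port not in RESTRICTED_OUTBOUND


if __name__ == "__main__":
    # Constructed scan result: the ports Mark reported in the question.
    scan = [443, 454, 455, 1221, 4016, 4018, 4020]
    report = triage(scan, features_in_use=set())
    for bucket, ports in report.items():
        print(f"{bucket:12s} {ports}")
    for rule in nsg_deny_rules(report["closable"]):
        print(rule["name"], rule["properties"]["priority"])
```

Run as-is, the script keeps 443/454/455, lists the three Visual Studio debugging ports as closable, and reports 1221 for investigation because nothing in the thread documents it; the deny rules only matter if the app runs in an App Service Environment, since the replies above are explicit that the shared tenant environment offers no way to block ports.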