d3g4t · 2 years ago
Azure App Service Network Security Groups
The following is a list of ports used by an App Service Environment:
Inbound security rules
454: Required port used by Azure infrastructure for managing and maintaining App Service Environments. Do not block traffic to this port.
455: Required port used by Azure infrastructure for managing and maintaining App Service Environments. Do not block traffic to this port.
80: Default port for inbound HTTP traffic to apps running in App Service Plans in an App Service Environment.
443: Default port for inbound HTTPS (TLS, historically called SSL) traffic to apps running in App Service Plans in an App Service Environment.
21: Control channel for FTP. This port can be safely blocked if FTP is not being used.
10001-10020: Data channels for FTP. As with the control channel, these ports can be safely blocked if FTP is not being used.
4016: Used for remote debugging with Visual Studio 2012. This port can be safely blocked if the feature is not being used.
4018: Used for remote debugging with Visual Studio 2013. This port can be safely blocked if the feature is not being used.
4020: Used for remote debugging with Visual Studio 2015. This port can be safely blocked if the feature is not being used.
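A common way to break an App Service Environment is a "lock it down" NSG that allows 80/443, then denies everything else from the Internet, which silently cuts off the management ports 454 and 455. The script below is an added example, not part of the original post or of any Microsoft tooling: it audits an NSG in the JSON shape produced by `az network nsg show -o json` against the inbound list above, using first-match-by-priority NSG semantics plus Azure's built-in default rules. Two things are assumptions: the management-plane source address is a placeholder from the documentation range (the post does not give the real source ranges), and the `Internet` tag is approximated as "any address outside the VNet".

```python
"""Offline audit of an NSG against the App Service Environment inbound port list.

Input shape follows `az network nsg show -o json` (securityRules with
direction/priority/access/protocol/sourceAddressPrefix/destinationPortRange).
Added example; the sample NSGs at the bottom are constructed, not real exports.
"""
import ipaddress

AZURE_LB_IP = ipaddress.ip_address("168.63.129.16")  # what the AzureLoadBalancer tag resolves to

# Port list from the post. Required ports must stay reachable; optional ones may
# be blocked when the feature is unused.
REQUIRED_INBOUND = {"454": "ASE management", "455": "ASE management",
                    "80": "HTTP", "443": "HTTPS"}
OPTIONAL_INBOUND = {"21": "FTP control", "10001-10020": "FTP data",
                    "4016": "VS 2012 remote debug", "4018": "VS 2013 remote debug",
                    "4020": "VS 2015 remote debug"}

# Azure's built-in default inbound rules, present on every NSG at lowest precedence.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _ranges(spec):
    """'*', '443' or '10001-10020' -> (lo, hi)."""
    if spec == "*":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def _port_matches(rule, port):
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    return any(lo <= port <= hi for lo, hi in map(_ranges, specs))


def _source_matches(rule, src, vnet):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    for p in prefixes:
        if p == "*":
            return True
        if p == "VirtualNetwork" and src in vnet:
            return True
        if p == "Internet" and src not in vnet:  # assumption: Internet == outside the VNet
            return True
        if p == "AzureLoadBalancer" and src == AZURE_LB_IP:
            return True
        try:  # anything else is treated as a literal IP or CIDR
            if src in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:
            continue  # an unmodelled service tag: does not match
    return False


def evaluate_inbound(nsg, src_ip, port, vnet_cidr, protocol="Tcp"):
    """First-match NSG evaluation. Returns (deciding rule name, allowed?)."""
    src, vnet = ipaddress.ip_address(src_ip), ipaddress.ip_network(vnet_cidr)
    custom = [r for r in nsg.get("securityRules", []) if r["direction"] == "Inbound"]
    for r in sorted(custom + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["protocol"] not in ("*", protocol):
            continue
        if _port_matches(r, port) and _source_matches(r, src, vnet):
            return r["name"], r["access"] == "Allow"
    return "DenyAllInBound", False  # not reached: the default deny matches everything


def audit_ase_nsg(nsg, vnet_cidr, mgmt_source="203.0.113.10"):
    """errors: a required port is blocked; warnings: an optional port is open.
    mgmt_source is a placeholder public address standing in for the Azure
    management plane (assumption: the real source ranges are not in the post)."""
    errors, warnings = [], []
    for spec, what in REQUIRED_INBOUND.items():
        name, ok = evaluate_inbound(nsg, mgmt_source, int(spec), vnet_cidr)
        if not ok:
            errors.append(f"port {spec} ({what}) blocked by {name}")
    for spec, what in OPTIONAL_INBOUND.items():
        lo, hi = _ranges(spec)
        for port in sorted({lo, hi}):  # probe both ends of a range
            name, ok = evaluate_inbound(nsg, mgmt_source, port, vnet_cidr)
            if ok:
                warnings.append(f"port {spec} ({what}) open via {name}; block it if unused")
                break
    return {"errors": errors, "warnings": warnings}


def _rule(name, priority, access, ports, source="Internet", protocol="Tcp"):
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": ports}


# Constructed sample: allows web and FTP, then denies the rest of the Internet,
# which also cuts off 454/455 and leaves the ASE unhealthy.
BROKEN_NSG = {"securityRules": [
    _rule("AllowWeb", 100, "Allow", "80"),
    _rule("AllowTls", 110, "Allow", "443"),
    _rule("AllowFtp", 150, "Allow", "21", source="*"),
    _rule("DenyInternetInBound", 200, "Deny", "*"),
]}

# Same NSG with the management ports re-opened ahead of the deny and FTP removed.
FIXED_NSG = {"securityRules": [
    _rule("AllowAseManagement", 90, "Allow", "454-455"),
    _rule("AllowWeb", 100, "Allow", "80"),
    _rule("AllowTls", 110, "Allow", "443"),
    _rule("DenyInternetInBound", 200, "Deny", "*"),
]}

if __name__ == "__main__":
    for label, nsg in (("broken", BROKEN_NSG), ("fixed", FIXED_NSG)):
        print(label, audit_ase_nsg(nsg, "10.0.0.0/16"))
```

Against a real export, load the JSON and call `audit_ase_nsg(nsg, "<ase subnet or vnet CIDR>")`; address prefixes that use service tags other than the three modelled here are treated as non-matching, so review those rules by hand.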
Outbound security rules
Outbound network connectivity to Azure Storage endpoints worldwide. This includes endpoints located in the same region as the App Service Environment, as well as storage endpoints located in other Azure regions. Azure Storage endpoints resolve under the following DNS domains: table.core.windows.net, blob.core.windows.net, queue.core.windows.net and file.core.windows.net.
Outbound network connectivity to SQL Database endpoints located in the same region as the App Service Environment. SQL Database endpoints resolve under the following domain: database.windows.net.
Outbound network connectivity to the Azure management plane endpoints (both ASM and ARM endpoints). This includes outbound connectivity to both management.core.windows.net and management.azure.com.
Outbound network connectivity to ocsp.msocsp.com. This is the OCSP responder used for certificate revocation checks, which TLS/SSL functionality depends on.
The DNS configuration for the virtual network must be capable of resolving all of the endpoints and domains mentioned in the earlier points. If these endpoints cannot be resolved, App Service Environment creation attempts will fail, and existing App Service Environments will be marked as unhealthy.
If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet containing the App Service Environment.
The outbound network path cannot travel through internal corporate proxies, nor can it be force tunneled to on-premises. Doing so changes the effective NAT address of outbound network traffic from the App Service Environment. Changing the NAT address of an App Service Environment's outbound network traffic will cause connectivity failures to many of the endpoints listed above. This results in failed App Service Environment creation attempts, as well as previously healthy App Service Environments being marked as unhealthy.
Inbound network access to the required ports for App Service Environments must be allowed as described above.