Enable Always On

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: AppService-015

Ensure that your Microsoft Azure App Services web applications have Always On feature enabled in order to prevent applications from being idled out due to inactivity. Always On keeps your websites/web applications loaded even when there's no traffic.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Reliability
Performance
efficiency

By default, websites and web applications are unloaded if they have been idle for too long and this behavior is often undesired. The Always On feature keeps your Azure web applications up and running, which translates to higher availability and faster response times across the board. The feature it's required for continuous Azure WebJobs or WebJobs triggered by CRON expressions. WebJobs is a feature of Azure App Services that allows you to run a program or script in the same context as a web application, API app, or mobile app.


Audit

To determine if your Azure App Services web applications are configured to use Always On, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Services web application that you want to examine.

04 In the navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected application.

05 On the General settings panel, under Platform settings, check the Always on configuration setting. If the setting is turned Off, the Always On feature is currently disabled for the selected Microsoft Azure App Services web application.

06 Repeat steps no. 3 – 5 for each Azure App Services application available in the selected account subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Services web applications deployed in the current Azure subscription:

az webapp list
	--query '[*].id'

02 The command output should return the requested web application IDs:

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-prod-core-app",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-web-app"
]

03 Run webapp config show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as identifier parameter and custom query filters to describe the Always On feature state, configured for the selected application:

az webapp config show
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-prod-core-app"
	--query 'alwaysOn'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

false

If the webapp config show command output returns false, as shown in the example above, the Always On performance feature is disabled for the selected Microsoft Azure App Services web application.

05 Repeat step no. 3 and 4 for each Azure App Services application deployed within the current account subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Always On for your existing Microsoft Azure App Services web applications, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right application).

04 In the navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected application.

05 On the General settings panel, under Platform settings, select On next to Always on configuration setting to enable the Always On feature for the selected Azure App Services web application. Click Save to apply the changes.

06 Repeat steps no. 3 – 5 for each Azure App Services application that you want to reconfigure in order to enable Always On, available in the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp config set command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Services web application that you want to reconfigure as identifier parameter (see Audit section part II to identify the right app) to enable Always On performance feature for the selected application, in order to prevent it from going into idle mode:

az webapp config set
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-prod-core-app"
	--always-on true

02 The command output should return the metadata for reconfigured Microsoft Azure App Services application:

{
  "alwaysOn": true,
  "autoHealEnabled": false,
  "defaultDocuments": [
    "Default.htm",
    "Default.html",
    "Default.asp",
    "index.htm",
    "index.html",
    "iisstart.htm",
    "default.aspx",
    "index.php",
    "hostingstart.html"
  ],
  "ftpsState": "AllAllowed",
  "http20Enabled": true,
  "httpLoggingEnabled": true,

  ...

  "name": "cc-prod-core-app",
  "netFrameworkVersion": "v4.0",
  "nodeVersion": "",
  "numberOfWorkers": 2,
  "phpVersion": "5.6",
  "preWarmedInstanceCount": 0,
  "publishingUsername": "$cc-prod-core-app",
  "push": null,
  "pythonVersion": "",
  "remoteDebuggingEnabled": false,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "webSocketsEnabled": false,
  "windowsFxVersion": null,
  "xManagedServiceIdentityId": null
}

03 Repeat step no. 1 and 2 for each Azure App Services application that you want to reconfigure in order to enable Always On, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Apr 6, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Always On

Risk level: Medium