
Azure requires internet accessible ports to monitor your back end instances - chris408
https://chris408.com/post/microsoft-azure-application-gateway-exposes-your-backend-health-api-server/?HN
======
FuckOffNeemo
Can anyone else comment here if HTTP (not HTTPS) can use PKI for
authentication?

I'm not aware of any way of this being possible?

The sensitivity of the data or threat risk of the host from these open ports
is up for debate and probably should be reverse engineered in any which case.

Could these services be secured by another method that we've missed?

It's undoubtedly bad practice. But surely M$ haven't just left two
non-standard HTTP ports open to the internet from all hosted Azure instances?

~~~
chris408
I agree, it seems strange that these ports are open, which is why I wrote this
up. I spoke with Microsoft on the phone and they confirmed that the ports must
be open for their SLA checks and monitoring to work properly.

To reconfirm this, I ran a quick test and saw these ports open by default
after I configured an application gateway on my account.

~~~
FuckOffNeemo
Yeah... It's all quite odd.

~~~
chris408
Apparently they don’t have a mechanism to permit their own addresses because
the probes come from dynamic addresses. It sounded like they were adding this
as a predefined label in the future.

