Security | High | Occasional | AZF-0032

App Service public network access flipped back on exposes the app to the whole internet

An App Service locked to a private endpoint gets publicNetworkAccess set back to Enabled and the site is answering the public internet again.

Footgun ID: AZF-0032 (Azure Footgun No. 32)
Azure service: Azure App Service
Resource type: Microsoft.Web/sites
Updated: July 1, 2026

What it is

An Azure App Service (Web App or Function App) whose Public network access setting is flipped from Disabled back to Enabled. Whatever private endpoint or access-restriction posture you put in place, the app's default hostname now answers requests from any network on the internet.

Impact (security)
App front end reachable from any network, bypassing your private endpoint
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Public network access on App Service is a single property, properties.publicNetworkAccess. Teams lock an app down by setting it to Disabled and routing traffic through a private endpoint, then someone re-enables it during troubleshooting ("the app is unreachable from my laptop") and never sets it back.

Azure treats Enabled as a perfectly valid state, so nothing errors and nothing warns. The app keeps serving traffic, so from the outside everything looks healthy while the private-only guarantee is silently gone.

What it costs / blast radius

This is a security regression, not a line item. With public access back on, the app's *.azurewebsites.net endpoint is reachable from the open internet, so any authentication weakness, unpatched dependency, or exposed admin path is now attacker-reachable rather than confined to your VNet. The private endpoint you paid for and designed around is bypassed. (Azure behavior; the blast radius depends on what the app fronts.)

See it

Footgun: public network access re-enabled on a private-only app
param location string = resourceGroup().location

resource site 'Microsoft.Web/sites@2023-12-01' = {
  name: 'corp-api'
  location: location
  properties: {
    publicNetworkAccess: 'Enabled'   // undoes the private-endpoint lockdown
    // ...private endpoint still exists, but the app also answers the internet
  }
}

Fix: keep public access Disabled so only the private endpoint reaches the app
param location string = resourceGroup().location

resource site 'Microsoft.Web/sites@2023-12-01' = {
  name: 'corp-api'
  location: location
  properties: {
    publicNetworkAccess: 'Disabled'  // inbound traffic only via the private endpoint
  }
}
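A detection check for this regression, added here as an example and not code from the page or from StratoLens: it compares two snapshots of Microsoft.Web/sites resources and reports sites whose publicNetworkAccess weakened from Disabled to Enabled, and separately any site wired to a private endpoint that still answers the internet. The snapshots are constructed; field names (properties.publicNetworkAccess, properties.privateEndpointConnections) follow the ARM resource shape, and an unset property is treated as Enabled, which is Azure's default.

```python
"""Detect App Service sites whose public network access silently weakened."""

# Constructed sample snapshots (fields trimmed), in the shape Azure Resource Graph
# or `az resource show` returns for Microsoft.Web/sites, taken at two times.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
def make_site(name, **props):
    return {"id": f"{RG}/providers/Microsoft.Web/sites/{name}", "name": name,
            "properties": props}

BEFORE = [
    make_site("corp-api", publicNetworkAccess="Disabled",
              privateEndpointConnections=[{"name": "pe-corp-api"}]),
    make_site("marketing", publicNetworkAccess="Enabled", privateEndpointConnections=[]),
]
AFTER = [
    # corp-api: flipped during troubleshooting and never set back (the footgun)
    make_site("corp-api", publicNetworkAccess="Enabled",
              privateEndpointConnections=[{"name": "pe-corp-api"}]),
    make_site("marketing", publicNetworkAccess="Enabled", privateEndpointConnections=[]),
    # legacy-app: property never set at all, yet wired to a private endpoint
    make_site("legacy-app", privateEndpointConnections=[{"name": "pe-legacy"}]),
]

def effective_access(site):
    """Normalise the property: Azure treats a missing or empty value as Enabled."""
    props = site.get("properties") or {}
    return props.get("publicNetworkAccess") or "Enabled"

def has_private_endpoint(site):
    return bool((site.get("properties") or {}).get("privateEndpointConnections"))

def find_regressions(before, after):
    """Sites whose public access went Disabled -> Enabled between two snapshots."""
    previous = {s["id"]: s for s in before}
    findings = []
    for site in after:
        old = previous.get(site["id"])
        if old is None:
            continue  # newly created site; find_exposed_private_sites covers it
        was, now = effective_access(old), effective_access(site)
        if was == "Disabled" and now == "Enabled":
            findings.append({"name": site["name"], "before": was, "after": now})
    return findings

def find_exposed_private_sites(sites):
    """Sites that have a private endpoint yet still answer the public internet."""
    return sorted(s["name"] for s in sites
                  if has_private_endpoint(s) and effective_access(s) == "Enabled")
```

The second check needs only one snapshot, so it also catches apps that were never locked down in the first place.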

How StratoLens helps

StratoLens watches App Service configuration across every subscription and flags the moment publicNetworkAccess weakens from Disabled to Enabled, with the before/after values and when it changed. You find out an app went public because it was re-exposed, not because someone eventually noticed the private endpoint no longer mattered.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.