🛡️ Azure Application Gateway HTTP2 protocol is not enabled🟢

Contextual name: 🛡️ Application Gateway HTTP2 protocol is not enabled🟢
ID: /ce/ca/azure/application-gateway/gateway-http2-protocol
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: PERFORMANCE

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Application Gateway
- 🔌 Azure Application Gateway - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies Azure Application Gateways that do not utilize HTTP/2. Consider enabling HTTP/2 for improved performance, efficiency, and security. HTTP/2 protocol support is available to clients that connect to application gateway listeners only. Communication with backend server pools is always HTTP/1.1.

Rationale

Enabling HTTP/2 supports use of modern encrypted connections.

Impact

Clients and backend services that do not support HTTP/2 will fall back to HTTP/1.1.

Audit

This policy flags an Azure Application Gateway as INCOMPLIANT if its HTTP/2 traffic is not Enabled.

Default Value

HTTP/2 is enabled by default.

References

https://learn.microsoft.com/en-us/azure/application-gateway/features#websocket-and-http2-traffic

https://learn.microsoft.com/en-us/cli/azure/network/application-gateway

https://learn.microsoft.com/en-us/powershell/module/az.network/get-azapplicationgateway

https://learn.microsoft.com/en-us/powershell/module/az.network/set-azapplicationgateway

Remediation

Open File

Remediation

From Azure Portal

Go to Application gateways.

Select the name of an application gateway.

Under Settings, click Configuration.

Under HTTP/2, click Enabled.

Click Save.

Repeat steps 1-5 for each application gateway requiring remediation.

From Azure CLI

For each application gateway requiring remediation, run the following command to enable HTTP/2:
az network application-gateway update \
    --resource-group {{resource-group-name}} \
    --name {{application-gateway-name}} \
    --http2 Enabled
From PowerShell

Run the following command to get the application gateway in a resource group with a given name:
$gateway = Get-AzApplicationGateway `
    -ResourceGroupName {{resource-group-name}} `
    -Name {{application-gateway-name}}
Run the following command to enable HTTP/2:
$gateway.EnableHttp2 = $true
Run the following command to apply the update:
Set-AzApplicationGateway -ApplicationGateway $gateway
Repeat for each application gateway requiring remediation.

policy.yaml

Open File

Linked Framework Sections

Section	Policies	Compliance
💼 CIS Azure v5.0.0 → 💼 7.13 Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway (Automated)	1	no data
💼 CIS Azure v6.0.0 → 💼 7.13 Ensure 'HTTP2' is Set to 'Enabled' on Azure Application Gateway (Automated)	1	no data
💼 Cloudaware Framework → 💼 Performance Tuning	6	no data

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Default Value​

References​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Audit

Default Value

References

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections