Update ASE Cluster Settings without Azure Resource Explorer
Often customers using App Service Environment want to apply additional security features such as disabling TLS 1.0/1.1 or remove certain ciphers. In Azure Public you can use https://resources.azure.com to perform these actions. If you are working in any non-Azure Commercial clouds the existence of Azure Resource Explorer is not available. Here’s another programmatic method to update the settings without having to mess with ARM templates.
***Note if you are running this in PowerShell you may need to modify the syntax slightly to account for PowerShell translating values such as strings.
1. Run the following command to pull the ASE properties and outputs it to a file. This utilizes AZ CLI rest command -
az rest --method get --url https://management.usgovcloudapi.net/subscriptions/subID/resourceGroups/RGName/providers/Microsoft.Web/hostingEnvironments/ASEName?api-version=2018-02-01 > ase.json
2. Update the json file with the following cluster setting.
"clusterSettings": [
{
"name": "DisableTls1.0",
"value": "1"
},
{
"name": "FrontEndSSLCipherSuiteOrder",
"value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
}
],
3. Run the following command to update the ASE - This will trigger an update that will take some time.
az rest --method put --url https://management.usgovcloudapi.net/subscriptions/subID/resourceGroups/RGName/providers/Microsoft.Web/hostingEnvironments/ASEName?api-version=2018-02-01 --body @ase.json --headers Content-Type=application/json