2

We have a web app that is deployed as an App Service in Azure. We would like to restrict access to it by having a white list of IP addresses that can be done in some Azure App Service setting and not in web.config that we have inside the project.

Currently, this is how we do IP address restriction in our environments.

  • Production: We have VNet Integration setup for the App Service. We attached an NSG to the VNet's Subnet and from the NSG we can control inbound and outbound access.

  • Staging: We have the following block of configuration in our web.config that contains the whitelisted IP addresses that are allowed to access the App Service in our staging server.

    <security>
    <ipSecurity allowUnlisted="false" denyAction="NotFound">
        <add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add>
        <add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add>
    </ipSecurity>
</security>

  • Development(local): We have to uncomment the <security> configuration block in our local development machines coz we don't really need it. And it causes an error, please see screenshot below.

enter image description here

This is some the contents of the HttpFailre_09-07-33.html

Module         IpRestrictionModule
Notification   BeginRequest
Handler        aspNetCore
Error Code     0x80070021
Config Error   This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

We would like to completely remove this <security> block from web.config because for another reason, we don't want the IP addresses to reach production.

And also, we are not allowed to do VNet Integration in our Staging server (management stuff, duh! cost-cutting whatever!).

So is there a way to restrict IP addresses in Azure App Service?

jmc
  • 1,649
  • 6
  • 26
  • 47

2 Answers2

7

So is there a way to restrict IP addresses in Azure App Service?

1.We could use web.config to restrict IP address as you mentioned

2.We could connect to a WebApp from IIS manager and we can config restrict IP easily. More detail info please refer blog.

3.We could use REST API to do that, and we could easily do it with Azure Resource Exploer(https://resources.azure.com/). We also could do that with PowerShell cmdlets detail info please refer to another SO Thread. The following is the simple steps about how to use azure resource explorer to do that.

a. Open azure resource explorer and select the corresponding web site config web option to click the Edit button.

enter image description here

b. Change ipSecurityRestrictions to an array value.

enter image description here enter image description here

c. Click the Put button to send request.

enter image description here

Config Error This configuration section cannot be used at this path

If we do not unlock the handlers, we need to unlock the handlers, more info please refer to another SO Thread. Following is the snipped from the SO thread.

1) In the connections tree(in IIS), go to your server node and then to your website.

2) For the website, in the right window you will see configuration editor under Management.

3) Double click on the configuration editor.

4) In the window that opens, on top you will find a drop down for sections. Choose "system.webServer/handlers" from the drop down.

5) On the right side, there is another drop down. >Choose "ApplicationHost.Config "

6) On the right most pane, you will find "Unlock Section" under "Section" heading. Click on that.

7) Once the handlers at the applicationHost is unlocked, your website should run fine.

Community
  • 1
  • 1
Tom Sun - MSFT
  • 24,161
  • 3
  • 30
  • 47
  • Thanks for this! I decided to use #2 where I add the `ipRestriction` values in the `Azure Resource Explorer` directly. I have one question though, does it retain the `ipRestriction` values even if I deploy a new `web.config`? I just did a deploy and it did not change, I just want to confirm :) If it does change for every deploy, I may have to use PowerShell scripts to set `ipRestrictions` – jmc Feb 01 '17 at 09:54
  • From my experience, it is recommended to use PowerShell script to do that. – Tom Sun - MSFT Feb 01 '17 at 10:05
  • Ok, one last question please. Where do you recommend that I put the PowerShell script? I'm thinking of two places - 1.) Inside `project.json` I'll add a `postpublish` action to execute the script OR 2.) Inside the `PublishProfiles` I can add a `.ps1` file or just put the scripts directly inside the generated `publish-module.psm1` – jmc Feb 01 '17 at 11:13
  • Both of two ways sounds good. In my option you coud choose it as you like. – Tom Sun - MSFT Feb 01 '17 at 13:51
  • Defiantly #2, don't do server configuration for different environment in your application code. – CularBytes Jun 16 '17 at 20:44
  • 1
    IP Restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions) are now supported in App Services. You don't even need an App Service Environment (and pay Premium) for this! – Jose Parra Dec 09 '17 at 00:11
0

VNet/subnet type Access Restrictions can be configured on Azure App Service using powershell Az module command - Add-AzWebAppAccessRestrictionRule

https://learn.microsoft.com/en-us/powershell/module/az.websites/add-azwebappaccessrestrictionrule?view=azps-3.2.0

Vigneshwaran
  • 1