Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal

This article is divided into the following three parts.

  1. Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – We will learn how to restrict access to the Azure App Service manually using the Azure Portal.
  2. Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – We will learn how to leverage PowerShell scripting to dynamically bulk-insert IP addresses when configuring access restrictions for the Azure App Service.
  3. Azure DevOps – Automate Bulk IP Address Restriction of Azure App Service dynamically using PowerShell & Azure DevOps Pipeline – We will learn how to automate the Access Restriction process every time the list of IP addresses changes, using Azure DevOps Pipelines.
Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Three methods

Prerequisites:

  1. Azure Subscription
  2. Azure App Service

Introduction

Azure App Service is a PaaS offering from Microsoft Azure where we can host web applications. Once a web application is deployed, anyone can access it over the internet.

Below are some scenarios where you might want to restrict access to the App Service.

  1. Your application is an internal application hosted in Azure App Service and you would like to restrict access to your organization's IP addresses or network.
  2. Your application is not yet live and you want to allow access ONLY to your internal team, within a range of IP addresses, until the app goes live.
  3. You are using Deployment Slots and you don’t want outside people to access the staging slots.
  4. You are getting automated scraping requests from a set of IP addresses and you would like to block them.
  5. You would like to block internet access but allow only Azure services like Azure Application Gateway or Azure Front Door.
  6. Your app is an API which is NOT meant to be accessed by public users but only consumed by trusted parties.

In this article, we will learn how to restrict or allow access to the Azure App Service using the Azure Management Portal.

Azure Management Portal

Let’s start by navigating to the App Service (or a Staging Slot) and clicking on the Configure Access Restrictions link, which is available in the Networking blade as shown below.

Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions

You will be taken to the Access Restrictions blade as shown below.

Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions

Below are the components of the Access Restrictions blade highlighted in the above screenshot.

  1. The first tab shows all the access restrictions applied to the Azure app service.
  2. The second tab shows all the access restrictions that are applied to the Kudu website. You can learn more about Kudu at https://praveenkumarsreeram.com/2016/11/23/azure-app-service-and-kudu-the-deployment-framework/.
  3. The Add Rule button can be used to create a new access restriction rule for the app service.
  4. Finally, you can view all the existing access restrictions for the current app service.

Let’s now add a new access restriction rule to the app service by clicking on the Add Rule button.

In the Add Access Restriction blade, you can provide the following values to create a new Allow/Deny rule.

Parameter          Description
Name               The name of the rule.
Action             Allow – selecting this option will let the user access the App Service from the given IP Address (in the IP Address Block)
                   Deny – selecting this option will NOT let the user access the App Service from the given IP Address (in the IP Address Block)
Priority           The priority given for this rule.
Type               Select IPv4 (more on this below)
IP Address Block   Provide the IP Address Range. If you would like to mention only one IP Address, provide it in this format: 1.1.1.1/32

Note: This article focuses on the IPv4 type. The process for IPv6 is the same. The Access Restrictions feature also lets us control access using the types shown below.

Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions – Source Settings

You can leave the rest of the fields as they are, since they are not mandatory, and click on the Add Rule button to add the rule. Once the rule is added, you will notice the two changes below.

  1. The new rule with the values that you have provided will be added.
  2. The existing Allow All rule with Priority 1 will be changed into Deny Rule with a priority 2147483647
Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions – App Service Tab

Once you add a new rule (either Allow or Deny), a Deny All rule (shown in the above screenshot) is created, and no one will be able to access the app service except from the addresses explicitly allowed by Allow rules in the Access Restrictions blade.


That’s it. We have added an Allow rule for a single IP address to access the Azure App Service. Users from other IP addresses will not be able to access the Azure App Service. If they try, they will receive an error with the message “Error 403 Forbidden – The web app you have attempted to reach has blocked your access” as shown below.

Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions – Access Forbidden
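
The rule behaviour described above can be checked offline before touching the portal. The following is an added example, not code from the original article: it models rules being evaluated from the lowest priority number upwards, with the catch-all at priority 2147483647 deciding when nothing matches, and it flags rules that can never fire. The rule names and addresses are constructed sample values, and only IPv4 is handled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "Allow" or "Deny"
    priority: int  # lower number is evaluated first
    ip_block: str  # CIDR notation, e.g. "1.1.1.1/32"

def _net(rule):
    return ipaddress.ip_network(rule.ip_block, strict=False)

def evaluate(rules, client_ip):
    """Return (action, rule name) for the first rule whose block contains client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in _net(rule):
            return rule.action, rule.name
    # Nothing matched: the catch-all at priority 2147483647 decides.
    # It is Allow All while no rule exists and Deny All once any rule is added.
    return ("Deny", "Deny all") if rules else ("Allow", "Allow all")

def shadowed(rules):
    """Names of rules that never fire because an earlier rule covers their whole block."""
    ordered = sorted(rules, key=lambda r: r.priority)
    hidden = []
    for i, later in enumerate(ordered):
        if any(_net(later).subnet_of(_net(earlier)) for earlier in ordered[:i]):
            hidden.append(later.name)
    return hidden

# Constructed sample rule set (documentation address ranges, not real hosts).
RULES = [
    Rule("office", "Allow", 100, "203.0.113.0/24"),
    Rule("block-scraper", "Deny", 200, "203.0.113.77/32"),  # inside "office"
    Rule("partner", "Allow", 300, "198.51.100.10/32"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.10", "192.0.2.1"):
        print(ip, evaluate(RULES, ip))
    print("never fires:", shadowed(RULES))
```

In the sample set the Deny rule for 203.0.113.77 sits behind a broader Allow rule, so that address is still admitted; giving the Deny rule a lower priority number than the Allow rule fixes it.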

In this article, we have learnt how to manually allow/deny the access to a single IP Address using the Azure Management Portal. In the next article, we will learn how to perform Bulk insertion of the IP Addresses using PowerShell.

Hope it helps. Happy learning.
