Posted by Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell
This article is divided into below three parts.
- Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – We will learn how to restrict the access to the Azure App Service manually using the Azure Portal.
- Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – We learn how to leverage PowerShell scripting to dynamically do bulk insertion of IP Addresses for configuring access restrictions for the Azure App Service.
- Azure DevOps – Automate Bulk IP Address Restriction of Azure App Service dynamically using PowerShell & Azure DevOps Pipeline We will learn how to automate the process of Access Restriction every time there is a change in the list of IP addresses using Azure DevOps Pipelines.
Prerequisites:
- Azure Subscription
- Azure App Service
- PowerShell Core
- Azure PowerShell
- Visual Studio Code
Introduction
In the previous article Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal we have learnt how to manually add an Allow or Deny rule using the Azure Management Portal in the Networking / Access Restrictions blade by providing the below information.
In the Add Access Restriction blade, you can provide the following values to create a new Allow/Deny rule.
| Parameter | Description |
| Name | The name of the rule. |
| Action | Allow – selecting this option will let the user access the App Service from the given IP Address (in the IP Address Block) Deny – selecting this option will NOT let the user access the App Service from the given IP Address (in the IP Address Block) |
| Priority | The priority given for this rule. |
| Type | Select IPV4 (more on this below) |
| IP Address Block | Provide the IP Address Range. If you would like to mention only one IP Address then provide something in this format 1.1.1.1/32 |
When we did that, the rules are created and stored inside the ipSecurityRestrictions array of the Azure App Service Properties. We can review that Properties using the resources.azure.com website as shown below.
If you would like to add multiple IP Addresses in a single shot, then it is preferable to add those multiple IP Address to this array.
In this article, we are going to get the reference of this config properties, modify the ipSecurityRestrictions array and update the App Service Properties.
Below is the logic that we are going to implement in this article using PowerShell.
Let’s create a new file that contains all the IP Addresses that we would like to Allow / Block. I have created a File named IPAddress.txt. It’s a Comma Separated file as shown below.
Create a new PowerShell File named ReadIPAddress.ps1 using Visual Studio Code using the below code.
Param(
[Parameter(Mandatory = $true)]
[string] $ResourceGroupName,
[Parameter(Mandatory = $true)]
[string] $WebAppName,
[Parameter(Mandatory = $true)]
[string] $IPAddressSourceFileName
)
#Step1 - Get All IP Addresses from the File
$SourceIPAddresses = (Get-Content $IPAddressSourceFileName).Trim() | ConvertFrom-Csv
#Step2 - Get All existing IP Addresses from the Config of App Service
$APIVersion = ((Get-AzResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
$config = (Get-AzResource -ResourceType Microsoft.Web/sites/config -Name $WebAppName -ResourceGroupName $ResourceGroupName -ApiVersion $APIVersion)
#Step3 - Prepare the new IP Addresses list from that IPAddressList file and collect all the new ones into the $IpSecurityRestrictions collection
foreach($item in $SourceIPAddresses){
$Rule=$config.Properties.ipSecurityRestrictions | Where-Object { $_.ipAddress -eq $item.IPAddress}
if($null -ne $Rule)
{
Write-Host -ForegroundColor Green 'No Action on the IP:' $item.ipAddress
}
else
{
$config.Properties.ipSecurityRestrictions+=$item
}
}
#Step4 - Finally update the new IP Addresses to Azure App Service
Set-AzResource -ResourceId $config.ResourceId -Properties $config.Properties -ApiVersion $APIVersion -Force
In Order to run the above command from Visual Studio Code, navigate to the Terminate and run the below command
.\ReadIPAddresses.ps1 azdevops-rg-eus-dev azuredevops-wapp1-eus-dev IPAddresses.txt
Once you run the above command, you would see the output as shown below.
Finally, all the IP Addresses will be added to the Access Restrictions blade as shown below.
That’s it. We have learnt how to add the rules using the PowerShell from your local machine. In the next article, we will learn how to automatically run this using Azure DevOps pipelines.
Do you like this article? If you want to get more updates about these kind of articles, you can join my Learning Groups
Praveen Kumar Sreeram's Blog 
Hello Praveen sir,
Can you please write down how to integrate warmup urls script into Azure DevOps pipeline (Either use Powershell or Json)
LikeLike
You mean, warn up the url after a deployment is complete? to avoid performance issues for the immediate request post deployment?
LikeLike