Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell

This article series is divided into the following three parts.

  1. Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – We will learn how to restrict access to the Azure App Service manually using the Azure Portal.
  2. Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – We will learn how to use PowerShell scripting to bulk-insert IP Addresses when configuring access restrictions for the Azure App Service.
  3. Azure DevOps – Automate Bulk IP Address Restriction of Azure App Service dynamically using PowerShell & Azure DevOps Pipeline – We will learn how to automate the Access Restriction process, using Azure DevOps Pipelines, every time the list of IP addresses changes.

[Figure: Methods]

Prerequisites:

  1. Azure Subscription
  2. Azure App Service
  3. PowerShell Core
  4. Azure PowerShell
  5. Visual Studio Code

Introduction

In the previous article, Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal, we learnt how to manually add an Allow or Deny rule in the Networking / Access Restrictions blade of the Azure Management Portal by providing the information below.

In the Add Access Restriction blade, you can provide the following values to create a new Allow/Deny rule.

| Parameter | Description |
|---|---|
| Name | The name of the rule. |
| Action | Allow – selecting this option will let the user access the App Service from the given IP Address (in the IP Address Block). Deny – selecting this option will NOT let the user access the App Service from the given IP Address (in the IP Address Block). |
| Priority | The priority given for this rule. |
| Type | Select IPV4 (more on this below) |
| IP Address Block | Provide the IP Address Range. If you would like to mention only one IP Address then provide something in this format 1.1.1.1/32 |

When we did that, the rules were created and stored inside the ipSecurityRestrictions array of the Azure App Service properties. We can review those properties using the resources.azure.com website as shown below.

[Figure: Resources]

If you would like to add multiple IP Addresses in a single shot, it is preferable to add them directly to this array.

In this article, we are going to get a reference to these config properties, modify the ipSecurityRestrictions array and update the App Service properties.

Below is the logic that we are going to implement in this article using PowerShell.

[Figure: Flow Chart]

Let’s create a new file that contains all the IP Addresses that we would like to Allow / Block. I have created a file named IPAddresses.txt. It’s a comma-separated file as shown below.

[Figure: IPAddresses File]

Create a new PowerShell file named ReadIPAddresses.ps1 in Visual Studio Code with the below code.

Param(
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string] $WebAppName,
    [Parameter(Mandatory = $true)]
    [string] $IPAddressSourceFileName
)

# Step 1 - Get all IP Addresses from the file
$SourceIPAddresses = (Get-Content $IPAddressSourceFileName).Trim() | ConvertFrom-Csv

# Step 2 - Get all existing IP Addresses from the config of the App Service
$APIVersion = ((Get-AzResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
$config = (Get-AzResource -ResourceType Microsoft.Web/sites/config -Name $WebAppName -ResourceGroupName $ResourceGroupName -ApiVersion $APIVersion)

# Step 3 - Collect the IP Addresses from the file that are not yet present into the ipSecurityRestrictions collection
foreach ($item in $SourceIPAddresses) {
    $Rule = $config.Properties.ipSecurityRestrictions | Where-Object { $_.ipAddress -eq $item.IPAddress }
    if ($null -ne $Rule) {
        # A rule for this address already exists, so leave it untouched
        Write-Host -ForegroundColor Green 'No Action on the IP:' $item.ipAddress
    }
    else {
        # The CSV row is appended as-is, so its column names become the rule's property names
        $config.Properties.ipSecurityRestrictions += $item
    }
}

# Step 4 - Finally update the new IP Addresses to the Azure App Service
Set-AzResource -ResourceId $config.ResourceId -Properties $config.Properties -ApiVersion $APIVersion -Force

In order to run the above script from Visual Studio Code, navigate to the Terminal and run the below command.

.\ReadIPAddresses.ps1 azdevops-rg-eus-dev azuredevops-wapp1-eus-dev IPAddresses.txt

Once you run the above command, you would see the output as shown below.

[Figure: Output]

Finally, all the IP Addresses will be added to the Access Restrictions blade as shown below.

[Figure: Final Access Restrictions]
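
The script above appends every CSV row to ipSecurityRestrictions exactly as it was read, so a typo or an over-broad Allow range in the file goes straight into the App Service config. The following pre-flight check is an added example, not part of the original script: it assumes a CSV header of ipAddress,action,priority,name (the file contents are not shown on this page), and the helper Test-RestrictionRow and its /8 floor for Allow rules are hypothetical choices made for illustration.

```powershell
# Added example (not the article's script). Assumed CSV header: ipAddress,action,priority,name
$csvText = @'
ipAddress,action,priority,name
203.0.113.10/32,Allow,100,office-vpn
198.51.100.0/24,Allow,110,partner-range
0.0.0.0/0,Allow,120,temporary-open
203.0.113.999/32,Allow,130,typo-in-octet
192.0.2.7,Deny,140,missing-prefix
192.0.2.8/32,Permit,150,bad-action
'@  # constructed sample rows using documentation address ranges

function Test-RestrictionRow {
    # Hypothetical helper: returns the row plus a list of problems (empty list = acceptable)
    param([Parameter(Mandatory)] $Row, [int] $MinAllowPrefix = 8)  # /8 floor is an assumed policy
    $problems = @()
    $ip, $prefix = "$($Row.ipAddress)".Trim() -split '/', 2
    $parsed = $null; $bits = 0; $prio = 0
    if (-not ($ip -match '^\d{1,3}(\.\d{1,3}){3}$' -and
              [System.Net.IPAddress]::TryParse($ip, [ref] $parsed))) {
        $problems += 'ipAddress is not a dotted-quad IPv4 address'
    }
    if (-not [int]::TryParse([string] $prefix, [ref] $bits) -or $bits -lt 0 -or $bits -gt 32) {
        $problems += 'missing or invalid /prefix (a single host is written as /32)'
    }
    elseif ($Row.action -eq 'Allow' -and $bits -lt $MinAllowPrefix) {
        $problems += "Allow rule is wider than /$MinAllowPrefix"
    }
    if ($Row.action -notin 'Allow', 'Deny') { $problems += 'action must be Allow or Deny' }
    if (-not [int]::TryParse([string] $Row.priority, [ref] $prio) -or $prio -lt 1) {
        $problems += 'priority must be a positive integer'
    }
    [pscustomobject]@{ Row = $Row; Problems = $problems }
}

$results  = $csvText | ConvertFrom-Csv | ForEach-Object { Test-RestrictionRow -Row $_ }
$rejected = @($results | Where-Object { $_.Problems.Count -gt 0 })
$accepted = @($results | Where-Object { $_.Problems.Count -eq 0 } | ForEach-Object {
    # Keep only the expected properties and send priority as a number, not a CSV string
    [pscustomobject]@{ ipAddress = $_.Row.ipAddress.Trim(); action = $_.Row.action
                       priority  = [int] $_.Row.priority;   name   = $_.Row.name }
})

$rejected | ForEach-Object { Write-Warning "$($_.Row.ipAddress): $($_.Problems -join '; ')" }
$accepted | Format-Table
# Append $accepted (not the raw CSV rows) to ipSecurityRestrictions only if nothing was rejected
if ($rejected.Count -gt 0) { Write-Warning "$($rejected.Count) row(s) rejected; config not updated" }
```

To use it with a real file, replace the here-string with the output of Get-Content on the IP address file and run the check before Step 3 of the script.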

That’s it. We have learnt how to add the rules using PowerShell from your local machine. In the next article, we will learn how to run this automatically using Azure DevOps pipelines.


4 comments

  1. Hello Praveen sir,

    Can you please write down how to integrate warmup urls script into Azure DevOps pipeline (Either use Powershell or Json)
