How to restrict access to an App Service using a setting inside the Azure Portal

Question

We have a web app that is deployed as an App Service in Azure. We would like to restrict access to it by having a white list of IP addresses that can be done in some Azure App Service setting and not in web.config that we have inside the project.

Currently, this is how we do IP address restriction in our environments.

Production: We have VNet Integration setup for the App Service. We attached an NSG to the VNet's Subnet and from the NSG we can control inbound and outbound access.

Staging: We have the following block of configuration in our web.config that contains the whitelisted IP addresses that are allowed to access the App Service in our staging server.

<security>
    <ipSecurity allowUnlisted="false" denyAction="NotFound">
        <add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add>
        <add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add>
    </ipSecurity>
</security>

Development(local): We have to uncomment the <security> configuration block in our local development machines coz we don't really need it. And it causes an error, please see screenshot below.

This is some the contents of the HttpFailre_09-07-33.html

Module         IpRestrictionModule
Notification   BeginRequest
Handler        aspNetCore
Error Code     0x80070021
Config Error   This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

We would like to completely remove this <security> block from web.config because for another reason, we don't want the IP addresses to reach production.

And also, we are not allowed to do VNet Integration in our Staging server (management stuff, duh! cost-cutting whatever!).

So is there a way to restrict IP addresses in Azure App Service?

Tom Sun - MSFT Tom Sun - MSFT · Accepted Answer · 2017-02-01T06:42:22

So is there a way to restrict IP addresses in Azure App Service?

1.We could use web.config to restrict IP address as you mentioned

2.We could connect to a WebApp from IIS manager and we can config restrict IP easily. More detail info please refer blog.

3.We could use REST API to do that, and we could easily do it with Azure Resource Exploer(https://resources.azure.com/). We also could do that with PowerShell cmdlets detail info please refer to another SO Thread. The following is the simple steps about how to use azure resource explorer to do that.

a. Open azure resource explorer and select the corresponding web site config web option to click the Edit button.

b. Change ipSecurityRestrictions to an array value.

c. Click the Put button to send request.

Config Error This configuration section cannot be used at this path

If we do not unlock the handlers, we need to unlock the handlers, more info please refer to another SO Thread. Following is the snipped from the SO thread.

1) In the connections tree(in IIS), go to your server node and then to your website.

2) For the website, in the right window you will see configuration editor under Management.

3) Double click on the configuration editor.

4) In the window that opens, on top you will find a drop down for sections. Choose "system.webServer/handlers" from the drop down.

5) On the right side, there is another drop down. >Choose "ApplicationHost.Config "

6) On the right most pane, you will find "Unlock Section" under "Section" heading. Click on that.

7) Once the handlers at the applicationHost is unlocked, your website should run fine.

How to restrict access to an App Service using a setting inside the Azure Portal

2 Answers