1
votes

Non-production environments like staging, acceptance and testing are slots under a single App Service. I'd like to limit access to these environments to a specific set of users. The goal is to make the website fully functional for these users for testing. So disabling registration is not a simple solution. This is not about the management of the app service in Azure but rather about directly accessing the web application by visiting the web application URL.

I tried using BasicAuth as the first level of authentication to access the app service, but this did not work due to a conflict with the existing authentication.

Then I tried using ipSecurity rules in Web.Config. However, I cannot find how to enable these restrictions only when the app service is in non-production mode. I do not want a solution in which I have to manually add and remove IP rules.

<system.webServer>
  <security>
    <!-- How to disable the following rule in production -->
    <ipSecurity allowUnlisted="false" denyAction="Forbidden">
      <add allowed="true" ipAddress="203.0.113.0" subnetMask="255.255.255.0"/>
    </ipSecurity>
  </security>
</system.webServer>

Another argument against IP rules is that the users who must have access often connect from dynamic IPs.

Each environment has a unique URL and an application setting with the name of the environment it is in.


How can I add another layer of authentication on these non-production environments without having to manually change files?

2
Did you look at role-based access control (RBAC) for Azure App Services? blogs.msdn.microsoft.com/waws/2015/01/07/… - Aravind
Thanks, but I did not mean management of the app service, but rather direct access to the web application. I'll update my question to make this clearer. - Waaghals
"Non-production environments like staging, acceptance and testing are slots under a single App Service." - This is not a correct design! Deployment slots are used for deployment purposes. All slots share the same pool of resources (hardware). If you consider using slots for staging, acceptance and testing purposes, the performance of your web app will be degraded. - DevUser

2 Answers

1
votes

There are two ways you can consider to disable access to non-production slots:

  1. As explained here: https://ruslany.net/2014/04/azure-web-sites-block-web-access-to-non-production-deployment-slots/ use a rewrite rule in the site's web.config file
  2. Use the IP restrictions configuration for the particular slots in the Azure portal. You can read here that IP restrictions are not a swapped configuration, so each slot can have its own set of IP configurations: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Note: "Non-production environments like staging, acceptance and testing are slots under a single App Service." - This is not a correct design! Deployment slots are used for deployment purposes - test/verification before deployment, zero-downtime deployment. All slots share the same pool of resources (hardware). If you consider using slots as environments for staging, acceptance and testing purposes, the performance of your web app will be very much degraded.
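A sketch of option 1 above, as an added example that is not part of the original answer or of the linked article: one web.config deployed to every slot, where the rule only fires when the request's host name is a non-production slot, so nothing has to be edited per environment. The slot host names (`mysite-staging` and so on) are hypothetical, the IP range is the one from the question, and it assumes the IIS URL Rewrite module is available and that `{REMOTE_ADDR}` carries the client address.

```xml
<system.webServer>
  <rewrite>
    <rules>
      <!-- Inert on the production host name: both conditions must match
           before the request is rejected. -->
      <rule name="Restrict non-production slots" stopProcessing="true">
        <match url=".*" />
        <conditions logicalGrouping="MatchAll">
          <!-- Hypothetical slot host names; replace with your own. -->
          <add input="{HTTP_HOST}"
               pattern="^mysite-(staging|acceptance|testing)\.azurewebsites\.net$" />
          <!-- Client is NOT in the allowed range (203.0.113.0/24, taken
               from the ipSecurity rule in the question). -->
          <add input="{REMOTE_ADDR}"
               pattern="^203\.0\.113\.[0-9]+$"
               negate="true" />
        </conditions>
        <!-- Same outcome as denyAction="Forbidden" in the ipSecurity rule. -->
        <action type="CustomResponse"
                statusCode="403"
                statusReason="Forbidden"
                statusDescription="Access to this environment is restricted." />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

Any custom domain bound to a slot has to be added to the host pattern as well, otherwise requests arriving under that name never match the rule. Like the ipSecurity rule, this still depends on known client addresses, so it does not address users on dynamic IPs.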

-1
votes

Based on my understanding, you want to allow specific users to access the URL, so we need to manage the users. We can use AD authorization to do that. As the WebApp slot is a regular Azure WebApp, we need to configure it for each slot. We can get more info from the article.

It's important to emphasize that the slot is in itself a regular Azure Web App, it will have its own app settings, connection string, any other configuration settings and even an scm site (https://mysite-staging.scm.azurewebsites.net).

Please try to do that with the Azure portal. The following are the detailed steps:

1. Configure the AD authorization according to the official document.

2. Find the registered application in Azure AD.

3. If we just want to allow assigned users in Azure AD to log in, we need to set [User assignment required] -> Yes.

4. Add the specific users for accessing the WebApp.

5. Try to visit the WebApp using a browser and input the user name and password to log in.

6. Click the [Accept] button, then it will work as expected.