How to restrict IP addresses with an Azure App Service / Web App
Solution 1
App Service provides UX for this under Networking > Ip Restrictions
From here you can block a specic ip address or a range of address:
If you want to do it through web.config you will need to use XDT Transforms
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<security>
<ipSecurity xdt:Transform="RemoveAttributes(allowUnlisted)">
<add ipAddress="204.79.197.200" allowed="true" xdt:Transform="Insert"/>
</ipSecurity>
</security>
</system.webServer>
</configuration>
You can read more about XDT transforms and app service here: https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples
Solution 2
Yes, ipSecurity section in web.config works with Azure App Services.
What are the steps to get a simple IP address blocking (black list) set up with a web app hosted on Azure?
<system.webServer>
<security>
<ipSecurity>
<add ipAddress="x.x.x.x" allowed="false" />
</ipSecurity>
</security>
</system.webServer>
We also could connect to a WebApp from IIS manager and we then can config restrict IP easily. More detail info please refer to blog.
Related videos on Youtube
Armin
Updated on September 15, 2022Comments
-
Armin over 1 year
Does the ipSecurity section in web.config works with Azure App Services?
What are the steps to get a simple IP address blocking (black list) set up with a web app hosted on Azure?
-
juunas over 6 years@Jaxidian Tom Sun's answer shows that you can indeed use the IP security module as normal. An ASE is required when you need stronger isolation, since the app is public if it is not in an ASE.
-
-
Armin over 6 yearsI noticed a Germany-based bot bombarding my site with the IP address 78.46.128.0 However, adding this IP to the ipSecurity section caused absolutely no effect. Is it because the address ends with .0? (in overall, indeed, the blocking works, tested with my own IP)
-
Tom Sun - MSFT over 6 yearsIt is very odd about that. Base on my knowledge,it should work for all vaild IPs. We also could get more info about ipsecurity from the official document.
-
Armin over 6 yearsIt's weird, indeed. I also tried to flag the "Enable Proxy Mode" option, with no difference though.
-
Tom Sun - MSFT over 6 yearsDo you have a try to use the dynamic IP restriction setting?
-
Jaywaa over 6 yearsHow do you block a specific IP address using the Azure UI? Entering one seems to restrict access to only that IP.
-
Veselin Vasilev about 6 yearsI don't think ipSecurity at web.config level works on Azure App Service unfortunately
-
Matthew almost 6 yearsNote that the UI for IP address restrictions seems to knock back on any Azure AD authentication that you might have turned off! This took me ages to work out.
-
Matthew almost 6 years@Jaywaa blocking IP addresses is still being worked on by Microsoft github.com/MicrosoftDocs/azure-docs/issues/8043
-
Josh Noe over 5 yearsThis no longer works the way described here. Now, if you add any rule (Allow or Deny), all IP addresses are blocked except the Allow ones. AFAIK it's no longer possible to blacklist IPs, only whiltelist.
-
drewmerk over 4 years@JoshNoe It is possible to blacklist an IP from the Azure Portal UI. You have to explicitly create an "Allow All" rule first. See this article for more details (3/4 of the way down the page) - docs.microsoft.com/en-us/azure/app-service/…