How to setup IP Security Restrictions for an Azure App Service


I wrote an article here that describes how to connect to a Web App from IIS manager. If you cannot do that, read down at the bottom of the article where I show the configuration you can add to the web.config manually.

Here is a document that discusses this feature in more detail.

Once you have configured the App Service with the IIS Management console, you will see the IP Address and Domain Restrictions icon, similar to that in Figure 1.
222
Figure 1, setup IP security restrictions for an Azure App Service (Web App, Mobile App, API App, Logic App)

As a test I am going to Deny access to my IP address for this Web App. I found my IP address here. With that information I added it to the Deny Restriction Rule, as shown in Figure 2.
223
Figure 2, adding an IP deny restriction rule to an Azure App Service

Clicked OK which added the Deny rule to the configuration. You should see the rule added to the feature pane similiar to that in Figure 3.
224
Figure 3, adding an IP deny restriction rule to an Azure App Service

NOTE: I did see a lag between the time I created this rule and the time it started acting as I expected. To make it effective quickly, I scaled up or down so my VM is recreated and it work immediately after that.
If you select Edit Feature Settings as shown in Figure 3, you can control the response (Deny Action Type) IIS sends to the client, see Figure 4.

225
Figure 4, adding an IP deny action type an Azure App Service

Where Unauthorized returns a 401, Forbidden a 403, Not Found a 404 and Abort, I received a 502.
You can also configure Dynamic IP Restrictions by clicking on the Edit Dynamic IP Restrictions, also shown in Figure 3 previously. Clicking on that link renders this window, Figure 5, for making the configurations.

226
Figure 5, adding an IP deny action type an Azure App Service

You can read about Dynamic IP Restrictions here for the details. Quoted from this page „The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks.“

Comments (4)

  1. Darrell Sveistrup says:

    You tile says for Azure App, but its just doing IIS

    1. @Darrell, the first sentence has a link where I show how to connect the IIS manager to an App Service. IMO it is easier and more safe to make this change via the IIS manager versus manually adding it to the configuration file. Here is the link JIC: https://blogs.msdn.microsoft.com/benjaminperkins/2014/08/05/configure-remote-iis-administration-for-microsoft-azure-web-sites/

  2. Jason Coleman says:

    Up at the top of the article you mention showing how to add these restrictions manually via web.config, but I don’t see that anywhere.

    1. @Jason, yep. I will update the blog ASAP. Until then you can look at the code snippets at these URLs that show the XML for the web.config page.
      https://www.iis.net/configreference/system.webserver/security/dynamicipsecurity
      https://www.iis.net/configreference/system.webserver/security/ipsecurity

Skip to main content