2

I have a web role that I have configured via the NetworkConfiguration section of the .cscfg to be part of a Virtual Network. I only want the web role to be accessed from other computers within the Virtual Network, not from the public internet.

Initially I had created an input endpoint for port 80, and this allows me to access the web role from a computer on the virtual network, and from the public internet.

I then changed this to an internal endpoint for port 80, but this blocked all access from both the public internet and computers on the virtual network.

How can I block public internet access, but allow access via the virtual network?

BG100
  • I'm also looking for something like this. Here is a similar article, but it's for VMs in cloud services, not web roles. http://stackoverflow.com/questions/22512077/hiding-cloud-services-for-vpn-access-only – TWilly Jun 19 '14 at 21:45

2 Answers

1

You may be able to do so by editing the ACL on the endpoint tab of your Web Role settings page. To do so:

- Select the endpoint you would like to restrict access to and then click on Manage ACL.

Defining ACL for the selected endpoint:


Then you may be able to deny access to other networks, as done above.

Note: the subnet 0.0.0.0/0 represents the Internet; be sure to put all permit rules on top, as done above.

Restricting access to other networks:


Pierre.Vriens
Emmanuel TOPE
0

The answer above is the easiest way to update the Access Control List for Azure Virtual Machines; however, at time of writing it is not possible to directly edit the ACL for an Azure Web / Worker role. It is necessary to update the role's ServiceConfiguration.Cloud.cscfg: http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx.

Once the cloud configuration file has been updated, redeploy both this file and the packaged role. If the role has already been deployed, you can also just upload the configuration file through the Azure portal or PowerShell: http://www.devopsfu.com/2014/08/11/azure-cs-endpoint-acls/.

Benjamin
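The ACL the answers describe, written as a .cscfg NetworkConfiguration fragment and checked with a small script; this is an added example, not part of either answer. The role, endpoint and ACL names and the 10.0.0.0/24 subnet are placeholders, and the checker assumes rules are evaluated lowest `order` first with the first match deciding, which is why permit rules go on top.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"c": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"}

# Constructed, trimmed sample: WebRole1, Endpoint1, VNetOnly and 10.0.0.0/24 are placeholders.
SAMPLE_CSCFG = """\
<ServiceConfiguration serviceName="ExampleService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1"><Instances count="1" /></Role>
  <NetworkConfiguration>
    <AccessControls>
      <AccessControl name="VNetOnly">
        <Rule order="100" action="permit" remoteSubnet="10.0.0.0/24" description="virtual network" />
        <Rule order="200" action="deny" remoteSubnet="0.0.0.0/0" description="the Internet" />
      </AccessControl>
    </AccessControls>
    <EndpointAcls>
      <EndpointAcl role="WebRole1" endpoint="Endpoint1" accessControl="VNetOnly" />
    </EndpointAcls>
  </NetworkConfiguration>
</ServiceConfiguration>
"""

def ordered_rules(cscfg_text, role, endpoint):
    """Rules of the ACL bound to role/endpoint as (order, action, network), lowest order first."""
    net = ET.fromstring(cscfg_text).find("c:NetworkConfiguration", NS)
    if net is None:
        return []
    bound = {e.get("accessControl") for e in net.findall("c:EndpointAcls/c:EndpointAcl", NS)
             if e.get("role") == role and e.get("endpoint") == endpoint}
    rules = [(int(r.get("order")), r.get("action").lower(), ipaddress.ip_network(r.get("remoteSubnet")))
             for acl in net.findall("c:AccessControls/c:AccessControl", NS)
             if acl.get("name") in bound for r in acl.findall("c:Rule", NS)]
    return sorted(rules, key=lambda rule: rule[0])

def decision(cscfg_text, role, endpoint, source_ip):
    """Action of the first rule matching source_ip; None if no explicit rule matches."""
    addr = ipaddress.ip_address(source_ip)
    for _order, action, network in ordered_rules(cscfg_text, role, endpoint):
        if addr in network:
            return action
    return None

def shadowed_permits(cscfg_text, role, endpoint):
    """Permit subnets that can never match because an earlier deny rule already covers them."""
    rules = ordered_rules(cscfg_text, role, endpoint)
    return [str(net) for i, (_, act, net) in enumerate(rules) if act == "permit"
            and any(a == "deny" and net.subnet_of(n) for _, a, n in rules[:i])]
```

Running `shadowed_permits` over a configuration before uploading it catches the case where the deny for 0.0.0.0/0 is ordered ahead of the permit and locks out the virtual network as well.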