Background:

I'm hosting 2 separate Website instances - 1 for a WebAPI2 "API", and 1 as an MVC5 "Client" that consumes said API. I would like to restrict access for the "API" to the "Client" (there are multiple clients).

(I've only seen answers for Cloud Services or VMs, so wanted to ask if there was anything I could use for Websites. I don't want to use a cloud service or a VM, as the website is faster, lighter, cheaper - which is what I need... could not find a firewall feature for Websites in Azure.)

Problem:

I believe I can limit access to the "API" by setting parameters in the project's Web.Config file. But nslookup in the command prompt yields the same IP Address for all Azure websites under my account.

Question:

How do I find the right IP Address -- one that the "Client" website will use to access the "API" Website instance?

If there is a better way to restrict access... please do suggest it.

ASX

1 Answer

You cannot secure your site by IP ACLing, as web sites in Azure are running in a multi-tenant environment and they share a set of IP addresses (IP addresses are per DC).

You need to rely on different security mechanisms (using some secret which only client/server know etc.).

Hope that helps.

You can also take a look at How to determine Azure website outgoing IP Address?

Petr

Petr Podhorsky
  • Another way to find the outgoing IP address is here: http://blogs.msdn.com/b/waws/archive/2014/07/01/get-the-outgoing-ip-address-of-your-azure-web-site.aspx But as I said, other sites will share the same IP address, so you would lock it down, but not entirely (not only for your site). – Petr Podhorsky Jul 14 '14 at 17:08
  • So there is no way to "firewall" the API server when deployed as a website? If I need some sort of firewall (rather than just key authentication - so that unauthorized requests don't actually hit my app), is the Cloud Service the only real way to go? – ASX Jul 14 '14 at 18:54
  • After looking through it all, I guess it is... pity. Thanks for the answer! – ASX Jul 14 '14 at 19:01
  • You can use IP filtering on your API site, but the problem here is that the IP address for your "Client" is not dedicated to "Client" only. For filtering incoming requests, you can use http://azure.microsoft.com/blog/2013/12/09/ip-and-domain-restrictions-for-windows-azure-web-sites/ – Petr Podhorsky Jul 14 '14 at 22:08
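
The shared-secret approach suggested in the answer, as an added example (not code from the thread): a Web API 2 message handler that rejects any request lacking a valid HMAC-SHA256 signature made with a per-client secret, before controller code runs. The header names, the `ApiSecret:<clientId>` app-setting layout and the signed-string format are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical handler. Register with: config.MessageHandlers.Add(new SharedSecretHandler());
public class SharedSecretHandler : DelegatingHandler
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    const long MaxSkewSeconds = 300; // bounds how long a captured request can be replayed

    // Client and API both compute Base64(HMAC-SHA256(secret, "METHOD\nPATH?QUERY\nTIMESTAMP")).
    // The body is not covered; add a body hash to the signed string if that matters.
    public static string Sign(string secret, string method, string pathAndQuery, string timestamp)
    {
        string data = method + "\n" + pathAndQuery + "\n" + timestamp;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        string clientId = Header(request, "X-Client-Id");
        string timestamp = Header(request, "X-Timestamp"); // Unix seconds, UTC
        string signature = Header(request, "X-Signature");
        // Assumed layout: one app setting per client, e.g. key "ApiSecret:client-a".
        string secret = clientId == null ? null : ConfigurationManager.AppSettings["ApiSecret:" + clientId];
        long now = (long)(DateTime.UtcNow - Epoch).TotalSeconds, ts;
        bool ok = !string.IsNullOrEmpty(secret) && signature != null && long.TryParse(timestamp, out ts)
            && ts >= now - MaxSkewSeconds && ts <= now + MaxSkewSeconds
            && FixedTimeEquals(signature, Sign(secret, request.Method.Method, request.RequestUri.PathAndQuery, timestamp));
        if (!ok)
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request });
        return base.SendAsync(request, ct);
    }

    static string Header(HttpRequestMessage r, string name)
    {
        IEnumerable<string> v;
        return r.Headers.TryGetValues(name, out v) ? v.FirstOrDefault() : null;
    }
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length; // compare every position, no early exit on mismatch
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The MVC5 client calls the same `Sign` routine with its own secret and sets the three headers on each outgoing request over HTTPS.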