13

I'm using ARM templates to deploy to Azure Web Apps. The site is deployed to a number of environments, with the ARM template accepting different parameters for each.

One of the requirements is to enable an IP block on the site in some environments but not others. This can be done through web.config, but this isn't ideal as I manage all app settings through ARM and do a webdeploy of the zipped site. Adding transforms for each environment would be a pain and require significant rework.

I'd like to specify something like this in my template file:

    {
      "type": "config",
      "apiVersion": "2015-08-01",
      "name": "web",
      "properties": {
        "ipSecurityRestrictions": {
          "allowUnlisted": false,
          "ipAddresses": [ "127.0.0.1", "127.0.0.2" ]
        }
      },
      "dependsOn": [
        "[concat('Microsoft.Web/sites/', parameters('nameofwebapp'))]"
      ]
    }

Browsing the resource provider for "Microsoft/Web" with resources.azure.com, it appears that this might be possible, as there is an "ipSecurityRestrictions" property on "config/web".

ARMView

The ARM Explorer code shows it here and hints at its usage. I can also find a past usage of it in the .NET SDK here (ran out of allowed links).

When I attempt to set this using resources.azure.com I get no feedback and the value returns to null.

Can anyone help with details on how I can use this property?

lawrencegripper

3 Answers

14

That setting is for allowed IP addresses rather than exclusions - you can set it via https://resources.azure.com/

Usage example is:

    "ipSecurityRestrictions": [
      {
        "ipAddress": "12.23.254.3",
        "subnetMask": "255.255.0.0"
      }
    ]

Jamie D
  • 1
    That worked perfectly! The web element from the ARM template now looks like this:

        {
          "type": "config",
          "apiVersion": "2015-08-01",
          "name": "web",
          "properties": {
            "ipSecurityRestrictions": [
              {
                "ipAddress": "11.11.11.11", // Only allow this ip, block all others
                "subnetMask": "255.255.255.255"
              }
            ]
          },
          "dependsOn": [
            "[concat('Microsoft.Web/sites/', parameters('nameofwebapp'))]"
          ]
        }

    – lawrencegripper May 12 '16 at 08:18
  • 2
    You can use parameters as well for this. Here is an example of a set of IP addresses to allow as an array parameter:

        {
          "name": "web",
          "type": "config",
          "apiVersion": "2015-08-01",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]"
          ],
          "tags": { "displayName": "Allowed IPs" },
          "properties": {
            "ipSecurityRestrictions": "[parameters('ipRangesPermitted')]"
          }
        }

    Put this under the 'resources' for the Website. – TimBunting Aug 31 '17 at 08:30

8

I've had to add siteConfig and place the ipSecurityRestrictions there to make it work:

    {
        "apiVersion": "2015-06-01",
        "name": "[parameters('siteName')]",
        "type": "Microsoft.Web/Sites",
        ...
        "properties":{
            "siteConfig":{
                "ipSecurityRestrictions" : {
                     "ipAddress": "123.123.123.123"
                }
            }
        },
        "resources" : {
            ...
        }
    }

Lars Celie
0

Just adding to Lars' answer: for people who are using a Standard Logic App and Bicep, it's pretty similar.

    @description('Ip restrictions')
    param iprestriction array

    resource logicApp 'Microsoft.Web/sites@2022-03-01' = {
      name: logicAppName
      location: location
      kind: 'functionapp,workflowapp'
      ...
      properties: {
        httpsOnly: true
        serverFarmId: appServicePlan.id
        siteConfig: {
          ipSecurityRestrictions: iprestriction
          appSettings: [
            {
              name: 'APP_KIND'
              value: 'workflowApp'
            }
            ...
          ]
        }
      }
    }

The parameter file looks like the following:

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "Version": {
          "value": "1.0.0"
        },
        "iprestriction": {
          "value": [
            {
              "ipAddress": "10.0.0.0/24",
              "action": "Allow",
              "priority": 100
            },
            {
              "ipAddress": "192.168.0.0/24",
              "action": "Allow",
              "priority": 200
            }
          ]
        }
      }
    }

wei
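
A pre-deployment check for the rule lists shown in these answers, added here as an example (not code from any of the posters or from Azure tooling): it computes the range each entry actually admits, for both the `ipAddress`/`subnetMask` shape and the CIDR shape. The sample rules, the 256-address threshold and the function names are assumptions made for the illustration.

```python
import ipaddress
import json

# Constructed sample rules in both shapes shown on this page:
# legacy ipAddress + subnetMask, and CIDR with action/priority.
SAMPLE_RULES = json.loads("""[
  {"ipAddress": "12.23.254.3", "subnetMask": "255.255.0.0"},
  {"ipAddress": "11.11.11.11", "subnetMask": "255.255.255.255"},
  {"ipAddress": "10.0.0.0/24", "action": "Allow", "priority": 100},
  {"ipAddress": "0.0.0.0/0", "action": "Allow", "priority": 300}
]""")

MAX_ADDRESSES = 256  # assumed review threshold, not an Azure limit


def effective_interface(rule):
    """Parse either rule shape into an address-plus-prefix interface."""
    addr = rule["ipAddress"]
    mask = rule.get("subnetMask")
    if mask and "/" not in addr:
        addr = f"{addr}/{mask}"  # legacy shape: mask is a separate property
    # A bare address with no mask parses as a single host (/32 or /128).
    return ipaddress.ip_interface(addr)


def review(rules, max_addresses=MAX_ADDRESSES):
    """Return one finding per rule: effective network, size, and issues."""
    findings = []
    for rule in rules:
        iface = effective_interface(rule)
        net = iface.network
        issues = []
        # Rules without "action" are treated as Allow (assumption, following
        # the first answer: the setting lists allowed addresses).
        if rule.get("action", "Allow").lower() == "allow":
            if net.prefixlen == 0:
                issues.append("allows any address")
            elif net.num_addresses > max_addresses:
                issues.append("broad range")
            if iface.ip != net.network_address:
                # Written like a single host, but the mask admits the whole network.
                issues.append("host bits set")
        findings.append({"network": str(net), "addresses": net.num_addresses, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_RULES):
        print(f"{f['network']:<18} {f['addresses']:>10}  {', '.join(f['issues']) or 'ok'}")
```

The first sample entry is the rule from the first answer: with mask `255.255.0.0` it admits all of `12.23.0.0/16`, not just `12.23.254.3`.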