9

Does the ipSecurity section in web.config work with Azure App Services?

What are the steps to get a simple IP address blocking (black list) set up with a web app hosted on Azure?

Tom Sun - MSFT
Armin
  • I'm not very familiar with this but I think this is where you need to use advanced networking features to control that. In order to do that, I think you have to use an ASE (Application Service Environment). They cost a bit more - I've not actually done this before. Hopefully this at least gets you started in the right direction. Somebody else can probably provide more/better info while you go research based on this tip though. :-) – Jaxidian Aug 31 '17 at 21:38
  • 1
    @Jaxidian Tom Sun's answer shows that you can indeed use the IP security module as normal. An ASE is required when you need stronger isolation, since the app is *public* if it is not in an ASE. – juunas Sep 01 '17 at 06:31
  • @juunas Thanks for correcting me! That's precisely why I started by stating I wasn't very familiar with this. Glad this was easier than what I had thought! :-) – Jaxidian Sep 01 '17 at 16:59

2 Answers

10

App Service provides UX for this under Networking > IP Restrictions

IP Restrictions

From here you can block a specific IP address or a range of addresses:

Block ip addresses

If you want to do it through web.config you will need to use XDT Transforms

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <security>
      <ipSecurity xdt:Transform="RemoveAttributes(allowUnlisted)">
        <add ipAddress="204.79.197.200" allowed="true" xdt:Transform="Insert"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>

You can read more about XDT transforms and app service here: https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples

Byron Tardif
  • 2
    How do you block a specific IP address using the Azure UI? Entering one seems to restrict access to only that IP. – Jaywaa Jan 11 '18 at 09:25
  • Note that the UI for IP address restrictions seems to knock back on any Azure AD authentication that you might have turned off! This took me ages to work out. – Matthew May 15 '18 at 02:14
  • @Jaywaa blocking IP addresses is still being worked on by Microsoft https://github.com/MicrosoftDocs/azure-docs/issues/8043 – Matthew May 15 '18 at 02:23
  • 1
    This no longer works the way described here. Now, if you add any rule (Allow or Deny), *all* IP addresses are blocked except the Allow ones. AFAIK it's no longer possible to blacklist IPs, only whitelist. – Josh Noe Dec 06 '18 at 22:48
  • 2
    @JoshNoe It is possible to blacklist an IP from the Azure Portal UI. You have to explicitly create an "Allow All" rule first. See this article for more details (3/4 of the way down the page) - https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions – drewmerk Nov 06 '19 at 15:53
2

Yes, the ipSecurity section in web.config works with Azure App Services.

What are the steps to get a simple IP address blocking (black list) set up with a web app hosted on Azure?

<system.webServer>
  <security>
    <ipSecurity>
      <add ipAddress="x.x.x.x" allowed="false" />
    </ipSecurity>
  </security>
</system.webServer>

We can also connect to a WebApp from IIS Manager and then configure IP restrictions easily. For more details, please refer to the blog.


Tom Sun - MSFT
  • I noticed a Germany-based bot bombarding my site with the IP address 78.46.128.0. However, adding this IP to the ipSecurity section had absolutely no effect. Is it because the address ends with .0? (Overall, the blocking does work; I tested it with my own IP.) – Armin Sep 01 '17 at 06:58
  • That is very odd. Based on my knowledge, it should work for all valid IPs. We can also get more info about ipSecurity from the [official document](https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/). – Tom Sun - MSFT Sep 01 '17 at 07:11
  • It's weird, indeed. I also tried to flag the "Enable Proxy Mode" option, with no difference though. – Armin Sep 01 '17 at 07:21
  • Have you tried using the dynamic IP restriction setting? – Tom Sun - MSFT Sep 01 '17 at 07:25
  • I don't think ipSecurity at web.config level works on Azure App Service unfortunately – Veselin Vasilev Mar 16 '18 at 04:22
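
Added example (not from any of the posts above): a small Python checker that parses an ipSecurity section and reports whether a client address would be allowed, so a deny list can be sanity-checked before deployment. It uses the IIS defaults allowUnlisted="true" and subnetMask="255.255.255.255" and assumes the first matching entry wins; the function names and the sample config (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a deny list in the shape of the second answer,
# using RFC 5737 documentation addresses instead of real ones.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <add ipAddress="203.0.113.7" allowed="false" />
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="false" />
        <add ipAddress="192.0.2.0" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

def load_rules(config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) for the ipSecurity section."""
    section = ET.fromstring(config_xml).find("system.webServer/security/ipSecurity")
    if section is None:
        return True, []  # no section present: nothing is restricted
    # IIS default: unlisted clients are allowed unless allowUnlisted="false".
    allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for entry in section.findall("add"):
        if entry.get("ipAddress") is None:
            continue  # domainName entries are out of scope for this sketch
        # IIS default mask is a single host; a range needs an explicit subnetMask.
        mask = entry.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, entry.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules

def is_allowed(client_ip, config_xml=SAMPLE_WEB_CONFIG):
    """Assumption: the first matching entry decides; otherwise allowUnlisted does."""
    allow_unlisted, rules = load_rules(config_xml)
    addr = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if addr in net:
            return allowed
    return allow_unlisted
```

In the sample, the 192.0.2.0 entry has no subnetMask, so it covers only that one address, while the 198.51.100.0 entry with a 255.255.255.0 mask covers the whole /24.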