
I have a Web API hosted in Azure App Services, and I want to use the restriction tool to restrict traffic for every single IP that exists, with the exception of the IP address that we want to actually call this service.

How should I proceed? This answer shows the correct way to block a single IP, and even mentions that you can block a range of IPs, but I don't really know how to block a range, as there are not two input boxes to write a range.


Can you help me out please? Thank you!

SamyCode

2 Answers

So, after digging around even more, I found the way. The issue is that the IP address input box expects either an IP or a range of IPs based on CIDR notation. In CIDR notation, to block everything, you will write: 0.0.0.0/0

If you don't know CIDR notation, you can use this builder.

EDIT:

To allow only one IP address, it is enough to create a rule allowing just that one. This will automatically block every call from other IP addresses.

SamyCode
  • So you added an Allow rule for your one address and then a Deny rule with 0.0.0.0/0? – juunas Jun 15 '21 at 05:49
  • From my understanding you create an allow rule with 0.0.0.0/0 as the CIDR (IP address). This will then create a block rule from all IP addresses and you are unable to have 0.0.0.0 as an IP as it is reserved – blockingHD Jun 15 '21 at 09:53
  • I tried this, it does add the Rule to the list so that works fine, but the "Allow all" won't change to "Deny all" (if I use the AZ command or ARM template to add the Rule, but from the UI it does change it to Deny all), how is this possible? – muyat Jan 17 '23 at 09:13
  • @muyat do you want to allow just one IP? – SamyCode Feb 08 '23 at 20:50

This would be better handled using the Azure CLI, not the portal.

Here is an Allow Example

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name developers --action Allow --ip-address 192.168.4.1/32 --priority 200

Here is a Deny Example

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name developers --action Deny --ip-address 0.0.0.0/0 --priority 500

https://learn.microsoft.com/en-us/cli/azure/webapp/config/access-restriction?view=azure-cli-latest

Ken W - Zero Networks
  • I tried this, it does add the Rule to the list so that works fine, but the "Allow all" won't change to "Deny all", how is this possible? – muyat Jan 17 '23 at 09:12
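
A way to check a planned rule set offline before applying it, as an added example that is not part of either answer or of Azure's tooling. It assumes a simplified model: rules are evaluated from the lowest priority number upward, the first match wins, and unmatched traffic is denied once any rule exists (the behaviour the first answer describes); the rule tuples and the `evaluate` and `audit` helpers are hypothetical names.

```python
import ipaddress

# Constructed rule set mirroring the two az commands in the answer above,
# as (priority, action, CIDR). 192.168.4.1 is the answer's sample address.
RULES = [
    (500, "Deny", "0.0.0.0/0"),
    (200, "Allow", "192.168.4.1/32"),
]

def evaluate(rules, client_ip):
    """Simplified model: lowest priority number first, first match wins."""
    if not rules:
        return "Allow"  # assumption: no rules means unrestricted
    ip = ipaddress.ip_address(client_ip)
    for _prio, action, cidr in sorted(rules, key=lambda r: r[0]):
        # ip_network() rejects CIDRs with host bits set, e.g. 192.168.4.1/24
        if ip in ipaddress.ip_network(cidr):
            return action
    return "Deny"  # assumption: implicit deny once any rule exists

def audit(rules, intended_cidrs):
    """Report rules that never match or that admit more than intended."""
    intended = [ipaddress.ip_network(c) for c in intended_cidrs]
    findings, earlier = [], []
    for prio, action, cidr in sorted(rules, key=lambda r: r[0]):
        net = ipaddress.ip_network(cidr)
        inside = lambda nets: any(
            net.version == n.version and net.subnet_of(n) for n in nets)
        if inside(earlier):
            findings.append(f"priority {prio}: {action} {cidr} is shadowed")
        elif action == "Allow" and not inside(intended):
            findings.append(f"priority {prio}: Allow {cidr} is too wide")
        earlier.append(net)
    return findings

if __name__ == "__main__":
    for addr in ("192.168.4.1", "203.0.113.7"):  # second one is a test address
        print(addr, evaluate(RULES, addr))
    print(audit(RULES, ["192.168.4.1/32"]))
```

A "shadowed" finding means an earlier rule already covers that range, which is what happens if the 0.0.0.0/0 Deny is given a lower priority number than the Allow rule.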