
Allow Azure App Service IP Restriction configuration by PowerShell Script

At the moment an Azure App service has the ability to white list IP addresses through the Networking > IP Restriction blade. It would be useful if this could be configured through PowerShell.

120 votes
    Graham Williamson shared this idea

    19 comments

      • John Delisle commented

        I can't believe this is still not available.

        We want to use Azure App Service, in combination with Azure Traffic Manager. We need to restrict access to the App Service based on egress IP of our systems. We thought this was a great fit, until we realized there's no simple way to permit Azure Traffic Manager to communicate with an App Service where IP restrictions prevent general internet access.

        We found a published list of Azure Traffic Manager egress IPs used for probing, and thought "HEY! No big deal! A little PowerShell in an Azure Automation Account runbook and we can keep the rules fresh with both TM IPs and our IPs!". Apparently not.

        PowerShell, ARM, and CLI support should be available DAY 1 on any Azure feature or service.

      • Steve Burkett commented

        You probably figured it out, Ben, but if not, you'd do something like the following:

        Param(
            [string] $ResourceGroupName = "YOUR-RG",
            [string] $AppName = "YOUR-APP",
            [string] $SubscriptionId = "YOUR-SUBID"
        )

        # Turn each hashtable into a PSCustomObject carrying the property names
        # the ipSecurityRestrictions array expects
        function AddRules($rulesToAdd) {
            $rules = @()
            foreach ($item in $rulesToAdd) {
                $rule = [PSCustomObject]@{ ipAddress = $item.ipAddress ; action = $item.action ; tag = $item.tag ; priority = $item.priority ; name = $item.name ; description = $item.description }
                $rules += $rule
            }
            return $rules
        }

        # An array of hashtables; the trailing comma continues the line, so no backtick is needed.
        # priority is numeric in the API, so it is given as an integer here.
        $rulesToAdd = @(
            @{ ipAddress = "13.75.150.96/32"; action = "Allow" ; tag = "Default" ; priority = 60; name = "MicrosoftAITestSvr-AE-1"; description = "Application Insights Test Server" },
            @{ ipAddress = "13.75.153.9/32"; action = "Allow" ; tag = "Default" ; priority = 61; name = "MicrosoftAITestSvr-AE-2"; description = "Application Insights Test Server" },
            @{ ipAddress = "13.75.158.185/32"; action = "Allow" ; tag = "Default" ; priority = 62; name = "MicrosoftAITestSvr-AE-3"; description = "Application Insights Test Server" }
        )

        Login-AzureRmAccount

        Select-AzureRmSubscription -SubscriptionId $SubscriptionId

        # Use the newest API version the Microsoft.Web/sites resource type advertises
        $APIVersion = ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]

        $WebAppConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $AppName -ResourceGroupName $ResourceGroupName -ApiVersion $APIVersion)

        # This replaces the whole restriction list; any rules already on the app are dropped
        $WebAppConfig.Properties.ipSecurityRestrictions = AddRules -rulesToAdd $rulesToAdd

        # Write back the full Properties object, not only the restriction array
        Set-AzureRmResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion $APIVersion

      • Ben Ackland commented

        Has anyone been able to set the Name of the rules they create using this technique? I'm able to create all the rules I need, but the Name and Description props aren't set.

      • Ben Ackland commented

        For bulk:

        Param(
            [string] $ResourceGroupName = "YOUR-RG",
            [string] $AppName = "YOUR-APP",
            [string] $SubscriptionId = "YOUR-SUBID"
        )

        function AddRules($rulesToAdd) {
            $rules = @()
            foreach ($item in $rulesToAdd) {
                # Older schema: one object per address, with a separate subnet mask
                $rule = [PSCustomObject]@{ ipAddress = $item.ip ; subnetMask = $item.subnet }
                $rules += $rule
            }
            return $rules
        }

        Login-AzureRmAccount

        Select-AzureRmSubscription -SubscriptionId $SubscriptionId

        $WebAppConfig = Get-AzureRMResource -ResourceName $AppName -ResourceType Microsoft.Web/sites/config -ResourceGroupName $ResourceGroupName -ApiVersion 2016-08-01

        # Get your rules from somewhere (a CSV, a runbook variable, ...); one placeholder entry is shown here
        $rulesToAdd = @(
            @{ ip = "127.0.0.1" ; subnet = "255.0.0.0" }
        )

        $WebAppConfig.Properties.ipSecurityRestrictions = AddRules -rulesToAdd $rulesToAdd

        Set-AzureRmResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion 2016-08-01

      • Wesley commented

        The single IP-address PS thing works for me; how can we do a bulk import?

      • Anders Wahlqvist commented

        @Anonymous : Also try to add ".ToString()" to the ipAddress property, like this:
        $WebAppConfig.Properties.ipSecurityRestrictions = @([PSCustomObject] @{ ipAddress = '127.0.0.1'.ToString() ; subnetMask = '255.0.0.0' })

        And see if that helps.

      • Anders Wahlqvist commented

        Sorry for my late response!

        It should definitely work; we're doing it constantly using that approach without any issues, so it seems you're doing something differently. Not sure what, though, I'm afraid.

        A guess though... Are you writing back the entire config section and not only the IP restriction part? ($config.Properties basically).

        Try using ApiVersion 2016-08-01 by the way, I know that should work currently.

      • Anonymous commented

        @Anders Wahlqvist, that doesn't work, unfortunately. It all works nice and fine until you try to commit that change:

        Set-AzureRMResource : {"Code":"BadRequest","Message":"HTTP request body must not be empty.","Target":null,"Details":[{"
        Message":"HTTP request body must not be empty."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"51016","MessageT
        emplate":"HTTP request body must not be empty.","Parameters":[],"Code":"BadRequest","Message":"HTTP request body must n
        ot be empty."}}],"Innererror":null}
        At line:1 char:1
        + Set-AzureRMResource -ResourceId $config.ResourceId -Properties $confi ...
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : CloseError: (:) [Set-AzureRmResource], ErrorResponseMessageException
        + FullyQualifiedErrorId : BadRequest,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.SetAzureResou
        rceCmdlet

      • Anders Wahlqvist commented

        This has actually been possible for quite some time, maybe not completely straightforward compared to having support for it in the AzureRm.Websites cmdlets, but to give you a hint (you obviously want to change the array of IP addresses you're adding):

        $WebAppConfig = Get-AzureRMResource -ResourceName MyWebApp -ResourceType Microsoft.Web/sites/config -ResourceGroupName MyResourceGroup

        $WebAppConfig.Properties.ipSecurityRestrictions = @([PSCustomObject] @{ ipAddress = '127.0.0.1' ; subnetMask = '255.0.0.0' })

        Set-AzureRmResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion 2016-08-01
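A fuller script built on the same Get-AzureRmResource / Set-AzureRmResource approach as the snippets in this thread (Steve Burkett's, Ben Ackland's and Anders Wahlqvist's comments), added here as an example; it was not posted by any commenter. It goes beyond the single-set replacement shown above: it validates each CIDR before anything is sent, merges the desired rules into whatever is already on the app instead of overwriting the list, and writes back the whole Properties object (the point Anders raises about "writing back the entire config section"). Assumptions: the AzureRM module, API version 2016-08-01 as used in the thread, the ipAddress/action/tag/priority/name/description schema from Steve's snippet, and a rule-name prefix ('Managed-'), starting priority and sample CIDR list that are constructed for this example.

```powershell
# Added example (not from any commenter on this thread): idempotent sync of a
# named set of allow rules on an App Service via the generic resource cmdlets.
# Assumes the AzureRM module and API version 2016-08-01 (both from the thread).
Param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $AppName,
    [string] $ApiVersion = '2016-08-01'
)

# Constructed sample input. Rules this script owns carry $RulePrefix in their
# name so a later run can find and replace exactly those, and nothing else.
$RulePrefix  = 'Managed-'
$DesiredCidrs = @('13.75.150.96/32', '13.75.153.9/32')   # sample values from the thread

function Test-Cidr {
    param([string] $Cidr)
    # Accept only "a.b.c.d/nn": a parseable IPv4 address and a 0-32 prefix length
    if ($Cidr -match '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($Matches[1], [ref] $ip)) { return $false }
        if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
        return ([int] $Matches[3] -le 32)
    }
    return $false
}

function Merge-IpRestrictions {
    param(
        [object[]] $Existing,            # rules currently on the site config
        [string[]] $Cidrs,               # CIDRs that should exist under $Prefix
        [string]   $Prefix,
        [int]      $StartPriority = 100  # hypothetical starting priority for owned rules
    )
    foreach ($c in $Cidrs) {
        if (-not (Test-Cidr $c)) { throw "Invalid CIDR: $c" }
    }
    # Keep every rule we do not own (hand-made rules, explicit deny rules, ...)
    $kept = @($Existing | Where-Object { -not ($_.name -like "$Prefix*") })

    $i = 0
    $ours = @(foreach ($c in $Cidrs) {
        [PSCustomObject]@{
            ipAddress   = $c
            action      = 'Allow'
            tag         = 'Default'
            priority    = $StartPriority + $i
            name        = '{0}{1:D3}' -f $Prefix, $i
            description = "Managed rule for $c"
        }
        $i++
    })
    return @($kept + $ours)
}

# --- main ---
Login-AzureRmAccount

$config = Get-AzureRmResource -ResourceType 'Microsoft.Web/sites/config' -ResourceName $AppName `
    -ResourceGroupName $ResourceGroupName -ApiVersion $ApiVersion

# Drop null entries so an app with no restrictions yet yields an empty list
$current = @($config.Properties.ipSecurityRestrictions | Where-Object { $_ })
$merged  = Merge-IpRestrictions -Existing $current -Cidrs $DesiredCidrs -Prefix $RulePrefix

# Replace only the restriction array, then send the whole Properties object back
$config.Properties.ipSecurityRestrictions = $merged
Set-AzureRmResource -ResourceId $config.ResourceId -Properties $config.Properties -ApiVersion $ApiVersion -Force
```

Two points worth keeping in mind when running something like this from a runbook: once any allow rule exists on an App Service, every address not matched by a rule is denied, so a sync that silently drops someone else's rule is an outage rather than a hardening; keeping the rules you do not own is what makes the script safe to schedule. Set-AzureRmResource supports -WhatIf, which is a cheap way to see the call before the first real run. The Az module that replaced AzureRM later gained dedicated access-restriction cmdlets in Az.Websites, which remove the need for the generic resource round-trip shown here.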

      • Anonymous commented

        Any updates? Why can't you guys just use security groups like AWS? We have to jump through a ton of hoops just to allow Traffic Manager to probe an app service?
