CODEWITHSUNDEEP
azurecloudfirewallazure-web-app-serviceinternal
Frank Visaggio
Frank Visaggio

Reputation: 3712

Ways to restrict Azure Website / WebApp to only be view-able internally on a vnet

So heres the two approaches I noticed. Is there any other way that I am missing and is there a favored approach? Pretty much I have a webAPI that i want to run as a webAPP and I am trying to figure out the best way to keep it internal only

One way that seems somewhat involved is the following

https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/

the second way I noticed is the following

http://www.microsofttrends.com/2014/09/30/add-a-firewall-to-your-microsoft-azure-web-site/

The latter looks quicker I am just wondering if there's a preferred way to go about this or a newer more standard way to do this?

update

As of 7/23/2015 this is not possible but the closest solution is the accepted answer. One would have to whitelist all of the public IP addresses inside of their vnets. The reason you cant specify the range of addresses in the Azure vnet is because azure websites currently run on the public internet and they have no concept of the vnet ranges. Thus they cannot see the private ip address ranges that vnets create so you cant specify them in the web.config. http://azure.microsoft.com/blog/2015/04/29/introducing-app-service-environment/ may solve this in the future

Upvotes: 2

Views: 4252

Answers (1)

Bruno Faria
Bruno Faria

Reputation: 5272

How about a simple ip security rule in web.config?

<system.webServer>   
  <security> 
    <ipSecurity allowUnlisted="false" denyAction="NotFound"> 
      <add allowed="true" ipAddress="192.168.1.0" subnetMask="255.255.255.0"/> 
    </ipSecurity> 
  </security>    
</system.webServer>

Just replace ipAddress and subnetMask to your VNet setup. You may also need to connect your web app to vnet first.

https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/

Upvotes: 4

Related Questions