Reputation: 41
Is it possible to restrict the access to an Azure WebRole to a list of IP ranges? I saw there are a number of articles explaining how to configure the firewall for accessing an SQL Azure instance, but what about the WebRoles / WorkerRoles?
Thank you, Luc
Upvotes: 4
Views: 3592
Reputation: 3041
Since Azure SDK 2.4 there has been a possibility to use an Access Control List (ACL) to apply IP restrictions for your cloud services. I wrote a blog post on this: http://www.henrihietala.fi/apply-ip-restrictions-for-azure-cloud-service/
Just add the ACL in your ServiceConfiguration.Cloud.cscfg:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="MyWebRole.Azure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2014-06.2.4">
  <Role name="MyWebRole">
    ...
  </Role>
  <NetworkConfiguration>
    <AccessControls>
      <AccessControl name="ipRestrictions">
        <Rule action="permit" description="allowed-edu" order="100" remoteSubnet="137.133.228.111/32" />
        <Rule action="permit" description="allowed-test" order="101" remoteSubnet="168.61.66.2/32" />
        <Rule action="permit" description="allowed-prod" order="102" remoteSubnet="168.61.66.131/32" />
        <Rule action="deny" description="Others" order="800" remoteSubnet="0.0.0.0/0" />
      </AccessControl>
    </AccessControls>
    <EndpointAcls>
      <EndpointAcl role="MyWebRole" endPoint="Endpoint1" accessControl="ipRestrictions" />
      <EndpointAcl role="MyWebRole" endPoint="HttpsIn" accessControl="ipRestrictions" />
    </EndpointAcls>
  </NetworkConfiguration>
</ServiceConfiguration>
Be careful with rule attributes. Your deployment will fail if you have specified the same order number or description twice or the IP address in remoteSubnet is incorrect.
Upvotes: 2
Reputation: 1498
Microsoft provides the recipe for doing this in this May 2012 article http://msdn.microsoft.com/en-us/library/windowsazure/jj154098.aspx.
You can restrict a Windows Azure web role access to a set of specified IP addresses by modifying your IIS web.config file and creating a command file which unlocks the ipSecurity section of the ApplicationHost.config file.
Upvotes: 0
Reputation: 654
Since V1.3 of the SDK (and now V1.4), full IIS support and Startup tasks have been available to help solve this issue.
I've blogged about this http://blog.bareweb.eu/2011/04/restricting-access-by-ip-in-azure-web-role-v1-4/
You can use ipSecurity in web.config, but you must also do some work regarding installing the IPSec module into IIS.
Regards Andy
Upvotes: 2
Reputation: 33379
I have not personally done this in Azure yet, but have you tried just using the IIS7 IP security feature via the system.webServer/security/ipSecurity configuration element?
Upvotes: 1