Enable IP restriction for a public facing App service
by info.odysseyx@gmail.com, October 22, 2024

This blog article covers how to use Azure Policy to control App Service deployments so that only public-facing App Services with IP restrictions enabled are allowed.

Note: the policies should give the same end-user experience whether you deploy the App Service using the Azure portal, an ARM template, or Terraform.

Policy definition

Note: the policy below applies only to the Microsoft.Web/sites resource type.

```json
{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Web/sites/publicNetworkAccess",
          "equals": "Enabled"
        },
        {
          "anyOf": [
            {
              "allOf": [
                {
                  "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictionsDefaultAction",
                  "notEquals": "Deny"
                }
              ]
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictionsDefaultAction",
                  "equals": "Deny"
                },
                {
                  "not": {
                    "count": {
                      "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*]",
                      "where": {
                        "count": {
                          "value": "[if(equals(parameters('environment'), 'prod'), parameters('allowedIPAddressesProd'), parameters('allowedIPAddressesDev'))]",
                          "name": "allowedIpAddress",
                          "where": {
                            "allOf": [
                              {
                                "value": "[if(equals(current('Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].ipAddress'), 'Any'), 'true', ipRangeContains(current('allowedIpAddress'), current('Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].ipAddress')))]",
                                "equals": true
                              }
                            ]
                          }
                        },
                        "greater": 0
                      }
                    },
                    "equals": "[length(field('Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*]'))]"
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": {
        "displayName": "Effect",
        "description": "Enables or disables policy enforcement."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "environment": {
      "type": "string",
      "metadata": {
        "displayName": "Environment",
        "description": "Select the environment whose IP restrictions should be applied."
      },
      "allowedValues": [
        "dev",
        "prod"
      ],
      "defaultValue": "prod"
    },
    "allowedIPAddressesDev": {
      "type": "array",
      "metadata": {
        "displayName": "Allowed IP addresses for dev",
        "description": "An array of the public IP addresses allowed for the development environment."
      },
      "defaultValue": [
        "203.0.113.0/24"
      ]
    },
    "allowedIPAddressesProd": {
      "type": "array",
      "metadata": {
        "displayName": "Allowed IP addresses for prod",
        "description": "An array of the public IP addresses allowed for the production environment."
      },
      "defaultValue": [
        "198.51.100.0/24",
        "203.0.113.5/32"
      ]
    }
  }
}
```

Description of the policy

The policy above does not allow the creation of public App Services unless public network access is "Disabled" or all of the following conditions are met:

- Public access is enabled from selected networks only.
- The default action is Deny.
- Only the trusted IPs for the selected environment are allowed.

The policy uses 198.51.100.0/25 and 203.0.113.5/32 as example ranges.

Note: you can add more trusted IPs; the addresses above are only examples.

Deploy using the Azure portal

When you deploy an App Service using the Azure portal, the Networking tab offers only two options: enable public access or disable public access. Keeping "Enable public access" switched on blocks the App Service creation with a policy violation error.

Since the portal only supports enabling or disabling public access for an App Service, we need a second policy that changes the setting from "public access disabled" to "public access enabled with IP restrictions" after the App Service has been deployed through the portal. That policy follows below.

Policy definition

The policy below targets Microsoft.Web/sites resources and modifies the networking settings of an App Service whenever it detects that public access is disabled for that App Service.
You cannot create an App Service with these firewall rules through the Azure portal; the setting has to be changed afterwards.

Note: the policy below automatically enables IP restrictions for App Services that were newly created through the Azure portal with public access disabled. Its existenceCondition compares minTlsVersion with 1.1; because newly created App Services default to TLS 1.2, that condition is normally false, so the deployment runs for every matching site.

```json
{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Web/sites/publicNetworkAccess",
              "exists": "false"
            },
            {
              "field": "Microsoft.Web/sites/publicNetworkAccess",
              "equals": "Disabled"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Web/sites/config",
        "evaluationDelay": "AfterProvisioningSuccess",
        "existenceCondition": {
          "field": "Microsoft.Web/sites/config/minTlsVersion",
          "equals": "1.1"
        },
        "name": "web",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": {
              "siteName": {
                "value": "[field('name')]"
              },
              "ipAddresses": {
                "value": "[parameters('ipAddresses')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "siteName": {
                  "type": "string"
                },
                "ipAddresses": {
                  "type": "array"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Web/sites/config",
                  "apiVersion": "2021-02-01",
                  "name": "[concat(parameters('siteName'), '/web')]",
                  "properties": {
                    "publicNetworkAccess": "Enabled",
                    "ipSecurityRestrictionsDefaultAction": "Deny",
                    "copy": [
                      {
                        "name": "ipSecurityRestrictions",
                        "count": "[length(parameters('ipAddresses'))]",
                        "input": {
                          "ipAddress": "[parameters('ipAddresses')[copyIndex('ipSecurityRestrictions')]]",
                          "action": "Allow",
                          "priority": "[add(100, copyIndex('ipSecurityRestrictions'))]",
                          "name": "[concat('ipRestriction_', copyIndex('ipSecurityRestrictions'))]"
                        }
                      }
                    ]
                  }
                }
              ],
              "outputs": {}
            }
          }
        }
      }
    }
  },
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": {
        "displayName": "Effect",
        "description": "Enables or disables policy enforcement."
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    },
    "ipAddresses": {
      "type": "array",
      "metadata": {
        "displayName": "IP addresses",
        "description": "A list of IP addresses that are allowed to access the web app."
      },
      "defaultValue": [
        "198.51.100.0/24"
      ]
    }
  }
}
```

Deployment using ARM templates

Deploy another App Service with IP restrictions by exporting the ARM template of an existing App Service and modifying the necessary parameters. However, the IP restriction policy does not allow the App Service to be created, and the deployment is blocked with the same error message. Looking closely at the policy rule of the IP restriction policy, it evaluates the Microsoft.Web/sites/siteConfig field, whereas the exported ARM template uses the fields below.

I tried defining all of these siteConfig attributes in Microsoft.Web/sites, similar to what Azure Policy supports, and I also tried deploying an ARM template with those resources completely removed from it.

Deployment using Terraform

Once the IP restriction policy is in effect, try deploying an App Service with IP restrictions enabled using the azurerm provider resources below.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app - Linux Function App
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app - Windows Function App

You need to use the above resources to deploy an App Service with the properties below set on the App Service. Otherwise it should be supported.

Disclaimer

Please note that the products and options featured in this article are subject to change. This document reflects custom policies for enabling IP restrictions for App Services as of October 2024.
If a user has the necessary permissions, they can create an exemption for a resource, which makes this policy ineffective for that resource. To avoid unintended disruptions and to ensure the policy meets your requirements, test it in a non-production environment before applying it to production.
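To make the count/where logic of the IP restriction policy at the top of the article concrete, here is an added Python evaluator that is not part of the article: it mirrors the rule's branches (publicNetworkAccess, default action, and the per-entry ipRangeContains check against the environment's allowed list) for a site object built from the same property names. The parameter values, the site samples and the function names are constructed for this example.

```python
import ipaddress

# Constructed parameter values, matching the defaults in the policy definition above.
POLICY_PARAMS = {
    "environment": "prod",
    "allowedIPAddressesDev": ["203.0.113.0/24"],
    "allowedIPAddressesProd": ["198.51.100.0/24", "203.0.113.5/32"],
}


def ip_range_contains(allowed: str, target: str) -> bool:
    """Local stand-in for Azure Policy's ipRangeContains(): True when `target`
    (single IP or CIDR) lies entirely inside `allowed` (single IP or CIDR)."""
    outer = ipaddress.ip_network(allowed, strict=False)
    inner = ipaddress.ip_network(target, strict=False)
    return inner.version == outer.version and inner.subnet_of(outer)


def restriction_is_trusted(restriction: dict, allowed: list) -> bool:
    """One ipSecurityRestrictions[*] entry, mirroring the inner count/where block:
    'Any' (the implicit deny-all entry) is accepted; otherwise the address must
    fall inside at least one allowed range. Entries without an ipAddress
    (VNet or service-tag rules) are treated as untrusted here."""
    addr = restriction.get("ipAddress")
    if addr == "Any":
        return True
    if not addr:
        return False
    return any(ip_range_contains(a, addr) for a in allowed)


def evaluate(site: dict, params: dict = POLICY_PARAMS) -> str:
    """Evaluate one Microsoft.Web/sites resource the way the policy rule does.
    Returns "Compliant" or "NonCompliant" (the latter is what a Deny effect blocks)."""
    # First allOf branch: the rule only applies when public network access is Enabled.
    if str(site.get("publicNetworkAccess", "")).lower() != "enabled":
        return "Compliant"
    cfg = site.get("siteConfig", {})
    # anyOf branch 1: a default action other than Deny is non-compliant outright.
    if cfg.get("ipSecurityRestrictionsDefaultAction") != "Deny":
        return "NonCompliant"
    # anyOf branch 2: every restriction entry must be trusted for the chosen environment.
    key = "allowedIPAddressesProd" if params["environment"] == "prod" else "allowedIPAddressesDev"
    restrictions = cfg.get("ipSecurityRestrictions", [])
    trusted = sum(1 for r in restrictions if restriction_is_trusted(r, params[key]))
    # The rule negates "count(trusted) == length(restrictions)"; equality means compliant.
    return "Compliant" if trusted == len(restrictions) else "NonCompliant"
```

As in the policy rule, a site whose publicNetworkAccess property is absent is not evaluated at all, which is why the DeployIfNotExists policy matches that case with an explicit "exists": "false" condition.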