
Enable IP restriction for a public facing App service

by info.odysseyx@gmail.com



This blog post covers how to use Azure Policy to control App Service deployments so that a public-facing app service is allowed only when IP restrictions are enabled.

Note: the policies should give end users the same experience whether the app service is deployed through the Azure portal, ARM templates, or Terraform.

Policy definition

Note: the policy below applies only to the Microsoft.Web/sites resource type.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Web/sites/publicNetworkAccess",
          "equals": "Enabled"
        },
        {
          "anyOf": [
            {
              "allOf": [
                {
                  "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictionsDefaultAction",
                  "notEquals": "Deny"
                }
              ]
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictionsDefaultAction",
                  "equals": "Deny"
                },
                {
                  "not": {
                    "count": {
                      "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*]",
                      "where": {
                        "count": {
                          "value": "[if(equals(parameters('environment'), 'prod'), parameters('allowedIPAddressesProd'), parameters('allowedIPAddressesDev'))]",
                          "name": "allowedIpAddress",
                          "where": {
                            "allOf": [
                              {
                                "value": "[if(equals(current('Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].ipAddress'), 'Any'), true(), ipRangeContains(current('allowedIpAddress'), current('Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].ipAddress')))]",
                                "equals": true
                              }
                            ]
                          }
                        },
                        "greater": 0
                      }
                    },
                    "equals": "[length(field('Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*]'))]"
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": {
        "displayName": "Effect",
        "description": "Enables or disables policy enforcement."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "environment": {
      "type": "string",
      "metadata": {
        "displayName": "Environment",
        "description": "Select the environment whose IP restrictions should be applied."
      },
      "allowedValues": [
        "dev",
        "prod"
      ],
      "defaultValue": "prod"
    },
    "allowedIPAddressesDev": {
      "type": "array",
      "metadata": {
        "displayName": "Allowed IP addresses for dev",
        "description": "An array containing the public IP addresses allowed for the development environment."
      },
      "defaultValue": [
        "203.0.113.0/24"
      ]
    },
    "allowedIPAddressesProd": {
      "type": "array",
      "metadata": {
        "displayName": "Allowed IP addresses for prod",
        "description": "An array containing the public IP addresses allowed for the production environment."
      },
      "defaultValue": [
        "198.51.100.0/24",
        "203.0.113.5/32"
      ]
    }
  }
}

Policy description

The policy above does not allow a public app service to be created unless public access is Disabled or all of the following conditions are met:

  1. Public access is enabled from selected networks only.
  2. The default action for IP restrictions is Deny.
  3. Only the trusted IP ranges for the selected environment are allowed. The policy above uses 198.51.100.0/25 and 203.0.113.5/32 as examples.

    Note: you can add more trusted IPs; the addresses above are only examples.
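The policy's count/ipRangeContains logic is easier to reason about when run locally. The following is an added example, not code from the original post: a small Python evaluator that mirrors the if-block of the policy above, so an app service configuration can be checked before it is submitted. The field names follow the Azure Policy aliases used in the policy, `ip_range_contains` is a local stand-in for the policy function `ipRangeContains()`, and the sample sites are constructed.

```python
"""Local evaluator mirroring the IP-restriction policy above (added example)."""
import ipaddress

# Constructed to match the policy's default parameter values.
ALLOWED_IPS = {
    "dev": ["203.0.113.0/24"],
    "prod": ["198.51.100.0/24", "203.0.113.5/32"],
}


def ip_range_contains(allowed_range: str, candidate: str) -> bool:
    """Stand-in for Azure Policy's ipRangeContains(): true when every address
    of `candidate` (an IP or CIDR) lies inside `allowed_range`."""
    allowed = ipaddress.ip_network(allowed_range, strict=False)
    target = ipaddress.ip_network(candidate, strict=False)
    return allowed.version == target.version and target.subnet_of(allowed)


def restriction_is_trusted(restriction: dict, allowed_ranges: list) -> bool:
    """Inner `where` of the policy: an entry passes when its ipAddress is 'Any'
    (Azure's default catch-all rule uses that value) or is contained in at
    least one trusted range. Non-IP values (service tags, VNet rules) are
    treated as untrusted by this evaluator."""
    ip = restriction.get("ipAddress", "")
    if ip == "Any":
        return True
    try:
        return any(ip_range_contains(r, ip) for r in allowed_ranges)
    except ValueError:
        return False


def evaluate(site: dict, environment: str) -> str:
    """Return 'Deny' or 'Allow' for one site record, following the policy's
    if-block step by step."""
    if site.get("publicNetworkAccess") != "Enabled":
        return "Allow"  # the policy only targets publicly reachable sites
    cfg = site.get("siteConfig", {})
    if cfg.get("ipSecurityRestrictionsDefaultAction") != "Deny":
        return "Deny"  # first anyOf branch: default action is not Deny
    restrictions = cfg.get("ipSecurityRestrictions", [])
    allowed = ALLOWED_IPS[environment]
    trusted = sum(1 for r in restrictions if restriction_is_trusted(r, allowed))
    # second branch: not(count(trusted entries) == length(all entries)) -> Deny
    return "Allow" if trusted == len(restrictions) else "Deny"


def _site(access, default_action, *entries):
    return {
        "publicNetworkAccess": access,
        "siteConfig": {
            "ipSecurityRestrictionsDefaultAction": default_action,
            "ipSecurityRestrictions": list(entries),
        },
    }


DENY_ALL = {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"}

# Constructed sample sites covering the cases the policy distinguishes.
SAMPLE_SITES = {
    "prod-ok": _site("Enabled", "Deny",
                     {"ipAddress": "198.51.100.0/24", "action": "Allow", "priority": 100, "name": "office"},
                     DENY_ALL),
    "prod-untrusted-ip": _site("Enabled", "Deny",
                               {"ipAddress": "192.0.2.10/32", "action": "Allow", "priority": 100, "name": "vendor"},
                               DENY_ALL),
    "default-allow": _site("Enabled", "Allow"),
    "private": _site("Disabled", "Allow"),
}


def evaluate_samples(environment: str = "prod") -> dict:
    """Evaluate every sample site for one environment."""
    return {name: evaluate(site, environment) for name, site in SAMPLE_SITES.items()}


if __name__ == "__main__":
    for env in ("prod", "dev"):
        print(env, evaluate_samples(env))
```

Two things worth noticing from running it: an entry whose `ipAddress` is `Any` passes the policy regardless of its `action` (the policy only looks at the address, not at whether the rule is Allow or Deny), and a site with a Deny default action and an empty restriction list also passes, because zero trusted entries equals zero entries. Whether either is acceptable is a decision to make before assigning the policy with the Deny effect.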

[Screenshot: KrishnaM2265_0-1729591784255.png]

Deploy using the Azure portal

When you deploy an app service through the Azure portal, the Networking tab offers only two options: enable public access or disable public access.

[Screenshot: KrishnaM2265_1-1729591784265.png]

Leaving Enable public access set to On blocks app service creation with the following error:

[Screenshot: KrishnaM2265_2-1729591784341.png]

Since the portal only supports enabling or disabling public access for an app service, a second policy is needed that, after the app service has been deployed through the portal with public access disabled, switches it to public access with IP restrictions. The policy that performs that deployment follows.

Policy definition

The policy below targets Microsoft.Web/sites resources and, when it finds that public access is disabled on an app service, modifies the app service's networking settings. IP restrictions cannot be configured while creating an app service through the Azure portal; they have to be changed afterwards.

Note: the policy below automatically enables IP restrictions on app services that were newly created through the Azure portal with public access disabled.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Web/sites/publicNetworkAccess",
              "exists": "false"
            },
            {
              "field": "Microsoft.Web/sites/publicNetworkAccess",
              "equals": "Disabled"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Web/sites/config",
        "evaluationDelay": "AfterProvisioningSuccess",
        "existenceCondition": {
          "field": "Microsoft.Web/sites/config/minTlsVersion",
          "equals": "1.1"
        },
        "name": "web",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": {
              "siteName": {
                "value": "[field('name')]"
              },
              "ipAddresses": {
                "value": "[parameters('ipAddresses')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "siteName": {
                  "type": "string"
                },
                "ipAddresses": {
                  "type": "array"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Web/sites/config",
                  "apiVersion": "2021-02-01",
                  "name": "[concat(parameters('siteName'), '/web')]",
                  "properties": {
                    "publicNetworkAccess": "Enabled",
                    "ipSecurityRestrictionsDefaultAction": "Deny",
                    "copy": [
                      {
                        "name": "ipSecurityRestrictions",
                        "count": "[length(parameters('ipAddresses'))]",
                        "input": {
                          "ipAddress": "[parameters('ipAddresses')[copyIndex('ipSecurityRestrictions')]]",
                          "action": "Allow",
                          "priority": "[add(100, copyIndex('ipSecurityRestrictions'))]",
                          "name": "[concat('ipRestriction_', copyIndex('ipSecurityRestrictions'))]"
                        }
                      }
                    ]
                  }
                }
              ],
              "outputs": {}
            }
          }
        }
      }
    }
  },
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": {
        "displayName": "Effect",
        "description": "Enables or disables policy enforcement."
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    },
    "ipAddresses": {
      "type": "array",
      "metadata": {
        "displayName": "IP addresses",
        "description": "A list of IP addresses that are allowed to access the web app."
      },
      "defaultValue": [
        "198.51.100.0/24"
      ]
    }
  }
}
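Before assigning a DeployIfNotExists policy it helps to see exactly what it will write. The following is an added example, not code from the original post: it reproduces the two parts of the policy above in Python, the trigger in its if-block (`needs_remediation`) and the ipSecurityRestrictions array that the template's copy loop generates (`build_web_config`), plus an input check of my own (`validate_allow_list`) that the policy itself does not perform. The site records are constructed.

```python
"""Preview of what the DeployIfNotExists policy above changes (added example)."""
import ipaddress


def needs_remediation(site: dict) -> bool:
    """The policy's if-block: the resource is a Microsoft.Web/sites and its
    publicNetworkAccess is either absent or 'Disabled'."""
    if site.get("type") != "Microsoft.Web/sites":
        return False
    access = site.get("publicNetworkAccess")
    return access is None or access == "Disabled"


def validate_allow_list(ip_addresses: list) -> bool:
    """Added safety check, not part of the policy: every entry must parse as an
    IP address or CIDR, and none may be a catch-all (prefix length 0), because
    the template turns each entry into an Allow rule."""
    if not ip_addresses:
        raise ValueError("allow list is empty; the site would accept no traffic")
    for ip in ip_addresses:
        net = ipaddress.ip_network(ip, strict=False)  # ValueError if not an address
        if net.prefixlen == 0:
            raise ValueError(f"{ip} would allow every address")
    return True


def build_web_config(ip_addresses: list) -> dict:
    """Same properties the policy's ARM template writes to <site>/config/web."""
    validate_allow_list(ip_addresses)
    restrictions = [
        {
            "ipAddress": ip,                 # parameters('ipAddresses')[copyIndex(...)]
            "action": "Allow",
            "priority": 100 + index,         # add(100, copyIndex(...))
            "name": f"ipRestriction_{index}",  # concat('ipRestriction_', copyIndex(...))
        }
        for index, ip in enumerate(ip_addresses)
    ]
    return {
        "publicNetworkAccess": "Enabled",
        "ipSecurityRestrictionsDefaultAction": "Deny",
        "ipSecurityRestrictions": restrictions,
    }


def remediate(site: dict, ip_addresses: list) -> dict:
    """Return the site unchanged when the policy would not fire, otherwise a
    copy carrying the configuration the policy deployment applies."""
    if not needs_remediation(site):
        return site
    updated = dict(site)
    updated["publicNetworkAccess"] = "Enabled"
    updated["siteConfig"] = build_web_config(ip_addresses)
    return updated


if __name__ == "__main__":
    # Constructed site as the portal creates it with public access disabled.
    portal_site = {"type": "Microsoft.Web/sites", "name": "app1", "publicNetworkAccess": "Disabled"}
    print(remediate(portal_site, ["198.51.100.0/24", "203.0.113.5/32"]))
```

Note that the policy's existence condition checks `minTlsVersion` rather than the IP restriction settings, so the deployment runs only when no `web` config with `minTlsVersion` 1.1 is found; `remediate` models the trigger in the if-block only.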

Deployment using ARM templates

Next, try to deploy another app service with IP restrictions by exporting the ARM template of an existing app service and changing the necessary parameters. The IP restriction policy still does not allow the app service to be created and blocks it with the same error message.

Looking closely at the policy rule of the IP restriction policy, it evaluates the Microsoft.Web/sites/siteConfig field.

[Screenshot: KrishnaM2265_3-1729591784350.png]

The exported ARM template, however, uses the fields below.

[Screenshot: KrishnaM2265_4-1729591784364.png]

I tried defining all of these siteConfig attributes in Microsoft.Web/sites, similar to what the Azure Policy aliases support, and I also tried deploying the ARM template with those resources completely removed from it.

[Screenshot: KrishnaM2265_5-1729591784379.png]

[Screenshot: KrishnaM2265_6-1729591784393.png]

Deployment using Terraform

Once the IP restriction policy is in effect, try deploying an app service with IP restrictions enabled using the azurerm provider resources below.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app (Linux Function App)

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app (Windows Function App)

Use the resources above and set the properties shown below on the app service; with those properties set, the deployment passes the policy.

[Screenshot: KrishnaM2265_7-1729591784396.png]

[Screenshot: KrishnaM2265_8-1729591784400.png]

[Screenshot: KrishnaM2265_9-1729591784402.png]

Disclaimer

  • Please note that the products and options featured in this article are subject to change. This document reflects custom policies for enabling IP restrictions on app services as of October 2024.
  • A user with the necessary permissions can create an exemption for a resource, which makes this policy ineffective for that resource.
  • To avoid unintended disruptions and to ensure the policy meets your requirements, test it in a non-production environment before applying it to production.

References

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#…

Create policies programmatically – Azure Policy | Microsoft Learn

Troubleshoot common errors – Azure Policy | Microsoft Learn

Azure Policy overview – Azure Policy | Microsoft Learn
