This article is divided into three parts:
- Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal - We learned how to restrict access to the Azure App Service manually using the Azure Portal.
- Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell - We learned how to leverage PowerShell scripting to dynamically do bulk insertion of IP Addresses for configuring access restrictions for the Azure App Service.
- Azure DevOps – Automate Bulk IP Address Restriction of Azure App Service dynamically using PowerShell & Azure DevOps Pipeline - We will learn how to automate the process of Access Restriction every time there is a change in the list of IP addresses using Azure DevOps Pipelines.
Prerequisites
- Azure Subscription
- Azure App Service
- PowerShell Core
- Azure PowerShell
- Visual Studio Code
Introduction
In the Add Access Restriction blade, you can provide the following values to create a new Allow/Deny rule.
| Parameter | Description |
|---|---|
| Name | The name of the rule. |
| Action | Allow – selecting this option will let the user access the App Service from the given IP Address (in the IP Address Block). Deny – selecting this option will NOT let the user access the App Service from the given IP Address (in the IP Address Block). |
| Priority | The priority given to this rule. |
| Type | Select IPV4 (more on this below) |
| IP Address Block | Provide the IP Address Range. If you would like to mention only one IP Address, then provide it in this format: 1.1.1.1/32 |
When we did that, the rules were created and stored inside the ipSecurityRestrictions array of the Azure App Service Properties. We can review those Properties using the resources.azure.com website as shown below,
Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – Resources
If you would like to add multiple IP Addresses in a single shot, then it is preferable to add those multiple IP Addresses to this array.
In this article, we are going to get the reference of these config properties, modify the ipSecurityRestrictions array and update the App Service Properties.
Below is the logic that we are going to implement in this article using PowerShell.
Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – Flow Chart
Let’s create a new file that contains all the IP Addresses that we would like to Allow / Block. I have created a file named IPAddresses.txt. It’s a comma-separated file as shown below,
Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – IPAddresses File
Create a new PowerShell file named ReadIPAddresses.ps1 in Visual Studio Code with the code below:

```powershell
Param(
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string] $WebAppName,
    [Parameter(Mandatory = $true)]
    [string] $IPAddressSourceFileName)

# Step 1 - Get all IP addresses from the file (trim each line, then parse as CSV)
$SourceIPAddresses = (Get-Content $IPAddressSourceFileName).Trim() | ConvertFrom-Csv

# Step 2 - Get all existing IP addresses from the config of the App Service
$APIVersion = ((Get-AzResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
$config = (Get-AzResource -ResourceType Microsoft.Web/sites/config -Name $WebAppName -ResourceGroupName $ResourceGroupName -ApiVersion $APIVersion)

# Step 3 - Prepare the new IP addresses list from the file and collect all the
# new ones into the ipSecurityRestrictions collection
foreach ($item in $SourceIPAddresses) {
    # Look for an existing rule with the same IP address block
    $Rule = $config.Properties.ipSecurityRestrictions | Where-Object {
        $_.ipAddress -eq $item.IPAddress
    }
    if ($null -ne $Rule) {
        # Already configured: leave the existing rule untouched
        Write-Host -ForegroundColor Green 'No Action on the IP:' $item.ipAddress
    } else {
        $config.Properties.ipSecurityRestrictions += $item
    }
}

# Step 4 - Finally update the new IP addresses to the Azure App Service
Set-AzResource -ResourceId $config.ResourceId -Properties $config.Properties -ApiVersion $APIVersion -Force
```
In order to run the above script from Visual Studio Code, navigate to the Terminal and run the below command:

```powershell
.\ReadIPAddresses.ps1 azdevops-rg-eus-dev azuredevops-wapp1-eus-dev IPAddresses.txt
```
Once you run the above command, you would see the output as shown below,
Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – Output
Finally, all the IP Addresses will be added to the Access Restrictions blade as shown below,
Azure DevOps – Bulk IP Address Restriction of Azure App Service dynamically using PowerShell – Final Access Restrictions
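The Step 3 merge in the script appends each CSV row to ipSecurityRestrictions as-is and skips only exact ipAddress matches. The following added example (not part of the original article's script) validates rows before they are merged; the CSV column names (ipAddress, action, priority, name) and the function name Merge-IpRestriction are assumptions, and the sample addresses are constructed.

```powershell
# Added example, not the article's script. Assumed CSV columns: ipAddress, action, priority, name.
function Merge-IpRestriction {
    param([object[]] $Existing, [object[]] $Incoming)
    $merged   = @($Existing | Where-Object { $_ })   # current ipSecurityRestrictions entries
    $rejected = @()
    foreach ($row in $Incoming) {
        $addr, $prefix = "$($row.ipAddress)".Trim() -split '/', 2
        $ip = $null; $reason = $null
        # Round-tripping through ToString() rejects short forms ("1.1") and leading zeros.
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref] $ip) -or
            $ip.AddressFamily -ne 'InterNetwork' -or $ip.ToString() -ne $addr) {
            $reason = 'not a canonical IPv4 address'
        } elseif ($prefix -notmatch '^\d{1,2}$' -or [int] $prefix -gt 32) {
            $reason = 'missing or invalid /prefix (use /32 for a single address)'
        } elseif ($row.action -notin 'Allow', 'Deny') {
            $reason = 'action must be Allow or Deny'
        } elseif ($row.action -eq 'Allow' -and [int] $prefix -eq 0) {
            $reason = 'Allow on /0 admits every address'
        } elseif ($row.priority -notmatch '^\d+$') {
            $reason = 'priority must be an integer'
        } elseif ($merged.ipAddress -contains "$addr/$prefix") {
            $reason = 'already present'
        }
        if ($reason) {
            $rejected += [pscustomobject]@{ ipAddress = $row.ipAddress; reason = $reason }
        } else {
            # Store a normalized rule; priority is cast so it is sent as a number.
            $merged += [pscustomobject]@{ ipAddress = "$addr/$prefix"; action = $row.action
                                          priority = [int] $row.priority; name = $row.name }
        }
    }
    [pscustomobject]@{ Rules = $merged; Rejected = $rejected }
}

# Constructed sample data (documentation address ranges), standing in for the
# App Service config and the CSV file.
$existing = @([pscustomobject]@{ ipAddress = '203.0.113.10/32'; action = 'Allow'; priority = 100; name = 'office' })
$rows = @'
ipAddress,action,priority,name
203.0.113.10/32,Allow,100,office
198.51.100.0/24,Allow,110,vpn
0.0.0.0/0,Allow,120,paste-error
192.0.2.7,Deny,130,no-prefix
'@ | ConvertFrom-Csv
$result = Merge-IpRestriction -Existing $existing -Incoming $rows
$result.Rejected | Format-Table -AutoSize
```

To use it with the script, assign `$result.Rules` to `$config.Properties.ipSecurityRestrictions` before the Step 4 `Set-AzResource` call, and review `$result.Rejected` before applying.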
That’s it. We have learned how to add the rules using PowerShell from your local machine. In the next article, we will learn how to automatically run this using Azure DevOps pipelines.