by Henri Hietala | Azure, Security in , ,

Apply IP restrictions for Azure Cloud Service

Since Azure SDK 2.4 there’s been a possibility to configure IP restrictions for Azure Cloud Services with Access Control List (ACL).

Just add the following to your ServiceConfiguration.Cloud.cscfg.

ServiceConfiguration.Cloud.cscfg

<?xml version="1.0" encoding="utf-8"?>  
<ServiceConfiguration serviceName="MyWebRole.Azure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2014-06.2.4">  
  <Role name="MyWebRole">
    ...
  </Role>
  <NetworkConfiguration>
    <AccessControls>
      <AccessControl name="ipRestrictions">
        <Rule action="permit" description="allowed-edu" order="100" remoteSubnet="137.116.133.111/32" />
        <Rule action="permit" description="allowed-test" order="101" remoteSubnet="168.61.66.2/32" />
        <Rule action="permit" description="allowed-prod" order="102" remoteSubnet="168.61.66.131/32" />
        <Rule action="deny" description="Others" order="800" remoteSubnet="0.0.0.0/0" />
      </AccessControl>
    </AccessControls>
    <EndpointAcls>
      <EndpointAcl role="MyWebRole" endPoint="Endpoint1" accessControl="ipRestrictions" />
      <EndpointAcl role="MyWebRole" endPoint="HttpsIn" accessControl="ipRestrictions" />
    </EndpointAcls>
  </NetworkConfiguration>
</ServiceConfiguration>

Be careful with rule attributes. Your deployment will fail if you have specified the same order number or description twice or the IP address in remoteSubnet is incorrect.

 

One thought on “Apply IP restrictions for Azure Cloud Service

Leave a Reply

Your email address will not be published. Required fields are marked *