
Access restriction IPGroups

Mads Damgård edited this page Oct 13, 2020 · 1 revision

Overview

Access restrictions for App Service is a feature that supports scenarios where you want to limit traffic to a web app and/or its scm (Kudu) instance to specific clients. A potential change the team is tracking is the ability to use Azure IP Groups to define restrictions. IP Groups let you define named groups of IP addresses and address ranges and reference them from multiple App Service instances and from other Azure services that support IP Groups, so one list is maintained in one place.

This feature is currently under investigation. You are welcome to send use cases and provide feedback to madsd<at>microsoft<dot>com.

Expected behavior

When an IP Group is referenced from a rule, every address and address range defined in the group is evaluated as part of that rule, with the rule's action and priority. Updates to the IP Group propagate to all access restrictions that reference it, so a client added to or removed from the group takes effect on every instance without touching the per-app rule lists.

Use cases

A valid use case would be a setup involving frontend and backend web apps, where traffic to the backend is isolated using service endpoints and frontend traffic is locked down to Azure Front Door using service tags. Developers and health-probe endpoints might still need to call these endpoints directly, and maintaining those addresses in a single IP Group referenced by every instance would remove the potential for inconsistencies across instances (a range widened on one app but not another, or an address removed from one list but forgotten on the rest).

Expected implementation

There are (at least) two possible implementations. One would be to define a new tag value, IPGroup, and specify the IP Group's resource ID in the existing ipAddress field.

{
  "properties": {
    "ipSecurityRestrictions": [
      {
        "action": "Allow",
        "ipAddress": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/ipGroups/{myIpGroup}",
        "priority": 200,
        "tag": "IPGroup"
      }
    ]
  }
}

The other option would be to add a new field, ipGroup, specifically for IP Group resource IDs, leaving ipAddress and tag untouched.

{
  "properties": {
    "ipSecurityRestrictions": [
      {
        "action": "Allow",
        "ipGroup": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/ipGroups/{myIpGroup}",
        "priority": 200
      }
    ]
  }
}
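The following is an added example, not code from this page or from the App Service team, illustrating the expected behaviour and the use case above: what the platform would have to do to expand a tag=IPGroup rule into the per-address rules it evaluates today, and the drift check you need in the meantime when the same address list is hand-maintained on several apps. The IP Group body uses the `properties.ipAddresses` list of the Microsoft.Network/ipGroups resource; the two site configurations and the addresses in them are constructed sample data (documentation ranges), and `expand_ip_group`, `check_drift` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: an IP Group as returned by the Microsoft.Network/ipGroups resource.
IP_GROUP = {
    "id": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/ipGroups/dev-and-probes",
    "properties": {"ipAddresses": ["203.0.113.0/24", "198.51.100.7", "2001:db8::/48"]},
}

# Constructed sample: the proposed rule (option 1 above) referencing the group by resource ID.
PROPOSED_RULE = {"action": "Allow", "ipAddress": IP_GROUP["id"], "priority": 200, "tag": "IPGroup"}

# Constructed sample: what two apps carry today as hand-maintained lists. The backend's "probe"
# rule has drifted to a /24, which allows far more than the single probe address in the group.
SITE_CONFIGS = {
    "frontend": [
        {"action": "Allow", "ipAddress": "203.0.113.0/24", "priority": 100, "name": "devs"},
        {"action": "Allow", "ipAddress": "198.51.100.7/32", "priority": 110, "name": "probe"},
        {"action": "Allow", "ipAddress": "AzureFrontDoor.Backend", "priority": 300, "tag": "ServiceTag"},
    ],
    "backend": [
        {"action": "Allow", "ipAddress": "203.0.113.0/24", "priority": 100, "name": "devs"},
        {"action": "Allow", "ipAddress": "198.51.100.0/24", "priority": 110, "name": "probe"},
    ],
}


def to_network(addr):
    """Parse an address or CIDR string; a bare address becomes a /32 or /128 network."""
    return ipaddress.ip_network(addr, strict=False)


def expand_ip_group(rule, groups):
    """Expand a tag=IPGroup rule into the per-address rules the platform would evaluate:
    one entry per group address, inheriting the rule's action and priority.
    A reference to an unknown group raises KeyError so the caller fails closed."""
    if rule.get("tag") != "IPGroup":
        return [rule]
    group = groups[rule["ipAddress"]]
    return [
        {"action": rule["action"], "ipAddress": str(to_network(a)),
         "priority": rule["priority"], "tag": "Default"}
        for a in group["properties"]["ipAddresses"]
    ]


def check_drift(rules, group_networks):
    """Compare one site's explicit-IP Allow rules against the IP Group's networks.
    missing: group entries no rule covers (client will be blocked on this instance)
    broader: rules that are a strict supernet of a group entry (instance allows too much)
    extra:   Allow rules unrelated to the group (review by hand)"""
    explicit = [to_network(r["ipAddress"]) for r in rules
                if r["action"] == "Allow" and r.get("tag", "Default") == "Default"]
    covered, broader, extra = set(), [], []
    for net in explicit:
        same_family = [g for g in group_networks if g.version == net.version]
        if net in same_family:
            covered.add(net)
            continue
        covers = [g for g in same_family if g.subnet_of(net)]
        if covers:
            covered.update(covers)
            broader.append(str(net))
        else:
            extra.append(str(net))
    missing = [str(g) for g in group_networks if g not in covered]
    return {"missing": missing, "broader": broader, "extra": extra}


def audit(site_configs, group):
    """Run the drift check for every site against one IP Group."""
    nets = [to_network(a) for a in group["properties"]["ipAddresses"]]
    return {site: check_drift(rules, nets) for site, rules in site_configs.items()}


if __name__ == "__main__":
    for r in expand_ip_group(PROPOSED_RULE, {IP_GROUP["id"]: IP_GROUP}):
        print("expanded:", r)
    for site, result in audit(SITE_CONFIGS, IP_GROUP).items():
        print(site, result)
```

Run against the sample data, both apps report the IPv6 range as missing (nobody added it to either list) and only the backend reports the /24 as broader than the group intends; that asymmetry is exactly the class of inconsistency a shared IP Group removes. ServiceTag and VirtualNetwork rules are skipped deliberately, since they are not address lists the group replaces.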

That's it. Happy acl'ing.
