Skip to content

Instantly share code, notes, and snippets.

@Swimburger
Last active August 3, 2023 15:27
Show Gist options
  • Star 13 You must be signed in to star a gist
  • Fork 4 You must be signed in to fork a gist
  • Save Swimburger/b2d58bff38156b73a5417b7f818fc5be to your computer and use it in GitHub Desktop.
Save Swimburger/b2d58bff38156b73a5417b7f818fc5be to your computer and use it in GitHub Desktop.
PowerShell scripts to bulk add IP ranges to Restricted Access feature of Azure App Service, learn more at https://swimburger.net/blog/azure/bulk-add-application-insights-availability-test-ips-to-azure-app-service-access-restrictions-using-az-powershell
Param(
[Parameter(Mandatory = $true)]
[string] $ResourceGroupName,
[Parameter(Mandatory = $true)]
[string] $AppServiceName,
[Parameter(Mandatory = $true)]
[string] $SubscriptionId,
[Parameter(Mandatory = $true)]
[string] $RulePriority
)
$ErrorActionPreference = "Stop"
$AvailabilityTestIpsFile = Get-Content "$PSScriptRoot/AvailabilityTestIps.txt"
$AvailabilityTestIpsLines = $AvailabilityTestIpsFile -split '\r?\n|\r'
$IsHeader = $True
$CurrentGroup = $Null;
$NewIpRestrictions = @();
ForEach($Line in $AvailabilityTestIpsLines){
if($IsHeader){
$CurrentGroup = $Line;
$IsHeader = $False
continue
}
if([System.String]::IsNullOrEmpty($Line)){
$IsHeader = $True #next line will be header
continue
}
$Ip = $Null
if($Line.Contains("/")){
$Ip = $Line;
}else{
$Ip = "$Line/32";
}
$NewIpRestrictions += @{
ipAddress = $Ip;
action = "Allow";
priority = $RulePriority;
name = "Av IP $CurrentGroup";
description = "Availability Test IP $CurrentGroup";
tag = "Default";
}
}
& "$PSScriptRoot\AddRestrictedIPAzureAppService.ps1" -ResourceGroupName $ResourceGroupName -AppServiceName $AppServiceName -SubscriptionId $SubscriptionId -NewIpRules $NewIpRestrictions
Param(
[Parameter(Mandatory = $true)]
[string] $ResourceGroupName,
[Parameter(Mandatory = $true)]
[string] $AppServiceName,
[Parameter(Mandatory = $true)]
[string] $SubscriptionId,
[Parameter(Mandatory = $true)]
[string] $RulePriority
)
$ErrorActionPreference = "Stop"
$IPv4s = (Invoke-WebRequest -Uri "https://www.cloudflare.com/ips-v4").Content -split '\r?\n|\r';
$IPv6s = (Invoke-WebRequest -Uri "https://www.cloudflare.com/ips-v6").Content -split '\r?\n|\r';
$NewIpRestrictions = @();
foreach($IPv4 in $IPv4s){
$NewIpRestrictions += @{
ipAddress = $IPv4;
action = "Allow";
priority = $RulePriority;
name = "Cloudflare IPv4";
description = "Cloudflare IPv4";
tag = "Default";
}
}
foreach($IPv6 in $IPv6s){
$NewIpRestrictions += @{
ipAddress = $IPv6;
action = "Allow";
priority = $RulePriority;
name = "Cloudflare IPv6";
description = "Cloudflare IPv6";
tag = "Default";
}
}
& "$PSScriptRoot\AddRestrictedIPAzureAppService.ps1" -ResourceGroupName $ResourceGroupName -AppServiceName $AppServiceName -SubscriptionId $SubscriptionId -NewIpRules $NewIpRestrictions
Param(
[Parameter(Mandatory = $true)]
[string] $ResourceGroupName,
[Parameter(Mandatory = $true)]
[string] $AppServiceName,
[Parameter(Mandatory = $true)]
[string] $SubscriptionId,
[Parameter(Mandatory = $true)]
[Hashtable[]] $NewIpRules
)
$ErrorActionPreference = "Stop"
Import-Module Az
if($Null -eq (Get-AzContext)){
Login-AzAccount
}
Select-AzSubscription -SubscriptionId $SubscriptionId
$APIVersion = ((Get-AzResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
$WebAppConfig = Get-AzResource -ResourceName $AppServiceName -ResourceType Microsoft.Web/sites/config -ResourceGroupName $ResourceGroupName -ApiVersion $APIVersion
foreach ($NewIpRule in $NewIpRules) {
$WebAppConfig.Properties.ipSecurityRestrictions += $NewIpRule
}
Set-AzResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion $APIVersion
Australia East
20.40.124.176/28
20.40.124.240/28
20.40.125.80/28
Brazil South
191.233.26.176/28
191.233.26.128/28
191.233.26.64/28
France Central - South
20.40.129.96/28
20.40.129.112/28
20.40.129.128/28
20.40.129.144/28
France Central
20.40.129.32/28
20.40.129.48/28
20.40.129.64/28
20.40.129.80/28
East Asia
52.229.216.48/28
52.229.216.64/28
52.229.216.80/28
North Europe
52.158.28.64/28
52.158.28.80/28
52.158.28.96/28
52.158.28.112/28
Japan East
52.140.232.160/28
52.140.232.176/28
52.140.232.192/28
West Europe
51.144.56.96/28
51.144.56.112/28
51.144.56.128/28
51.144.56.144/28
51.144.56.160/28
51.144.56.176/28
UK South
51.105.9.128/28
51.105.9.144/28
51.105.9.160/28
UK West
20.40.104.96/28
20.40.104.112/28
20.40.104.128/28
20.40.104.144/28
Southeast Asia
52.139.250.96/28
52.139.250.112/28
52.139.250.128/28
52.139.250.144/28
West US
40.91.82.48/28
40.91.82.64/28
40.91.82.80/28
40.91.82.96/28
40.91.82.112/28
40.91.82.128/28
Central US
13.86.97.224/28
13.86.97.240/28
13.86.98.48/28
13.86.98.0/28
13.86.98.16/28
13.86.98.64/28
North Central US
23.100.224.16/28
23.100.224.32/28
23.100.224.48/28
23.100.224.64/28
23.100.224.80/28
23.100.224.96/28
23.100.224.112/28
23.100.225.0/28
South Central US
20.45.5.160/28
20.45.5.176/28
20.45.5.192/28
20.45.5.208/28
20.45.5.224/28
20.45.5.240/28
East US
20.42.35.32/28
20.42.35.64/28
20.42.35.80/28
20.42.35.96/28
20.42.35.112/28
20.42.35.128/28
@madshaun1984
Copy link

madshaun1984 commented Jul 30, 2021

Line 11 of "AvailabilityTestIps.txt" breaks naming rules.

Renaming this group to "France Central - South" works.

Once this was resolved this script saved me from at least an hour manually adding these IP's to Web App 2 instances! Cheers

@Swimburger
Copy link
Author

Are the parentheses illegal characters or something, is that why you had to rename it?

@madshaun1984
Copy link

Apologies, I meant to state that!

It exceeds the 32 character name limit.

@Swimburger
Copy link
Author

Thank you for letting me know. Glad it was helpful.
I updated the name in the gist, but if folks get it from the source (Azure Docs), it'll still have the 30+ character name, so follow @madshaun1984 's advice 👍

@Marko-TRG
Copy link

Great scripts, thank you! I am just getting this error with the AddCloudflareRestrictedIPApp one, something to do with the newlines perhaps?

{"Code":"BadRequest","Message":"IpSecurityRestriction.IpAddress is invalid.
| '173.245.48.0/20\n103.21.244.0/22\n103.22.200.0/22\n103.31.4.0/22\n141.101.64.0/18\n108.162.192.0/18\n190.93.240.0/20\n188.114.96.0/20\n197.234.240.0/22\n198.41.128.0/17\n162.158.0.0/15\n104.16.0.0/13\n104.24.0.0/14\n172.64.0.0/13\n131.0.72.0/22' is an invalid CIDR!","Target":null,"Details":[{"Message":"IpSecurityRestriction.IpAddress is invalid. '173.245.48.0/20\n103.21.244.0/22\n103.22.200.0/22\n103.31.4.0/22\n141.101.64.0/18\n108.162.192.0/18\n190.93.240.0/20\n188.114.96.0/20\n197.234.240.0/22\n198.41.128.0/17\n162.158.0.0/15\n104.16.0.0/13\n104.24.0.0/14\n172.64.0.0/13\n131.0.72.0/22' is an invalid CIDR!"},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"51021","MessageTemplate":"{0} is invalid. {1}","Parameters":["IpSecurityRestriction.IpAddress","'173.245.48.0/20\n103.21.244.0/22\n103.22.200.0/22\n103.31.4.0/22\n141.101.64.0/18\n108.162.192.0/18\n190.93.240.0/20\n188.114.96.0/20\n197.234.240.0/22\n198.41.128.0/17\n162.158.0.0/15\n104.16.0.0/13\n104.24.0.0/14\n172.64.0.0/13\n131.0.72.0/22' is an invalid CIDR!"],"Code":"BadRequest","Message":"IpSecurityRestriction.IpAddress is invalid. '173.245.48.0/20\n103.21.244.0/22\n103.22.200.0/22\n103.31.4.0/22\n141.101.64.0/18\n108.162.192.0/18\n190.93.240.0/20\n188.114.96.0/20\n197.234.240.0/22\n198.41.128.0/17\n162.158.0.0/15\n104.16.0.0/13\n104.24.0.0/14\n172.64.0.0/13\n131.0.72.0/22' is an invalid CIDR!"}}],"Innererror":null}

@Swimburger
Copy link
Author

@Marko-TRG , the script uses the newline character to split the CIDR's.

$IPv4s = (Invoke-WebRequest -Uri "https://www.cloudflare.com/ips-v4").Content.TrimEnd([Environment]::NewLine).Split([Environment]::NewLine);

I'm not having this issue when I run it.

What OS do you use? What version of PowerShell?

@Marko-TRG
Copy link

Ah, PS version was the issue. I was using 7.2.5 on Win11. I ran it on the same computer using PowerShell 5.1 and it worked perfectly! Thank you! 🧠

@Swimburger
Copy link
Author

@Marko-TRG, strange. It worked for me on 7.2.5 on macOS.

@Marko-TRG
Copy link

@Swimburger yes, strange. I tried with 7.2.5 in a Debian 10 shell on the same machine and it works. I guess then just my PowerShell installation is b0rked. Sorry to waste your time.

@Swimburger
Copy link
Author

@Marko-TRG It's all good, no waste of time! Glad it's working for you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment