Azure App Service - Restrict Access to Azure Front Door
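# Restricts inbound access on an Azure App Service to the published
# AzureFrontDoor.Backend address prefixes plus two Azure infrastructure
# addresses, by rewriting the site's ipSecurityRestrictions list.
#
# Security caveat: the AzureFrontDoor.Backend prefixes are shared by every
# Front Door profile, not only your own. An IP allow-list alone therefore still
# admits traffic relayed through Front Door instances owned by other tenants.
# Pair these rules with a check of the X-Azure-FDID request header against your
# own Front Door ID (<YOUR_FRONT_DOOR_ID>), either in the application or through
# a header-filtered access restriction rule.
#
# The published prefixes change over time, so re-run this script periodically.

# Fill in the name of the app service and the resource group containing the service
$appServiceName = ''
$resourceGroupName = ''

###################

# Stop before touching anything if the placeholders above were left empty.
if ([string]::IsNullOrWhiteSpace($appServiceName) -or [string]::IsNullOrWhiteSpace($resourceGroupName)) {
    throw 'Set $appServiceName and $resourceGroupName before running this script.'
}

# Current API version for calls.
$apiVersion = '2019-08-01'

# Starting priority number. Rules with a priority in [$priority, $priority + 999]
# are treated as owned by this script and are replaced on every run.
$priority = 1000;
$managedRangeSize = 1000

# Gather the addresses.
# NOTE(review): -Location is believed to select the reference region for the
# service tag listing rather than to filter the prefixes by region - confirm.
$frontDoorTag = (Get-AzNetworkServiceTag -Location eastus2).Values |
    Where-Object { $_.Name -eq 'AzureFrontDoor.Backend' }
$addresses = @($frontDoorTag.Properties.AddressPrefixes | Where-Object { $_ })

# Fail closed on a bad lookup: writing the rule set without any Front Door
# prefixes would remove the previously managed entries and cut off Front Door.
if ($addresses.Count -eq 0) {
    throw 'No address prefixes returned for the AzureFrontDoor.Backend service tag; configuration left unchanged.'
}

# The two infrastructure rules plus the Front Door prefixes must fit inside the
# managed priority range, otherwise a later run would not recognise (and would
# never remove) the overflowing entries.
if (($addresses.Count + 2) -gt $managedRangeSize) {
    throw "Too many rules ($($addresses.Count + 2)) for the managed priority range of $managedRangeSize."
}

# Retrieve the current web site configuration
$config = Get-AzResource -ResourceName $appServiceName -ResourceType Microsoft.Web/sites/config -ResourceGroupName $resourceGroupName -ApiVersion $apiVersion
if (-not $config) {
    throw "Could not read the site configuration for '$appServiceName' in resource group '$resourceGroupName'."
}

# Filter out the automatically added rules and leave any custom rules.
# The leading "$_ -and" drops the single $null that the pipeline emits when the
# site has no restriction list yet.
$rules = @(
    $config.Properties.ipSecurityRestrictions |
        Where-Object { $_ -and -not ($_.priority -ge $priority -and $_.priority -le ($priority + 999)) }
)

# Add the Azure Infrastructure services to the rules
# (168.63.129.16 is the Azure platform virtual IP, 169.254.169.254 the
# instance metadata endpoint).
foreach ($infraAddress in '168.63.129.16/32', '169.254.169.254/32') {
    $rules += New-Object PSObject -Property @{
        ipAddress   = $infraAddress
        action      = "Allow"
        priority    = $priority
        name        = "Azure Infrastructure $priority"
        description = "Automatically added address"
    }
    $priority++;
}

# Add the FrontDoor.BackEnd IP addresses
foreach ($address in $addresses) {
    $rules += New-Object PSObject -Property @{
        ipAddress   = $address
        action      = "Allow"
        priority    = $priority
        name        = "FrontDoor.Backend $priority"
        description = "Automatically added address"
    }
    $priority++;
}

# Update the configuration
$config.Properties.ipSecurityRestrictions = $rules

# Send the updated configuration to Azure.
# -Force suppresses the confirmation prompt, so the change is applied immediately.
# Afterwards, review the effective access restrictions on the site to confirm
# that no broader allow rule among the retained custom rules undermines the
# lock-down.
Set-AzResource -ResourceId $config.ResourceId -Properties $config.Properties -ApiVersion $apiVersion -Force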