@kenmuse
Created August 28, 2020 23:06
Azure App Service - Restrict Access to Azure Front Door
# Fill in the name of the app service and the resource group containing the service
$appServiceName = ''
$resourceGroupName = ''

###################

# Note: the AzureFrontDoor.Backend service tag covers the backend addresses of every
# Front Door instance, not only your own, so these rules limit traffic to Front Door
# in general rather than to one specific profile.

# Current API version for calls.
$apiVersion = '2019-08-01'

# Starting priority number. Rules with a priority from $priority to $priority + 999
# are treated as managed by this script and are replaced on every run.
$priority = 1000

# Gather the current AzureFrontDoor.Backend address prefixes from the service tag list
$addresses = (Get-AzNetworkServiceTag -Location eastus2).
    Values.
    Where({ $_.Name -eq 'AzureFrontDoor.Backend' }).
    Properties.
    AddressPrefixes

# Retrieve the current web site configuration
$config = Get-AzResource -ResourceName $appServiceName -ResourceType Microsoft.Web/sites/config -ResourceGroupName $resourceGroupName -ApiVersion $apiVersion

# Filter out the automatically added rules and leave any custom rules
$rules = $config.
    Properties.
    ipSecurityRestrictions.
    Where({ -not ($_.priority -ge $priority -and $_.priority -le ($priority + 999)) })

# Add the Azure Infrastructure services to the rules
# 168.63.129.16 is the Azure platform virtual IP (health probes, DNS, DHCP)
$rules += New-Object PSObject -Property @{
    ipAddress   = '168.63.129.16/32'
    action      = "Allow"
    priority    = $priority
    name        = "Azure Infrastructure $priority"
    description = "Automatically added address"
}
$priority++

# 169.254.169.254 is the Azure Instance Metadata Service endpoint
$rules += New-Object PSObject -Property @{
    ipAddress   = '169.254.169.254/32'
    action      = "Allow"
    priority    = $priority
    name        = "Azure Infrastructure $priority"
    description = "Automatically added address"
}
$priority++

# Add the FrontDoor.BackEnd IP addresses, one Allow rule per prefix
foreach ($address in $addresses) {
    $rules += New-Object PSObject -Property @{
        ipAddress   = $address
        action      = "Allow"
        priority    = $priority
        name        = "FrontDoor.Backend $priority"
        description = "Automatically added address"
    }
    $priority++
}

# Update the configuration
$config.Properties.ipSecurityRestrictions = $rules

# Send the updated configuration to Azure
Set-AzResource -ResourceId $config.ResourceId -Properties $config.Properties -ApiVersion $apiVersion -Force
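
To check a site after the script has run, the rules read back from `ipSecurityRestrictions` can be compared with the prefixes the service tag currently publishes. The following is an added example, not part of the original gist; `Compare-FrontDoorRestriction` and the sample rules and prefixes are hypothetical and constructed for illustration.

```powershell
# Added example (not from the original gist). The function name is hypothetical.
function Compare-FrontDoorRestriction {
    param(
        [object[]] $Rules,             # ipSecurityRestrictions entries read back from the site config
        [string[]] $ExpectedPrefixes,  # service tag prefixes plus the two infrastructure addresses
        [int] $BasePriority = 1000     # same managed range as the script: 1000..1999
    )
    $last    = $BasePriority + 999
    $managed = @($Rules | Where-Object { $_.priority -ge $BasePriority -and $_.priority -le $last })
    $custom  = @($Rules | Where-Object { $_.priority -lt $BasePriority -or $_.priority -gt $last })
    $open    = @('Any', '0.0.0.0/0', '::/0')  # values treated as "open to everyone" in this example

    [pscustomobject]@{
        # Prefixes that are expected but that no managed rule allows (Front Door traffic would be blocked)
        Missing   = @($ExpectedPrefixes | Where-Object { $_ -notin $managed.ipAddress })
        # Managed rules whose prefix is no longer expected (access that should be withdrawn)
        Stale     = @($managed | Where-Object { $_.ipAddress -notin $ExpectedPrefixes } |
                        ForEach-Object { $_.ipAddress })
        # Custom Allow rules open to everyone, which make the Front Door rules irrelevant
        OpenAllow = @($custom | Where-Object { $_.action -eq 'Allow' -and $_.ipAddress -in $open } |
                        ForEach-Object { $_.name })
    }
}

# Constructed sample data: documentation-range prefixes stand in for real service tag values.
$expected = @('168.63.129.16/32', '169.254.169.254/32', '192.0.2.0/24', '198.51.100.0/24')
$sampleRules = @(
    [pscustomobject]@{ name = 'Office';                    ipAddress = '203.0.113.10/32';    action = 'Allow'; priority = 100 }
    [pscustomobject]@{ name = 'Allow all';                 ipAddress = 'Any';                action = 'Allow'; priority = 200 }
    [pscustomobject]@{ name = 'Azure Infrastructure 1000'; ipAddress = '168.63.129.16/32';   action = 'Allow'; priority = 1000 }
    [pscustomobject]@{ name = 'Azure Infrastructure 1001'; ipAddress = '169.254.169.254/32'; action = 'Allow'; priority = 1001 }
    [pscustomobject]@{ name = 'FrontDoor.Backend 1002';    ipAddress = '192.0.2.0/24';       action = 'Allow'; priority = 1002 }
    [pscustomobject]@{ name = 'FrontDoor.Backend 1003';    ipAddress = '203.0.113.128/25';   action = 'Allow'; priority = 1003 }
)

$report = Compare-FrontDoorRestriction -Rules $sampleRules -ExpectedPrefixes $expected
$report | Format-List
```

Against a real site, `-Rules` would be `$config.Properties.ipSecurityRestrictions` and `-ExpectedPrefixes` would be `$addresses` plus the two infrastructure addresses from the script.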