Configure Azure App Service IP Restrictions using PowerShell

IP Restrictions is a feature I recently started using a lot. It allows me to define a list of IP addresses that are allowed or denied access to my App Service. Both IPv4 and IPv6 addresses can be used.

At the moment there is no Azure CLI or PowerShell cmdlet available to set the IP Restrictions programmatically, but the values can be set manually with a PUT operation on the app configuration in Resource Manager (a REST request) or by using the Set-AzureRmResource cmdlet.

Until an Azure cmdlet becomes available to set an IP Restriction rule, you can use my Add-AzureIpRestrictionRule cmdlet:

function Add-AzureIpRestrictionRule
{
    [CmdletBinding()]
    param
    (
        # Name of the resource group that contains the App Service.
        [Parameter(Mandatory=$true, Position=0)]
        [string]$ResourceGroupName,

        # Name of your Web or API App.
        [Parameter(Mandatory=$true, Position=1)]
        [string]$AppServiceName,

        # Rule to add (object with ipAddress, action, priority, name, description).
        [Parameter(Mandatory=$true, Position=2)]
        [PSCustomObject]$rule
    )

    # Look up the API versions the Microsoft.Web/sites resource type supports;
    # the provider lists the newest version first.
    $ApiVersions = Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web |
        Select-Object -ExpandProperty ResourceTypes |
        Where-Object ResourceTypeName -eq 'sites' |
        Select-Object -ExpandProperty ApiVersions

    $LatestApiVersion = $ApiVersions[0]

    # Read the current site configuration, which carries the ipSecurityRestrictions list.
    $WebAppConfig = Get-AzureRmResource -ResourceType 'Microsoft.Web/sites/config' -ResourceName $AppServiceName -ResourceGroupName $ResourceGroupName -ApiVersion $LatestApiVersion

    # Append the new rule and de-duplicate by rule name, keeping the last (newest) entry
    # so re-running with the same name replaces the old rule instead of adding a twin.
    # Wrapped in @() so a single remaining rule is still sent as an array.
    $WebAppConfig.Properties.ipSecurityRestrictions = @(
        $WebAppConfig.Properties.ipSecurityRestrictions + @($rule) |
            Group-Object name |
            ForEach-Object { $_.Group | Select-Object -Last 1 }
    )

    # Write the modified configuration back (PUT on the config resource).
    Set-AzureRmResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion $LatestApiVersion -Force
}

Add your current IP

Usually, I want to add my current IP address to the list of allowed IPs whenever I work outside my company. I use a script where I only have to specify the Subscription Id, the App Service name and the Resource Group:

$SubscriptionId = '' 
$AppServiceName = ''
$ResourceGroupName = ''

I use the following piece of code to save my Azure login context so I don’t have to enter my credentials each time I use the script:

$ctxPath = Join-Path $env:APPDATA 'azure.ctx'

# First run: sign in interactively and save the context. The saved file contains
# the access and refresh tokens of the account, so keep it protected like a credential.
if (-not (Test-Path $ctxPath))
{
    Login-AzureRmAccount | Out-Null
    Save-AzureRmContext -Path $ctxPath -Force
}
Import-AzureRmContext -Path $ctxPath | Out-Null
Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

To determine my current IP address I use:

# Trim() removes the trailing newline most "what is my IP" endpoints return,
# which would otherwise end up inside the ipAddress value.
$clientIp = (Invoke-WebRequest '' | Select-Object -ExpandProperty Content).Trim()

Finally I add the rule using the Add-AzureIpRestrictionRule cmdlet from above. For the rule name I concatenate my computer name with my user name (e.g. WD023\mbr):

$rule = [PSCustomObject]@{
    ipAddress = "$($clientIp)/32"
    action = "Allow"
    priority = 123
    name = '{0}_{1}' -f $env:computername, $env:USERNAME
    description = "Automatically added ip restriction"
}

Add-AzureIpRestrictionRule -ResourceGroupName $ResourceGroupName -AppServiceName $AppServiceName -rule $rule
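Every run from a new location leaves another Allow entry behind, so the natural counterpart is a cmdlet that removes a rule by name once you are back in the office. The following is an added example, not code from the original post or its GitHub repository; it mirrors the Get-/Set-AzureRmResource pattern of Add-AzureIpRestrictionRule, assumes the AzureRM module and an imported context, and returns the rules that remain so the allow list can be reviewed.

```powershell
function Remove-AzureIpRestrictionRule
{
    [CmdletBinding(SupportsShouldProcess=$true)]
    param
    (
        # Name of the resource group that contains the App Service.
        [Parameter(Mandatory=$true, Position=0)]
        [string]$ResourceGroupName,

        # Name of your Web or API App.
        [Parameter(Mandatory=$true, Position=1)]
        [string]$AppServiceName,

        # Name of the rule to remove (e.g. the computername_username value built above).
        [Parameter(Mandatory=$true, Position=2)]
        [string]$RuleName
    )

    # Same API version lookup as Add-AzureIpRestrictionRule: newest version is listed first.
    $LatestApiVersion = Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web |
        Select-Object -ExpandProperty ResourceTypes |
        Where-Object ResourceTypeName -eq 'sites' |
        Select-Object -ExpandProperty ApiVersions |
        Select-Object -First 1

    $WebAppConfig = Get-AzureRmResource -ResourceType 'Microsoft.Web/sites/config' -ResourceName $AppServiceName -ResourceGroupName $ResourceGroupName -ApiVersion $LatestApiVersion

    # Normalise to arrays (an empty list may come back as $null) and drop the named rule.
    $existing  = @($WebAppConfig.Properties.ipSecurityRestrictions | Where-Object { $_ })
    $remaining = @($existing | Where-Object { $_.name -ne $RuleName })

    if ($remaining.Count -eq $existing.Count)
    {
        Write-Warning "No IP restriction rule named '$RuleName' found on $AppServiceName."
        return $remaining
    }

    # Honour -WhatIf / -Confirm before touching the live configuration.
    if ($PSCmdlet.ShouldProcess($AppServiceName, "Remove IP restriction rule '$RuleName'"))
    {
        # An empty array is written back on purpose: it clears the last rule instead of leaving it.
        $WebAppConfig.Properties.ipSecurityRestrictions = $remaining
        Set-AzureRmResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion $LatestApiVersion -Force | Out-Null
    }

    # Return what is still configured so the caller can check the allow list.
    $remaining
}
```

Called as Remove-AzureIpRestrictionRule $ResourceGroupName $AppServiceName $rule.name, it withdraws the entry added by the script above; with -WhatIf it only reports what would be removed.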

This is how the result looks:

The whole script can be found in my GitHub repository.
