Configure Azure App Service IP Restrictions using PowerShell

IP Restrictions is a feature I recently started using a lot. It allows me to define a list of IP addresses that are allowed or denied access to my app service. Both IPv4 and IPv6 addresses can be used.

At the moment there is no Azure CLI command or PowerShell cmdlet available to set the IP Restrictions programmatically, but the values can be set manually with a PUT operation on the app configuration in Resource Manager (REST request) or by using the Set-AzureRmResource cmdlet.

Until an Azure cmdlet is available to set the IP Restriction Rule, you can use my Add-AzureIpRestrictionRule cmdlet:

function Add-AzureIpRestrictionRule
{
    [CmdletBinding()]
    Param
    (
        # Name of the resource group that contains the App Service.
        [Parameter(Mandatory=$true, Position=0)]
        $ResourceGroupName, 

        # Name of your Web or API App.
        [Parameter(Mandatory=$true, Position=1)]
        $AppServiceName, 

        # rule to add.
        [Parameter(Mandatory=$true, Position=2)]
        [PSCustomObject]$rule
    )

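    # Look up the API versions the Microsoft.Web provider offers for 'sites'.
    $ApiVersions = Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web |
        Select-Object -ExpandProperty ResourceTypes |
        Where-Object ResourceTypeName -eq 'sites' |
        Select-Object -ExpandProperty ApiVersions

    # Use the first version in the list.
    $LatestApiVersion = $ApiVersions[0]

    # Read the current site configuration, including the existing IP restrictions.
    $WebAppConfig = Get-AzureRmResource -ResourceType 'Microsoft.Web/sites/config' -ResourceName $AppServiceName -ResourceGroupName $ResourceGroupName -ApiVersion $LatestApiVersion

    # Append the new rule; if a rule with the same name already exists, keep only the last one added.
    # @( ) keeps the result an array even when only a single rule remains.
    $WebAppConfig.Properties.ipSecurityRestrictions = @($WebAppConfig.Properties.ipSecurityRestrictions + @($rule) |
        Group-Object name |
        ForEach-Object { $_.Group | Select-Object -Last 1 })

    # Write the updated configuration back.
    Set-AzureRmResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion $LatestApiVersion -Force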
}

Add your current IP

Usually, I want to add my current IP address to the list of allowed IPs whenever I work outside my company. I use a script where I only have to specify the Subscription Id, the App Service name and the Resource Group:

$SubscriptionId = '' 
$AppServiceName = ''
$ResourceGroupName = ''

I use the following piece of code to save my Azure login context so I don’t have to enter my credentials each time I use the script:

$ctxPath = Join-Path $env:APPDATA 'azure.ctx'

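# Log in interactively only when no saved context exists yet.
# The saved file holds authentication information for the account; keep it readable only by your own user.
if (-not (Test-Path $ctxPath))
{
    Login-AzureRmAccount
    Save-AzureRmContext -Path $ctxPath -Force
}

# Load the saved context and select the target subscription.
Import-AzureRmContext -Path $ctxPath | Out-Null
Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null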

To determine my current IP address I use api.ipify.org:

$clientIp = Invoke-WebRequest 'https://api.ipify.org' | Select-Object -ExpandProperty Content

Finally, I add the rule using the Add-AzureIpRestrictionRule cmdlet above. For the rule name I concatenate my computer name with my username (e.g. WD023\mbr):

$rule = [PSCustomObject]@{
    ipAddress = "$($clientIp)/32"
    action = "Allow"  
    priority = 123 
    name = '{0}_{1}' -f $env:computername, $env:USERNAME 
    description = "Automatically added ip restriction"
}

Add-AzureIpRestrictionRule -ResourceGroupName $ResourceGroupName -AppServiceName $AppServiceName -rule $rule
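
The script above turns whatever api.ipify.org returns into an Allow rule with a fixed /32 suffix. As an added example (not part of the original script), the hypothetical helper New-CurrentIpRule checks that the response is a single usable public address and picks /32 or /128 by address family before the rule object is built; the sample response at the end is constructed.

```powershell
# Added example; New-CurrentIpRule is a hypothetical helper, not an Azure cmdlet.
function New-CurrentIpRule
{
    [CmdletBinding()]
    Param
    (
        # Raw response body returned by the IP lookup service.
        [Parameter(Mandatory=$true)]
        [string]$LookupResponse,
        [int]$Priority = 123
    )

    $candidate = $LookupResponse.Trim()
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$ip))
    {
        throw 'Lookup response is not an IP address.'
    }
    if ([System.Net.IPAddress]::IsLoopback($ip) -or $ip.Equals([System.Net.IPAddress]::Any) -or
        $ip.Equals([System.Net.IPAddress]::IPv6Any))
    {
        throw 'Lookup response is a loopback or unspecified address.'
    }

    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork)
    {
        # TryParse also accepts short forms such as '1.2'; require a full dotted quad.
        if ($ip.ToString() -ne $candidate) { throw 'Lookup response is not a dotted-quad IPv4 address.' }
        $b = $ip.GetAddressBytes()
        $private = ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168)
        if ($private) { throw 'Lookup response is a private address, not a public egress IP.' }
        $prefix = 32
    }
    else
    {
        $prefix = 128   # IPv6: a single host is a /128
    }

    [PSCustomObject]@{
        ipAddress   = '{0}/{1}' -f $ip, $prefix
        action      = 'Allow'
        priority    = $Priority
        name        = '{0}_{1}' -f $env:COMPUTERNAME, $env:USERNAME
        description = 'Automatically added ip restriction'
    }
}
# Constructed sample response (documentation address), so the example runs offline.
New-CurrentIpRule -LookupResponse "203.0.113.7`n"
```

In the script, pass the content returned by api.ipify.org as -LookupResponse and hand the resulting object to Add-AzureIpRestrictionRule.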

This is what the result looks like:
[Image: ipresult]

The whole script can be found in my GitHub repository.

Azure App Services: Determine supported dotnet core version

If you try to use the latest .NET Core version 2.1.3 within your Azure Web or API App, you will receive the error code 502.5.

After you enable logging, you will find an error similar to this:

It was not possible to find any compatible framework version
The specified framework 'Microsoft.AspNetCore.App', version '2.1.3' was not found.
  - Check application dependencies and target a framework version installed at:
      D:\Program Files (x86)\dotnet\
  - Installing .NET Core prerequisites might help resolve this problem:
      http://go.microsoft.com/fwlink/?LinkID=798306&clcid=0x409
  - The .NET Core framework and SDK can be installed from:
      https://aka.ms/dotnet-download
  - The following versions are installed:
      2.1.0-rc1-final at [D:\Program Files (x86)\dotnet\shared\Microsoft.AspNetCore.App]
      2.1.2 at [D:\Program Files (x86)\dotnet\shared\Microsoft.AspNetCore.App]

So one way to determine the installed dotnet core versions is to look at the error log. But you can also execute the following command within the Debug Console on the Kudu Engine (Advanced Tools in the Azure Portal):

dotnet --list-sdks

This displays the installed .NET Core runtimes:

[Image: dotnet-list-sdks]

Automatically pick the latest dotnet core version

You can avoid running into this error by omitting the Version attribute on the Microsoft.AspNetCore.App PackageReference within your project file (*.csproj):

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <Folder Include="wwwroot\" />
  </ItemGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.App"/>
  </ItemGroup>
</Project>

Now, as soon as Azure App Service gets the new 2.1.x dotnet core SDK, your app will automatically start using it.