Restrict access to Azure Websites by accept-listing
By utilising the IP and Domain Restrictions feature in IIS (available since IIS7), it is possible to lock down your Azure Website to only allow access to IP addresses and domains that you have specified in an accept-list.
To allow a single IPv4 address, add the following node to your web.config:
To allow access from a domain, you must enable reverse DNS lookup:
Be aware, though, that enabling reverse DNS lookup will slow down requests and use up more resources, so it is not recommended for production sites.
It is also possible to use the IP security configuration to blacklist specific IP addresses/domains by setting the 'allowed' attribute to 'false'. See the iis.net documentation for a full list of available options.
Another thing to note is that if you try running the website locally with any of these configurations, you may see the following error:
"This configuration section cannot be used at this path. This happens when the section is locked at a parent level"
If you only require the whitelisting when deployed, then you can get around this by adding the configuration to the web.config.release transformation file instead of the web.config. This way the configuration will not be included when running locally in debug mode, but will automatically be added to the release configuration when deploying to Azure Websites.
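As an added example (not part of the original post), here is a release transformation file that inserts an accept-list for a single IPv4 address only when the Release configuration is published. It assumes the base web.config already contains a `<system.webServer>` element with no `<security>` child; the address 203.0.113.10 and the domain example.com are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Release transformation file (Web.Release.config in a default
     Visual Studio project). Applied on publish, not when debugging locally. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <!-- Insert adds this element and all of its children to the
         transformed web.config (assumption: no <security> element exists yet). -->
    <security xdt:Transform="Insert">
      <!-- allowUnlisted="false" denies every client that is not matched
           by an entry below, which is what makes this an accept-list. -->
      <ipSecurity allowUnlisted="false">
        <!-- Placeholder address: replace with the client IP to allow. -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- Domain-based variant (placeholder domain). It only works if
             enableReverseDns="true" is also set on <ipSecurity>, with the
             performance cost described above:
             <add domainName="example.com" allowed="true" /> -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

After deploying, request the site from an address that is not on the list and confirm it is refused, then confirm the listed address still gets through.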