
Restrict access to Azure Websites by whitelisting

by Mike Larah


By utilising the IP and Domain Restrictions feature in IIS (available since IIS7), it is possible to lock down your Azure Website so that it only allows access from IP addresses and domains that you have specified in a whitelist.

To allow a single IPv4 address, add the following node to your web.config:

To allow access from a domain, you must enable reverse DNS lookup:

Be aware, though, that enabling reverse DNS lookup will slow down requests and use up more resources, so it is not recommended for production sites.

It is also possible to use the IP security configuration to blacklist specific IP addresses/domains by setting the ‘allowed’ attribute to ‘false’. See the iis.net documentation for a full list of available options.
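The configuration described above, written out as an added example (it is not the article's own snippet). The IP addresses and domain are constructed placeholders from the documentation ranges, and the subnet entry goes slightly beyond the single-address case in the text.

```xml
<!-- Added example: placeholder addresses and domain, not values from the article -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" denies every client that matches no entry below,
           which is what turns the list into a whitelist (the default is "true").
           enableReverseDns="true" is needed only when domainName entries are used. -->
      <ipSecurity allowUnlisted="false" enableReverseDns="true">
        <!-- Allow a single IPv4 address (constructed placeholder) -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- Allow a whole range by adding a subnet mask (constructed placeholder) -->
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Allow by domain; this is the entry that relies on reverse DNS lookup -->
        <add domainName="example.com" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

If no domain entries are needed, drop the `domainName` line and the `enableReverseDns` attribute to avoid the lookup cost.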

Another thing to note is that if you try running the website locally with any of these configurations, you may see the following error:

“This configuration section cannot be used at this path. This happens when the section is locked at a parent level”

If you only require the whitelisting when deployed, then you can get around this by adding the configuration to the web.config.release transformation file instead of the web.config. This way the configuration will not be included when running locally in debug mode, but will automatically be added to the release configuration when deploying to Azure Websites.

@MikeLarah


About the author

Mike is a Software Engineer at endjin with 4 years experience in solving technology problems for clients. He is a certified Microsoft Cloud Platform developer, and has experience building solutions utilising much of the Azure ecosystem.