Configuring an Azure Web Sites (WAWS) for IP and Domain Restrictions has been one of our most requested asks, and it is now finally available. IP and Domain restrictions provide an additional security option that can also be used in combination with the recently enabled dynamic IP address restriction (DIPR) feature
Developers can use IP and Domain Restrictions to control the set of IP addresses, and address ranges, that are either allowed or denied access to their websites. With Windows Azure Web Sites developers can enable/disable the feature, as well as customize its behavior, using web.config
files located in their website.
There is an overview of the IP and Domain Restrictions feature from IIS available on the IIS.Net website
. A full description of individual configuration elements and attributes is available on TechNet
The example configuration snippet below shows an ipSecurity
configuration that only allows access to addresses originating from the range specified by the combination of the ipAddress
attributes. Setting allowUnlisted
means that only those individual addresses, or address ranges, explicitly specified by a developer will be allowed to make HTTP requests to the website. Setting the allowed
attribute to true
in the child add
element indicates that the address and subnet together define an address range that is allowed to access the website.
If a request is made to a website from an address outside of the allowed IP address range, then an HTTP 404 not found error
is returned as defined in the denyAction
One final note, just like the companion DIPR feature, Windows Azure Web Sites ensures that the client IP addresses “seen” by the IP and Domain Restrictions module are the actual IP addresses of Internet clients making HTTP requests.