Avoiding IP Blacklisting with Azure Web Sites

Posted on 29 July, 2014

Sr. Escalation Engineer, US - CTS STB Developer Tools
In a multi-tenant environment where customers share a number of IP addresses, it’s not uncommon to have malicious content on a site or two. In some case they may be result of compromise and in other cases this may be intentional. Either way, this can lead to one or more shared IP addresses getting added to the lists of the various black list services that exist on the web. Once a shared IP is blacklisted, this would typically affect innocent sites as well. When such a thing happens, the instinctive reaction by most customers is to contact their hosting company and file a request to unblock the site by removing the IP from the blacklist. However, this is just a stop-gap measure as the malicious site would eventually (and usually, quite rapidly) lead to the IP getting blacklisted again.

Protecting Your Site

Since you do not have control over other sites on Azure, and you would typically be unable to even know which site it is that led to the blacklisting. The only reliable way to resolve this and protect your site from a recurrence is to configure your site with a dedicated IP. This means that the site will be using its own IP, which would not be shared with other sites. In Azure, you can easily get a dedicated IP by configuring IP SSL. This option is available only to the sites in the Standard tier, but if you're using a custom Domain on your site, there are some extra considerations. If you are using a custom domain and have a CNAME record pointing from it to the site’s name in Azure (for example, contoso.azurewebsites.net), then it’s rather simple – just change the record with your DNS provider and then configure IP-SSL. If, on the other hand, you are using an A-record to resolve the host name to an IP, then we recommend following these steps:
  1. Change your hostname mapping (i.e. www.contoso.com) from an A record to a CNAME pointing to your Microsoft Azure Web Site (i.e. contoso.azurewebsites.net).  This should have no downtime as it will be pointing to the same IP. Wait some time for DNS replication to take place.
  2. Upload a certificate for www.contoso.com to your website. This can be accomplished under Domain names in the Configure tab. Usually, you would have to purchase the Certificate from a Certificate provider, but if you don’t intend to actually use SSL, you can use a self-signed certificate which is easy to generate and won’t cost you a dime. See the section Self-signed certificates (Optional) in our guide for SSL.
  3. Configure an IP Based SSL binding for www.contoso.com. This option is available under SSL Binding in the Configure tab. See the section Configure SSL in our guide for SSL.

Reporting the Issue

Once you’ve moved your site to a dedicated IP, reporting the issue to Microsoft can help resolve the root-cause and help other customers. To do so, go to Cert.Microsoft.com and provide the details. The Microsoft security team will review and take the appropriate actions based on their findings. For more information on security, please visit the Microsoft Azure Trust Center.