az webapp config access-restriction
Methods that show, set, add, and remove access restrictions on a webapp.
Commands
Name | Description | Type | Status |
---|---|---|---|
az webapp config access-restriction add |
Adds an Access Restriction to the webapp. |
Core | GA |
az webapp config access-restriction remove |
Removes an Access Restriction from the webapp. |
Core | GA |
az webapp config access-restriction set |
Sets if SCM site is using the same restrictions as the main site and default actions. |
Core | GA |
az webapp config access-restriction show |
Show Access Restriction settings for webapp. |
Core | GA |
az webapp config access-restriction add
Adds an Access Restriction to the webapp.
az webapp config access-restriction add --priority
[--action {Allow, Deny}]
[--description]
[--http-headers]
[--ids]
[--ignore-missing-endpoint {false, true}]
[--ip-address]
[--name]
[--resource-group]
[--rule-name]
[--scm-site {false, true}]
[--service-tag]
[--skip-service-tag-validation {false, true}]
[--slot]
[--subnet]
[--subscription]
[--vnet-name]
[--vnet-resource-group]
Examples
Add Access Restriction opening (Allow) named developers for IPv4 address 130.220.0.0/27 with priority 200 to main site.
az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name developers --action Allow --ip-address 130.220.0.0/27 --priority 200
Add Access Restriction opening (Allow) named build_server for IPv4 address 192.168.0.0/27 with priority 250 to scm site.
az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name build_server --action Allow --ip-address 192.168.0.0/27 --priority 250 --scm-site true
Add Access Restriction opening (Allow) named app_gateway for Subnet app_gw in vNet core_weu with priority 300 to main site.
az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name app_gateway --action Allow --vnet-name core_weu --subnet app_gateway --priority 300
Add Access Restriction opening (Allow) named internal_agents for Subnet build_agents in vNet corp01 with priority 500 to scm site; and ignore service endpoint registration on the Subnet.
az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name internal_agents --action Allow --vnet-name corp01 --subnet build_agents --priority 500 --scm-site true --ignore-missing-endpoint true
Add Access Restriction opening (Allow) named remote_agents in vNet 'corp01' in rg 'vnets' with subnet 'agents'
az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name remote_agents --action Allow --vnet-name corp01 --subnet agents --priority 500 --vnet-resource-group vnets
Add Access Restriction opening (Allow) named agents in vNet 'corp01' in rg 'vnets' with subnet 'agents' (using subnet resource id)
az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name remote_agents --action Allow --priority 800 --subnet '/subscriptions/<subscription-id>/resourceGroups/vnets/providers/Microsoft.Network/virtualNetworks/corp01/subnets/agents'
Add Access Restriction opening (Allow) with no rule name for service tag AzureCloud
az webapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureCloud
Add Access Restriction opening (Allow) with no rule name for service tag AzureFrontDoor.Backend and http-header X-Azure-FDID with value '12345678-abcd-1234-abcd-12345678910a'
az webapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureFrontDoor.Backend --http-header x-azure-fdid=12345678-abcd-1234-abcd-12345678910a
Add Access Restriction opening (Allow) with multiple http-header values for the same header 'X-Azure-FDID'
az webapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureFrontDoor.Backend --http-header x-azure-fdid=12345678-abcd-1234-abcd-12345678910a x-azure-fdid=11111111-abcd-1234-abcd-222222222222
Required Parameters
Priority of the access restriction rule.
Optional Parameters
Allow or deny access.
Description of the access restriction rule.
Space-separated http headers in a format of <name>=<value>
.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Create access restriction rule with checking if the subnet has Microsoft.Web service endpoint enabled.
IP address or CIDR range (optional comma separated list of up to 8 ranges).
Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>
.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name of the access restriction rule to add.
True if access restrictions is added for scm site.
Service Tag (optional comma separated list of up to 8 tags).
Skip validating public service tags.
The name of the slot. Default to the productions slot if not specified.
Subnet name (requires vNet name) or subnet resource id.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
VNet name.
Resource group of virtual network (default is web app resource group).
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az webapp config access-restriction remove
Removes an Access Restriction from the webapp.
az webapp config access-restriction remove [--action {Allow, Deny}]
[--ids]
[--ip-address]
[--name]
[--resource-group]
[--rule-name]
[--scm-site {false, true}]
[--service-tag]
[--skip-service-tag-validation {false, true}]
[--slot]
[--subnet]
[--subscription]
[--vnet-name]
Examples
Remove Access Restriction named developers from the main site.
az webapp config access-restriction remove -g ResourceGroup -n AppName --rule-name developers
Remove Access Restriction named internal_agents from the scm site.
az webapp config access-restriction remove -g ResourceGroup -n AppName --rule-name internal_agents --scm-site true
Remove Access Restriction with service tag AzureFrontDoor.Backend from the main site.
az webapp config access-restriction remove -g ResourceGroup -n AppName --service-tag AzureFrontDoor.Backend
Optional Parameters
Allow or deny access.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
IP address or CIDR range (optional comma separated list of up to 8 ranges).
Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>
.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name of the access restriction to remove.
True if access restriction should be removed from scm site.
Service Tag (optional comma separated list of up to 8 tags).
Skip validating public service tags.
The name of the slot. Default to the productions slot if not specified.
Subnet name (requires vNet name) or subnet resource id.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
VNet name.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az webapp config access-restriction set
Sets if SCM site is using the same restrictions as the main site and default actions.
az webapp config access-restriction set [--default-action {Allow, Deny}]
[--ids]
[--name]
[--resource-group]
[--scm-default-action {Allow, Deny}]
[--slot]
[--subscription]
[--use-same-restrictions-for-scm-site {false, true}]
Examples
Enable SCM site to use same access restrictions as main site.
az webapp config access-restriction set -g ResourceGroup -n AppName --use-same-restrictions-for-scm-site true
Set default action to Allow for main site.
az webapp config access-restriction set -g ResourceGroup -n AppName --default-action Allow
Set default action to Deny for scm site.
az webapp config access-restriction set -g ResourceGroup -n AppName --scm-default-action Deny
Optional Parameters
Configure default action for main site.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>
.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Configure default action for scm site.
The name of the slot. Default to the productions slot if not specified.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Use same access restrictions for scm site.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az webapp config access-restriction show
Show Access Restriction settings for webapp.
az webapp config access-restriction show [--ids]
[--name]
[--resource-group]
[--slot]
[--subscription]
Examples
Get Access Restriction settings for a webapp.
az webapp config access-restriction show -g ResourceGroup -n AppName
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>
.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
The name of the slot. Default to the productions slot if not specified.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
Azure CLI