az webapp config access-restriction

Methods that show, set, add, and remove access restrictions on a webapp.

Commands

Name | Description | Type | Status
az webapp config access-restriction add | Adds an Access Restriction to the webapp. | Core | GA
az webapp config access-restriction remove | Removes an Access Restriction from the webapp. | Core | GA
az webapp config access-restriction set | Sets whether the SCM site uses the same restrictions as the main site, and sets the default actions. | Core | GA
az webapp config access-restriction show | Show Access Restriction settings for webapp. | Core | GA

az webapp config access-restriction add

Adds an Access Restriction to the webapp.

az webapp config access-restriction add --priority
                                        [--action {Allow, Deny}]
                                        [--description]
                                        [--http-headers]
                                        [--ids]
                                        [--ignore-missing-endpoint {false, true}]
                                        [--ip-address]
                                        [--name]
                                        [--resource-group]
                                        [--rule-name]
                                        [--scm-site {false, true}]
                                        [--service-tag]
                                        [--slot]
                                        [--subnet]
                                        [--subscription]
                                        [--vnet-name]
                                        [--vnet-resource-group]

Examples

Add Access Restriction opening (Allow) named developers for IPv4 address 130.220.0.0/27 with priority 200 to main site.

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name developers --action Allow --ip-address 130.220.0.0/27 --priority 200

Add Access Restriction opening (Allow) named build_server for IPv4 address 192.168.0.0/27 with priority 250 to scm site.

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name build_server --action Allow --ip-address 192.168.0.0/27 --priority 250 --scm-site true

Add Access Restriction opening (Allow) named app_gateway for Subnet app_gw in vNet core_weu with priority 300 to main site.

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name app_gateway --action Allow --vnet-name core_weu --subnet app_gw --priority 300

Add Access Restriction opening (Allow) named internal_agents for Subnet build_agents in vNet corp01 with priority 500 to scm site; and ignore service endpoint registration on the Subnet.

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name internal_agents --action Allow --vnet-name corp01 --subnet build_agents --priority 500 --scm-site true --ignore-missing-endpoint true

Add Access Restriction opening (Allow) named remote_agents in vNet 'corp01' in rg 'vnets' with subnet 'agents'

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name remote_agents --action Allow --vnet-name corp01 --subnet agents --priority 500 --vnet-resource-group vnets

Add Access Restriction opening (Allow) named agents in vNet 'corp01' in rg 'vnets' with subnet 'agents' (using subnet resource id)

az webapp config access-restriction add -g ResourceGroup -n AppName --rule-name agents --action Allow --priority 800 --subnet '/subscriptions/<subscription-id>/resourceGroups/vnets/providers/Microsoft.Network/virtualNetworks/corp01/subnets/agents'

Add Access Restriction opening (Allow) with no rule name for service tag AzureCloud

az webapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureCloud

Add Access Restriction opening (Allow) with no rule name for service tag AzureFrontDoor.Backend and http-header X-Azure-FDID with value '12345678-abcd-1234-abcd-12345678910a'

az webapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureFrontDoor.Backend --http-headers x-azure-fdid=12345678-abcd-1234-abcd-12345678910a

Add Access Restriction opening (Allow) with multiple http-header values for the same header 'X-Azure-FDID'

az webapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureFrontDoor.Backend --http-headers x-azure-fdid=12345678-abcd-1234-abcd-12345678910a x-azure-fdid=11111111-abcd-1234-abcd-222222222222

Required Parameters

--priority -p

Priority of the access restriction rule.

Optional Parameters

--action

Allow or deny access.

accepted values: Allow, Deny
default value: Allow

--description

Description of the access restriction rule.

--http-headers

Space-separated http headers in a format of <name>=<value>.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--ignore-missing-endpoint -i

Create the access restriction rule without checking whether the subnet has the Microsoft.Web service endpoint enabled.

accepted values: false, true
default value: False

--ip-address

IP address or CIDR range (optional comma separated list of up to 8 ranges).

--name -n

Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--rule-name -r

Name of the access restriction rule to add.

--scm-site

True if the access restriction is added for the scm site.

accepted values: false, true
default value: False

--service-tag

Service Tag (optional comma separated list of up to 8 tags).

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subnet

Subnet name (requires vNet name) or subnet resource id.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vnet-name

VNet name.

--vnet-resource-group

Resource group of virtual network (default is web app resource group).

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
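
Added example (not part of the Azure CLI or of the original page): a Python pre-flight check that applies the parameter rules documented above for access-restriction add to a planned rule before the command is run. The function name check_rule, the exactly-one-source rule and the finding raised for an Allow rule on a /0 range are assumptions of this example.

```python
import ipaddress

MAX_ITEMS = 8  # the page caps --ip-address and --service-tag lists at 8 entries


def split_list(value):
    """Split a comma-separated CLI value into stripped items."""
    return [item.strip() for item in value.split(",")]


def check_rule(action="Allow", ip_address=None, service_tag=None,
               subnet=None, vnet_name=None, http_headers=()):
    """Return the problems found in one planned 'add' rule; an empty list means OK."""
    problems = []
    if action not in ("Allow", "Deny"):
        problems.append(f"--action must be Allow or Deny, got {action!r}")
    # Assumption of this example: a rule names exactly one traffic source.
    if sum(v is not None for v in (ip_address, service_tag, subnet)) != 1:
        problems.append("give exactly one of --ip-address, --service-tag, --subnet")
    if ip_address is not None:
        ranges = split_list(ip_address)
        if len(ranges) > MAX_ITEMS:
            problems.append(f"--ip-address lists {len(ranges)} ranges, limit is {MAX_ITEMS}")
        for item in ranges:
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                problems.append(f"{item!r} is not an IP address or CIDR range")
                continue
            # Assumption of this example: an Allow rule on a /0 range is reported.
            if net.prefixlen == 0 and action == "Allow":
                problems.append(f"{item} allows every address")
    if service_tag is not None:
        tags = split_list(service_tag)
        if len(tags) > MAX_ITEMS or "" in tags:
            problems.append(f"--service-tag needs 1 to {MAX_ITEMS} non-empty tags")
    # A bare subnet name needs --vnet-name; a full resource ID does not.
    if subnet and not subnet.lower().startswith("/subscriptions/") and not vnet_name:
        problems.append("--subnet given by name requires --vnet-name")
    for header in http_headers:
        name, sep, value = header.partition("=")
        if not (name and sep and value):
            problems.append(f"http header {header!r} is not <name>=<value>")
    return problems


if __name__ == "__main__":
    # Constructed input: nine ranges, one more than the documented limit.
    print(check_rule(ip_address=",".join(f"10.0.{i}.0/24" for i in range(9))))
```
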

az webapp config access-restriction remove

Removes an Access Restriction from the webapp.

az webapp config access-restriction remove [--action {Allow, Deny}]
                                           [--ids]
                                           [--ip-address]
                                           [--name]
                                           [--resource-group]
                                           [--rule-name]
                                           [--scm-site {false, true}]
                                           [--service-tag]
                                           [--slot]
                                           [--subnet]
                                           [--subscription]
                                           [--vnet-name]

Examples

Remove Access Restriction named developers from the main site.

az webapp config access-restriction remove -g ResourceGroup -n AppName --rule-name developers

Remove Access Restriction named internal_agents from the scm site.

az webapp config access-restriction remove -g ResourceGroup -n AppName --rule-name internal_agents --scm-site true

Remove Access Restriction with service tag AzureFrontDoor.Backend from the main site.

az webapp config access-restriction remove -g ResourceGroup -n AppName --service-tag AzureFrontDoor.Backend

Optional Parameters

--action

Allow or deny access.

accepted values: Allow, Deny
default value: Allow

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--ip-address

IP address or CIDR range (optional comma separated list of up to 8 ranges).

--name -n

Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--rule-name -r

Name of the access restriction to remove.

--scm-site

True if access restriction should be removed from scm site.

accepted values: false, true
default value: False

--service-tag

Service Tag (optional comma separated list of up to 8 tags).

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subnet

Subnet name (requires vNet name) or subnet resource id.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vnet-name

VNet name.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az webapp config access-restriction set

Sets whether the SCM site uses the same restrictions as the main site, and sets the default actions.

az webapp config access-restriction set [--default-action {Allow, Deny}]
                                        [--ids]
                                        [--name]
                                        [--resource-group]
                                        [--scm-default-action {Allow, Deny}]
                                        [--slot]
                                        [--subscription]
                                        [--use-same-restrictions-for-scm-site {false, true}]

Examples

Enable SCM site to use same access restrictions as main site.

az webapp config access-restriction set -g ResourceGroup -n AppName --use-same-restrictions-for-scm-site true

Set default action to Allow for main site.

az webapp config access-restriction set -g ResourceGroup -n AppName --default-action Allow

Set default action to Deny for scm site.

az webapp config access-restriction set -g ResourceGroup -n AppName --scm-default-action Deny

Optional Parameters

--default-action

Configure default action for main site.

accepted values: Allow, Deny

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--scm-default-action

Configure default action for scm site.

accepted values: Allow, Deny

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--use-same-restrictions-for-scm-site

Use same access restrictions for scm site.

accepted values: false, true

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az webapp config access-restriction show

Show Access Restriction settings for webapp.

az webapp config access-restriction show [--ids]
                                         [--name]
                                         [--resource-group]
                                         [--slot]
                                         [--subscription]

Examples

Get Access Restriction settings for a webapp.

az webapp config access-restriction show -g ResourceGroup -n AppName

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.