My app services all have public IPs. I want to block some external IPs from the internet, but I want to keep the IP address public for outbound traffic.

Anonymous
2024-02-13T19:23:26.7733333+00:00

We have several websites that use the Azure App Service. Some of those apps are for external communication between the app service and the internet. Others are just for internal communication. I'm trying to either take away or block the IPs that are public and don't need to be. I've used NSGs for virtual machines and VNets/subnets, but I can't find a way to do this within the App Service services. Help would be appreciated. Thank you! Sharyn

Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

Accepted answer
  1. TP 126.3K Reputation points Volunteer Moderator
    2024-02-13T19:59:16.3733333+00:00

    Hi Sharyn,

    If you navigate to an App Service in the portal, click the Networking blade and select "Enabled from select virtual networks and IP addresses", you can then create Allow/Deny rules to control access to the app.

    For example, if you wanted one of your internal apps to only be available from your office's public IP address, you could use the above technique to accomplish that. You would select Deny for the unmatched rule action and then add an Allow rule for your office's public IP.

    I'm unsure if the above covers what you want to achieve. Please add a comment below with clarification on your goals and if needed I will give further instructions.

    Thanks.

    -TP
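The accepted answer's portal steps, done with the Azure CLI instead, as an added example that is not part of this thread or of Microsoft's own documentation. The resource group, app name and all addresses are placeholders; `--default-action` is assumed to be the CLI counterpart of the portal's unmatched rule action and needs a reasonably recent Azure CLI. The script goes slightly beyond the answer: it also covers the question's other case (keep an app public but drop specific external sources), and it prints the commands unless `APPLY=1` so the change set can be reviewed before anything is touched.

```shell
#!/bin/sh
# Added example, not code from the thread: the accepted answer's portal steps as Azure CLI calls.
# RG, APP and every address below are placeholders; APPLY=0 prints the commands instead of running them.
set -eu

RG="${RG:-rg-placeholder}"
APP="${APP:-app-placeholder}"
OFFICE_IP="${OFFICE_IP:-203.0.113.10/32}"   # constructed: RFC 5737 documentation range
APPLY="${APPLY:-0}"

# Print or execute a command, depending on APPLY, so the plan can be reviewed first.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# add_rule NAME ACTION CIDR PRIORITY: one entry in the priority-ordered access restriction
# list (the lowest priority number is evaluated first).
add_rule() {
  run az webapp config access-restriction add \
    --resource-group "$RG" --name "$APP" \
    --rule-name "$1" --action "$2" --ip-address "$3" --priority "$4"
}

# What happens to a request that no rule matches: the CLI name for the portal's
# "unmatched rule action". Also applied to the Kudu/SCM site, which is easy to forget.
set_default_action() {
  run az webapp config access-restriction set \
    --resource-group "$RG" --name "$APP" \
    --default-action "$1" --use-same-restrictions-for-scm-site true
}

# Read the list back so the change can be verified.
show_rules() {
  run az webapp config access-restriction show --resource-group "$RG" --name "$APP"
}

# Internal app: office only. The Allow rule goes in before the default flips to Deny,
# so there is no window in which the office itself is locked out.
lock_to_office() {
  add_rule AllowOffice Allow "$OFFICE_IP" 100
  set_default_action Deny
  show_rules
}

# Public app: keep serving the internet but drop specific external sources (the question's
# other case). Arguments are CIDRs; priorities are assigned from 100 upwards in steps of 10.
block_sources() {
  n=100
  for cidr in "$@"; do
    add_rule "Deny-$n" Deny "$cidr" "$n"
    n=$((n + 10))
  done
  set_default_action Allow
}

lock_to_office
block_sources 198.51.100.0/24 192.0.2.77/32   # constructed sample addresses
```

Run it once with `APPLY=0` (the default) to read the generated commands, then `APPLY=1 RG=... APP=... OFFICE_IP=... sh lockdown.sh` to apply them. An access restriction list only filters what reaches the app; the app keeps its public inbound address, which is why this answers the "block some external IPs" half of the question rather than the "take away the public IP" half.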


1 additional answer

  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-02-14T08:43:57.3533333+00:00

    Hello @Anonymous, you can control the inbound and outbound traffic to your Azure App Service using a combination of Access Restrictions and Azure Firewall. Here are some steps you can follow:

    1. Access Restrictions: You can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When a request is made to your app, the FROM address is evaluated against the rules in your access restriction list. If the address isn't allowed access based on the rules in the list, the service replies with an HTTP 403 status code.
    2. Outbound IP: Azure App Service is a multi-tenant service, and apps that are not in an App Service Environment share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations. If you want to fix the outbound IP for your App Service, you can create a VNet and a NAT Gateway.
    3. Azure Firewall: If you need more granular control over outbound traffic, you can use Azure Firewall. This allows you to lock down the outbound traffic from your App Service app to back-end Azure resources or other network resources.
    4. Network Security Groups (NSGs): While NSGs are typically used with virtual machines and VNets/subnets, they can also be used to control access to your app by applying IP address rules.

    Remember, these are general steps and might not cover all specific scenarios. Always consider your organization's specific needs and constraints. If the information provided here helps solve your issue, please tag this as answered, so it helps further community readers who may have similar questions.
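Step 2 of the answer above (a VNet plus a NAT gateway so the app always egresses from one known public address), as an added Azure CLI example that is not part of this thread or of any Microsoft sample. Resource names, region and address ranges are placeholders, and the script assumes an App Service plan tier that supports regional VNet integration (it is not available on Free/Shared tiers). Like the earlier script, it prints the commands unless `APPLY=1`. Note what this does and does not change: the NAT gateway governs only the source address of the app's outbound connections; inbound requests still arrive on the App Service's own address, which is what the access restriction list in step 1 controls.

```shell
#!/bin/sh
# Added example, not code from the thread: fixed outbound IP for an App Service via
# regional VNet integration and a NAT gateway. All names and ranges are placeholders.
set -eu

RG="${RG:-rg-placeholder}"
APP="${APP:-app-placeholder}"
LOCATION="${LOCATION:-eastus}"
VNET="vnet-app"
SUBNET="snet-appsvc"
NATGW="natgw-app"
PIP="pip-natgw-app"
APPLY="${APPLY:-0}"   # 0 = print the commands, 1 = execute them

run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. A static Standard-SKU public IP: the one address downstream firewalls need to allow.
create_egress_ip() {
  run az network public-ip create --resource-group "$RG" --name "$PIP" --location "$LOCATION" \
    --sku Standard --allocation-method Static
}

# 2. NAT gateway bound to that address.
create_nat_gateway() {
  run az network nat gateway create --resource-group "$RG" --name "$NATGW" --location "$LOCATION" \
    --public-ip-addresses "$PIP" --idle-timeout 10
}

# 3. VNet with a subnet delegated to App Service (required for integration) and attached to the
#    NAT gateway. The subnet must be dedicated to the integrated apps.
create_network() {
  run az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
    --address-prefix 10.10.0.0/16 --subnet-name "$SUBNET" --subnet-prefix 10.10.1.0/24
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --delegations Microsoft.Web/serverFarms --nat-gateway "$NATGW"
}

# 4. Integrate the app and route ALL outbound traffic into the VNet, not only RFC 1918 ranges;
#    without route-all, internet-bound calls would still leave via the shared App Service IPs.
integrate_app() {
  run az webapp vnet-integration add --resource-group "$RG" --name "$APP" \
    --vnet "$VNET" --subnet "$SUBNET"
  run az webapp config set --resource-group "$RG" --name "$APP" --vnet-route-all-enabled true
}

# The address to hand to whoever maintains the downstream allow lists.
show_egress_ip() {
  run az network public-ip show --resource-group "$RG" --name "$PIP" --query ipAddress --output tsv
}

provision_fixed_egress() {
  create_egress_ip
  create_nat_gateway
  create_network
  integrate_app
}

provision_fixed_egress
show_egress_ip
```

After applying, confirm from inside the app (for example, a request from the app to an external "what is my IP" endpoint) that the reported source matches `show_egress_ip`; if it still shows one of the App Service's shared outbound addresses, the route-all setting is the usual culprit.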

