This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 41%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAJ%3C/text%3E%3C/svg%3E)
How to restrict the access of Azure app service from public users. I don't want to use any VNET peering and all it cost me a lot .. i want simple and using PAAS service.
Hi
You can use the Access Restrictions under the networking blade of your app service. You can add the IP addresses for Front Door in there and you do not need to use any Vnets etc.
the list of AFD IP Addresses are in the following ranges:-
IPv4 - 147.243.0.0/16
IPv6 - 2a01:111:2050::/44
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 59%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Anshul Jain To elaborate on above said Access restrictions enables you to define a priority ordered allow/deny list that controls network access to your app and the list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.
You may refer to this doc might be helpful: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#managing-access-restriction-rules
@Anshul Jain Just checking in to see if the above answer helped. Let me know if there are still any additional issues we can help with.
If the above answer was helpful, kindly 'Accept answer' and/or ‘Vote as helpful’ the post for benefiting the other users with a similar issue.
Right now the best solution I have came up with, if you are using it via the web.config/.htaccess.
sample from a web.config. The below would redirect them to the correct site. So if you had site abc.com this would redirect them to that.
(If looks like even Azure is recommending this
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door
)
<system.webServer>
<rewrite xdt:Transform="Insert">
<rules>
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{HTTP_X_Azure_FDID}" pattern="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://abc.com" />
</rule>
</rules>
</rewrite>
</system.webServer>
htaccess (not tested but should be close) - from https://stackoverflow.com/questions/50865917/use-htaccess-to-only-allow-requests-if-a-header-with-a-specific-value-is-presen
RewriteCond %{HTTP:X-Azure-FDID} !^xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx$ [NC]
RewriteRule ^ - [F,L]
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELP%3C/text%3E%3C/svg%3E)
Hi,
I need to restrict access to a URL on API (APP Services) to one external Ip address. App service instance uses VNET.
How to get real / external IP address in application (Net Core 3.1 in linux docker container) or where to go to set up this "firewall" rule?
https://myservice.azurewebsites.com/api/restrictedurl/*
Cheers
If you are wanting to find the outbound IP address of the app service, if you goto the app services and then select the properties blade it will list the outbound ips.
Otherwise you could look at kudu and use powershell to use a service where you could try
(Invoke-WebRequest ifconfig.me/ip).Content.Trim()
If you are wanting to get the originating IP to your app here is some info.
Have you checked out this page before?
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-http-headers-protocol
You have X-Forwarded-For
If the system is going through a proxy of some sort (FrontDoor, APIM, App Gateway, Load Balancer, ...) it should put the original IP there.
You could also look at X-Azure-ClientIP.
Checked headers and got it in "X-Client-IP"