Share via

Access Restriction for Azure Web Apps - Seeking Secure Solutions for Remote Access

航 鈴木 20 Reputation points
2025-05-30T07:52:56.9666667+00:00

I'm looking for ideas on how to implement access restrictions for Azure Web Apps.

Currently, access is limited to our internal network by configuring a whitelist of internal network IP addresses in the Web App's settings: Settings > Networking > Enabled with access restrictions

We need a secure way for specific users to access the Web App from external networks (e.g., when working remotely or traveling). Adding individual user IP addresses to the current whitelist is not feasible because user IP addresses are dynamically assigned via DHCP.

Another option we considered was setting up a jump server with a static IP address and only allowing access from that server. However, establishing a secure method for users to access the jump server is proving difficult.

Given these constraints, are there any other secure methods to allow specific users to access the Web App from external networks?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,933 questions
0 comments
Accepted answer
  1. Bhargavi Naragani 5,270 Reputation points Microsoft External Staff Moderator
    2025-05-30T09:03:54.1133333+00:00

    Hi @航 鈴木,

    You're currently restricting access to your Azure Web App using a whitelist of internal network IPs under:

    Settings > Networking > Access restrictions

    This works well inside your corporate network, but you want to allow specific users to securely access the Web App from outside (e.g., remote work, travel). Whitelisting external user IPs is not practical, since those IPs are often dynamically assigned via DHCP. You thought about using a jump server (bastion host), but securing access to that jump server is a challenge in itself.

    Instead of relying on static IP-based restrictions, you can enable authentication and identity-based access controls, which scale much better and offer enterprise-grade security.

    1. Configure your Web App to require login using Azure AD. This ensures only authenticated users can access it, regardless of where they're connecting from. Secure an app with Azure AD authentication - Azure App Service
    2. Use Azure AD Conditional Access to define policies such as: Allow access only from compliant devices, Block access from unknown countries, Require MFA for external users, require access from Intune-managed or Hybrid Azure AD joined devices Conditional Access in Azure Active Directory
    3. If you want network-level control in addition to identity controls, use Azure Private Endpoint to expose the app only in your VNet, and users can connect securely via VPN or Azure Virtual Desktop. Private Endpoint for Azure App Service
    4. Or use Azure Front Door with Web Application Firewall (WAF) and IP restrictions. Restrict access with Front Door and WAF

    Why This is a Better Approach:

    Feature IP Whitelisting Azure AD + Conditional Access
    Dynamic user IPs support no yes
    Per-user access control no yes
    MFA and device compliance no yes
    Scalable and maintainable no yes

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

    Let me know if you have any further Queries.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.