问题描述

我们有一个在 Azure 中部署为应用服务的 Web 应用.我们希望通过一个 IP 地址白名单来限制对它的访问，这可以在某些 Azure 应用服务设置中完成，而不是在我们在项目中拥有的 web.config 中完成.

目前，这就是我们在环境中进行 IP 地址限制的方式.

• 生产:我们为应用服务设置了 VNet 集成.我们将 NSG 附加到 VNet 的 Subnet 并且从 NSG 我们可以控制入站和出站访问.

• Staging: 我们的 web.config 中有以下配置块，其中包含允许访问我们的应用服务的白名单 IP 地址登台服务器.

  <安全><ipSecurity allowUnlisted="false" denyAction="NotFound"><add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add><add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add></ipSecurity></安全>

• Development(local):我们必须取消注释我们本地开发机器中的 <security> 配置块，因为我们并不真正需要它.它会导致错误，请看下面的截图.

这是HttpFailre_09-07-33.html的一些内容

模块 IpRestrictionModule通知开始请求处理程序 aspNetCore错误代码 0x80070021配置错误 此配置部分不能用于此路径.当该部分锁定在父级别时会发生这种情况.锁定是默认情况下 (overrideModeDefault="Deny") 或由具有 overrideMode="Deny" 或旧 allowOverride="false" 的位置标记显式设置的.

我们想从 web.config 中完全删除这个 <security> 块，因为另一个原因，我们不希望 IP 地址进入生产环境.

而且，我们不允许在我们的暂存服务器中进行 VNet 集成(管理的东西，呃！任何削减成本的东西！).

那么有没有办法限制 Azure App Service 中的 IP 地址?

1.我们可以使用web.config来限制你提到的IP地址

2.我们可以从 IIS 管理器连接到 WebApp，我们可以轻松配置限制 IP.更多详细信息请参考

b.将 ipSecurityRestrictions 更改为数组值.

c.点击Put按钮发送请求.

配置错误此配置部分不能在此路径中使用

如果我们不解锁处理程序，我们需要解锁处理程序，更多信息请参考另一个SO 线程.以下是从 SO 线程中截取的内容.

1) 在连接树中(在 IIS 中)，转到您的服务器节点，然后转到您的网站.

2) 对于网站，在右侧窗口中，您将看到管理下的配置编辑器.

3) 双击配置编辑器.

4) 在打开的窗口中，您会在顶部找到一个下拉列表.从下拉列表中选择system.webServer/handlers".

5) 在右侧，还有另一个下拉菜单.>选择ApplicationHost.Config"

6) 在最右侧的窗格中，您会在部分"标题下找到解锁部分".点击那个.

7) 一旦应用程序主机上的处理程序被解锁，您的网站应该可以正常运行.

We have a web app that is deployed as an App Service in Azure. We would like to restrict access to it by having a white list of IP addresses that can be done in some Azure App Service setting and not in web.config that we have inside the project.

Currently, this is how we do IP address restriction in our environments.

• Production: We have VNet Integration setup for the App Service. We attached an NSG to the VNet's Subnet and from the NSG we can control inbound and outbound access.

• Staging: We have the following block of configuration in our web.config that contains the whitelisted IP addresses that are allowed to access the App Service in our staging server.

  <security>
      <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add>
          <add allowed="true" ipAddress="some ip address" subnetMask="255.255.255.254"></add>
      </ipSecurity>
  </security>
  

• Development(local): We have to uncomment the <security> configuration block in our local development machines coz we don't really need it. And it causes an error, please see screenshot below.

This is some the contents of the HttpFailre_09-07-33.html

Module         IpRestrictionModule
Notification   BeginRequest
Handler        aspNetCore
Error Code     0x80070021
Config Error   This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

We would like to completely remove this <security> block from web.config because for another reason, we don't want the IP addresses to reach production.

And also, we are not allowed to do VNet Integration in our Staging server (management stuff, duh! cost-cutting whatever!).

So is there a way to restrict IP addresses in Azure App Service?

1.We could use web.config to restrict IP address as you mentioned

2.We could connect to a WebApp from IIS manager and we can config restrict IP easily. More detail info please refer blog.

3.We could use REST API to do that, and we could easily do it with Azure Resource Exploer(https://resources.azure.com/). We also could do that with PowerShell cmdlets detail info please refer to another SO Thread. The following is the simple steps about how to use azure resource explorer to do that.

a. Open azure resource explorer and select the corresponding web site config web option to click the Edit button.

b. Change ipSecurityRestrictions to an array value.

c. Click the Put button to send request.

If we do not unlock the handlers, we need to unlock the handlers, more info please refer to another SO Thread. Following is the snipped from the SO thread.

这篇关于如何使用 Azure 门户中的设置限制对应用服务的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！