Block Specific IP Addresses from Accessing a Web Role

Updated: May 16, 2012

You can restrict a Windows Azure web role access to a set of specified IP addresses by modifying your IIS web.config file and creating a command file which unlocks the ipSecurity section of the ApplicationHost.config file.

First, create a command file that runs when your role starts which unlocks the ipSecurity section of the ApplicationHost.config file. Create a new folder at the root level of your web role called startup and, within this folder, create a batch file called startup.cmd. Set the properties of this file to Copy Always to ensure that it will be deployed.

Add the following code to the startup.cmd file:

%windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity

Next, open the ServiceDefinition.csdef file in your web role project and add the following element:

<Startup>
   <Task commandLine=”startup\startup.cmd” executionContext=”elevated” />
</Startup>

This causes the startup.cmd batch file to be run every time the web role is initialized, ensuring that the required ipSecurity section is unlocked.

Finally, modify the system.webServer section your web role’s web.config file to add a list of IP addresses that are granted access, as shown in the following example:

<system.webServer>
  < security>
    <!—Unlisted IP addresses are denied access–>
    <ipSecurity allowUnlisted=”false”>
      <!—The following IP addresses are granted access–>
      <add allowed=”true” ipAddress=”192.168.100.1” subnetMask=”255.255.0.0″ />
      <add allowed=”true” ipAddress=”192.168.100.2″ subnetMask=”255.255.0.0″ />
    </ipSecurity>
  </security>
</system.webServer>

See Also

Concepts

Build an Application that Runs in a Cloud Service in Windows Azure