Security Series: App Service IP Restrictions

Index
TLDR;
Azure App Service IP Restrictions are powerful and an easy win in terms of base security for Sitecore sites. However, the list of rules becomes unwieldy to manage when adding/removing/editing rules at scale. As developers, we are digital aristocrats, and we should not be burdened by the monotonous toil of pointing and clicking over 9000 times in one sitting. Instead, we'll use a PowerShell script within a dedicated Azure DevOps release pipeline to manage the rules.

Overview
Imagine you have a list of 200 IP addresses that you want to allow access to your App Service. Whether due to cost, complexity, or simply project constraints, you're not using a WAF such as Cloudflare or Front Door, so you're stuck with App Service IP Restrictions. There are a number of matters to figure out:
- How to format the IP list
- Where to store the IP list
- How to get the IP list into the script
- How to apply the IP list to the App Service
How to format the IP list
Presumably, each of your IP addresses will be accompanied with a description. This step is entirely up to you, but in my case I'm going with JSON. JSON ensures that the list is extensible and easy to parse.
Where to Store the IP List
You can store the IP list in a number of different places. Considerations to keep in mind are:
- The format of the list
- The size of the list (the storage location may have character / size limits)
- The editing experience -- where you store the list should be compatible with the format of the list. For example, editing JSON in a single line text field isn't a great experience and may be error prone.
- The ability to "version" the list
- The ability to reference and adjust the IPs depending on the environment (dev/test/prod)
Some options for where to store the IP list are:
- Key Vault
- Blob Storage
- Code repo (not recommended)
- DevOps variables
- Directly in the script that calls the Azure CLI
The Script
As mentioned previously, we'll use an Azure DevOps release pipeline with one step which is an inline PowerShell script. The script will fetch the IP list from the source, and then apply the IP list to the App Service using the Azure CLI. Beyond that, the code speaks for itself.
A few followup notes:
- The Azure CLI is slow. In my experience, each add operation took about 10 seconds, so this will eat up your release minutes.
- For the "Advanced tool site" (
your-app-service-cm.scm.azurewebsites.net/DebugConsole
) restrictions, you can easily set it to use the same rules as the main site. Just set it and forget it in the Azure Portal.
Where This Method of Security Falls Short
- There is a limit of 512 access restriction rules, so use CIDR. Tie it to your internal IDP server. You can add rules for that.
- Updating via Azure CLI is slow.
- If you want to analyze requests that get served a 403 (which may be useful in some cases), you won't be able to see them neither in the Web Server Logs log stream, nor in Application Insights requests.
Play smart,
-MG