Add/Update IP Restrictions on Azure WebApp Dynamically with PowerShell
akhilsharmaazuresecurity


Well, it’s exactly a month since my last post on estimation of parallel jobs on Azure DevOps. I was away all this while due to a shoulder injury. I got both my shoulders dislocated and was hospitalized for quite a while because of that. I got back to working full time only last week, and here I am back today with a small yet powerful trick to add or update IP restrictions on an Azure WebApp dynamically through PowerShell.

Let’s set up the context first. I was working in Azure DevOps Pipelines and had a requirement to add and allow the IP of my hosted agent in the IP Restrictions of an Azure WebApp. I searched through the Azure PowerShell cmdlets but failed to find any cmdlet that would do this job in a single command. It was then time to implement a script and get the job done. I referred to a few scripts available online from different authors and came up with a script that adds or updates the IP of my hosted agent in the Azure WebApp on each run.

Script:

function Add-AzureWebAppIpRestrictionRule
{
    [CmdletBinding()]
    Param
    (
        # Name of the resource group containing the WebApp.
        [Parameter(Mandatory=$true, Position=0)]
        $ResourceGroupName, 
 
        # Name of your Web App.
        [Parameter(Mandatory=$true, Position=1)]
        $WebAppName, 
 
        # rule to add.
        [Parameter(Mandatory=$true, Position=2)]
        [PSCustomObject]$rule
    )
 
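    # Look up the API versions the Microsoft.Web provider offers for 'sites'.
    $ApiVersions = Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web |
        Select-Object -ExpandProperty ResourceTypes |
        Where-Object ResourceTypeName -eq 'sites' |
        Select-Object -ExpandProperty ApiVersions
 
    # The first entry is treated as the latest version.
    $LatestApiVersion = $ApiVersions[0]
 
    # Read the current site configuration, including any existing IP restrictions.
    $WebAppConfiguration = Get-AzureRmResource -ResourceType 'Microsoft.Web/sites/config' -ResourceName $WebAppName -ResourceGroupName $ResourceGroupName -ApiVersion $LatestApiVersion
 
    # Append the new rule, then keep only the last rule per name so that a rule
    # with the same name is replaced instead of duplicated. @() keeps the result
    # an array even when only one rule remains.
    $WebAppConfiguration.Properties.ipSecurityRestrictions = @($WebAppConfiguration.Properties.ipSecurityRestrictions + @($rule) |
        Group-Object name |
        ForEach-Object { $_.Group | Select-Object -Last 1 })
 
    # Write the updated configuration back to the WebApp.
    Set-AzureRmResource -ResourceId $WebAppConfiguration.ResourceId -Properties $WebAppConfiguration.Properties -ApiVersion $LatestApiVersion -Force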
}
 
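#Get the public IP address of the host as reported by api.ipify.org
#-UseBasicParsing avoids the Internet Explorer engine dependency in Windows PowerShell
$clientIp = Invoke-WebRequest 'https://api.ipify.org' -UseBasicParsing | Select-Object -ExpandProperty Content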
 
#Customise the Rule
$rule = [PSCustomObject]@{
    ipAddress = "$($clientIp)/32"
    action = "Allow"
    priority = 130
    name = "AzureDevOps"
    description = "Automatically added ip restriction for WebApp"
}
 
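#$(Azure.ResourceGroup) and $(Azure.WebAppName) are pipeline variables in Azure DevOps macro syntax,
#replaced with their values before the inline script runs
Add-AzureWebAppIpRestrictionRule -ResourceGroupName "$(Azure.ResourceGroup)" -WebAppName "$(Azure.WebAppName)" -rule $rule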

The above script is from a GitHub link.

The script first gets the public IP address of the host machine. That IP is then placed in the custom rule that is to be set on the Azure WebApp. The priority and the action (Allow or Deny) are set in this rule block.

We then get the Azure WebApp’s configuration and add/update its IP restrictions by writing the updated configuration back. Because the rules are grouped by name and only the last rule per name is kept, an existing rule with the same name is replaced rather than duplicated.
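The following is an added example, not part of the original script: it runs offline and shows the replace-by-name merge together with a check that the IP lookup response really is an IPv4 address before it is placed in an Allow rule. The helper names `Test-AgentIp` and `Merge-IpRestrictionRule` are hypothetical, and the rules and lookup responses are constructed sample data.

```powershell
# Added example, not the original author's code. Helper names are hypothetical.
function Test-AgentIp {
    param([string]$Text)
    $ip = $null
    $candidate = $Text.Trim()
    # Reject anything that is not a literal address (HTML error page, empty body, ...).
    if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$ip)) { return $false }
    # The rule below appends /32, so only IPv4 is accepted here.
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    # TryParse also accepts short forms such as "1"; require the canonical dotted quad.
    return ($ip.ToString() -eq $candidate)
}

function Merge-IpRestrictionRule {
    param([object[]]$Existing, [Parameter(Mandatory = $true)][PSCustomObject]$Rule)
    # Same outcome as the script's Group-Object step: one rule per name, newest wins.
    $kept = @($Existing | Where-Object { $_ -and $_.name -ne $Rule.name })
    # The unary comma keeps a one-element result an array.
    return , @($kept + $Rule)
}

# Constructed sample rules, shaped like entries of ipSecurityRestrictions.
$existing = @(
    [PSCustomObject]@{ ipAddress = '203.0.113.10/32'; action = 'Allow'; priority = 100; name = 'Office' }
    [PSCustomObject]@{ ipAddress = '198.51.100.7/32'; action = 'Allow'; priority = 130; name = 'AzureDevOps' }
)

# Constructed lookup responses: a usable address, an error page, an empty body.
foreach ($response in '192.0.2.44', '<html>503 Service Unavailable</html>', '') {
    if (-not (Test-AgentIp $response)) {
        Write-Warning "Skipping unusable IP lookup response: '$response'"
        continue
    }
    $rule = [PSCustomObject]@{
        ipAddress = "$($response.Trim())/32"; action = 'Allow'; priority = 130; name = 'AzureDevOps'
    }
    $merged = Merge-IpRestrictionRule -Existing $existing -Rule $rule
    # Show the merged list that would be written back to the WebApp configuration.
    $merged | Format-Table name, ipAddress, priority, action
}
```

Unlike the `Group-Object` pipeline in the script, this helper leaves the other rules in their existing order and appends the replacement at the end.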

Access Restrictions – Azure WebApp
