Swimburger

Bulk add Application Insights Availability Test IPs to Azure App Service Access Restrictions using Az PowerShell

Niels Swimberghe

Niels Swimberghe - - Azure

Follow me on Twitter, buy me a coffee

Azure logo holding stop sign and PowerShell logo

There's a feature called "Access Restrictions" inside of Azure App Service which allows you to tighten down who can communicate with your web application. You can lock your service down to a list of IPv4 ranges, IPv6 ranges, or to your Virtual Network. You can follow Microsoft's documentation to set up these restrictions using the web interface.
If you are using Azure Application Insights Availability Tests against your App Service internal DNS and enabled Access Restrictions, those availability tests will stop working. When you're using Access Restrictions, it will also restrict access to all Azure Services including the availability tests.
You can find all IP ranges from docs.microsoft.com and manually add all 300+ IP ranges to the Access Restrictions. OR you could save a few hours of time and use PowerShell to do it for you.

Bulk insert Availability Test IP Ranges script #

In a previous post, I shared a script you can use to bulk insert IP Access Restrictions to your Azure App Service using PowerShell. In this post I'll build upon that script and add the functionality necessary to insert all the Availability Test IP ranges. The following script will:

  1. Read the "AvailabilityTestIps.txt" file and split it into lines
  2. Determine whether the line is a header/title.
    • If header, store it as the current group and skip to the next line.
    • If empty, the next line will be a header so the $IsHeader is set to $True and skips to the next line.
    • Else continue to 3
  3. Determine if the line contains "/"
    • If contain "/", then use the line as an IP range
    • else add "/32" to turn it into a valid IP range
  4. Use the current group and IP range to create a new Hashtable following the Access Restrictions format
  5. Add the Hashtable to the list of Access Restrictions
  6. Pass all Access Restrictions to the "AddRestrictedIPAzureAppService.ps1" script.
Param( 
    [Parameter(Mandatory = $true)] 
    [string] $ResourceGroupName, 
    [Parameter(Mandatory = $true)] 
    [string] $AppServiceName, 
    [Parameter(Mandatory = $true)] 
    [string] $SubscriptionId, 
    [Parameter(Mandatory = $true)] 
    [string] $RulePriority
)

$ErrorActionPreference = "Stop"

$AvailabilityTestIpsFile = Get-Content "$PSScriptRoot/AvailabilityTestIps.txt"
$AvailabilityTestIpsLines = $AvailabilityTestIpsFile -split '\r?\n|\r'

$IsHeader = $True
$CurrentGroup = $Null;
$NewIpRestrictions = @();
ForEach($Line in $AvailabilityTestIpsLines){
    if($IsHeader){
        $CurrentGroup = $Line;
        $IsHeader = $False
        continue
    }

    if([System.String]::IsNullOrEmpty($Line)){
        $IsHeader = $True #next line will be header
        continue
    }

    $Ip = $Null
    if($Line.Contains("/")){
        $Ip = $Line;
    }else{
        $Ip = "$Line/32";
    }

    $NewIpRestrictions += @{
        ipAddress = $Ip; 
        action = "Allow";
        priority = $RulePriority;
        name = "Av IP $CurrentGroup";
        description = "Availability Test IP $CurrentGroup";
        tag = "Default";
    }
}

& "$PSScriptRoot\AddRestrictedIPAzureAppService.ps1" `
    -ResourceGroupName $ResourceGroupName `
    -AppServiceName $AppServiceName `
    -SubscriptionId $SubscriptionId `
    -NewIpRules $NewIpRestrictions

 Usage:

.\AddAvailabilityRestrictedIPApp.ps1 `
    -ResourceGroupName "YourResourceGroup" `
    -AppServiceName "YourAppServiceName" `
    -SubscriptionId "YourSubscriptionGuid" `
    -RulePriority "100"

I hope this script saved you some time!

Related Posts

Related Posts