Bulk add Application Insights Availability Test IPs to Azure App Service Access Restrictions using Az PowerShell
Niels Swimberghe - - Azure
There's a feature called "Access Restrictions" inside of Azure App Service which allows you to tighten down who can communicate with your web application. You can lock your service down to a list of IPv4 ranges, IPv6 ranges, or to your Virtual Network. You can follow Microsoft's documentation to set up these restrictions using the web interface.
If you run Azure Application Insights Availability Tests against your App Service internal DNS and have enabled Access Restrictions, those availability tests will stop working. Access Restrictions apply to all Azure services as well, including the availability tests.
You can find all the IP ranges on docs.microsoft.com and manually add all 300+ of them to the Access Restrictions. Or you could save a few hours and use PowerShell to do it for you.
Bulk insert Availability Test IP Ranges script
In a previous post, I shared a script you can use to bulk insert IP Access Restrictions to your Azure App Service using PowerShell. In this post I'll build upon that script and add the functionality necessary to insert all the Availability Test IP ranges. The following script will:
1. Read the "AvailabilityTestIps.txt" file and split it into lines.
2. Determine whether the line is a header/title.
   - If it is a header, store it as the current group and skip to the next line.
   - If it is empty, the next line will be a header, so $IsHeader is set to $True and the script skips to the next line.
   - Else continue to 3.
3. Determine whether the line contains "/".
   - If it contains "/", use the line as an IP range.
   - Else add "/32" to turn it into a valid IP range.
4. Use the current group and IP range to create a new Hashtable following the Access Restrictions format.
5. Add the Hashtable to the list of Access Restrictions.
6. Pass all Access Restrictions to the "AddRestrictedIPAzureAppService.ps1" script.
```powershell
Param(
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string] $AppServiceName,
    [Parameter(Mandatory = $true)]
    [string] $SubscriptionId,
    [Parameter(Mandatory = $true)]
    [string] $RulePriority
)

$ErrorActionPreference = "Stop"

# Read the IP list; the file is expected next to this script
$AvailabilityTestIpsFile = Get-Content "$PSScriptRoot/AvailabilityTestIps.txt"
$AvailabilityTestIpsLines = $AvailabilityTestIpsFile -split '\r?\n|\r'

$IsHeader = $True # the first line of the file is a group header
$CurrentGroup = $Null;
$NewIpRestrictions = @();
ForEach($Line in $AvailabilityTestIpsLines){
    if($IsHeader){
        $CurrentGroup = $Line;
        $IsHeader = $False
        continue
    }
    if([System.String]::IsNullOrEmpty($Line)){
        $IsHeader = $True #next line will be header
        continue
    }
    # Single addresses get a /32 suffix so every entry is a CIDR range
    $Ip = $Null
    if($Line.Contains("/")){
        $Ip = $Line;
    }else{
        $Ip = "$Line/32";
    }
    # One Access Restrictions rule per IP range
    $NewIpRestrictions += @{
        ipAddress = $Ip;
        action = "Allow";
        priority = $RulePriority;
        name = "Av IP $CurrentGroup";
        description = "Availability Test IP $CurrentGroup";
        tag = "Default";
    }
}

# Hand the rules to the bulk-insert script from the previous post
& "$PSScriptRoot\AddRestrictedIPAzureAppService.ps1" `
    -ResourceGroupName $ResourceGroupName `
    -AppServiceName $AppServiceName `
    -SubscriptionId $SubscriptionId `
    -NewIpRules $NewIpRestrictions
```
Usage:
```powershell
.\AddAvailabilityRestrictedIPApp.ps1 `
    -ResourceGroupName "YourResourceGroup" `
    -AppServiceName "YourAppServiceName" `
    -SubscriptionId "YourSubscriptionGuid" `
    -RulePriority "100"
```
- You need to save both scripts to your disk and make sure they're in the same folder. Download the scripts from this GitHub gist.
- You need to save the "AvailabilityTestIps.txt" file to the same folder, and update it with the IPs from docs.microsoft.com.
- You need to have the Az PowerShell module installed.
- The RulePriority matters in case you already have access restrictions and will determine the order of evaluation when a request is made against your service.
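Every non-header line in the text file becomes an "Allow" rule, so a pasted typo or an overly broad range silently widens access. The following is an added example, not part of the original scripts or gist, that walks the file the same way and rejects suspect lines first; the helper name ConvertTo-ValidatedCidr, the $MinPrefix threshold, the IPv4-only check and the sample ranges are assumptions made for illustration.

```powershell
# Added example: validate each line before it becomes an "Allow" rule.
# Constructed sample input (RFC 5737 documentation ranges, not real test IPs).
$SampleText = @"
Example Region A
192.0.2.0/26
198.51.100.17

Example Region B
203.0.113.300
0.0.0.0/0
"@

# Hypothetical helper: returns a normalized IPv4 CIDR string or throws.
function ConvertTo-ValidatedCidr {
    Param([string] $Line, [int] $MinPrefix = 24) # $MinPrefix is an assumed policy
    $Parts = @($Line.Trim() -split '/')
    if ($Parts.Count -gt 2) { throw "Malformed range '$Line'" }
    $Address = $Null
    # Require canonical dotted-quad form; TryParse alone accepts short forms like "10.1".
    if (-not ([System.Net.IPAddress]::TryParse($Parts[0], [ref] $Address)) -or
        $Address.ToString() -ne $Parts[0] -or
        $Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not a canonical IPv4 address '$Line'"
    }
    $Prefix = 32 # bare addresses become /32, as in the script above
    if ($Parts.Count -eq 2 -and -not ([int]::TryParse($Parts[1], [ref] $Prefix))) {
        throw "Bad prefix length '$Line'"
    }
    if ($Prefix -lt $MinPrefix -or $Prefix -gt 32) {
        throw "Prefix /$Prefix is outside /$MinPrefix to /32 in '$Line'"
    }
    return "$Address/$Prefix"
}

# Same header/blank-line walk as the script, but collecting rejects instead of rules.
$IsHeader = $True; $CurrentGroup = $Null; $Valid = @(); $Rejected = @()
ForEach ($Line in ($SampleText -split '\r?\n|\r')) {
    if ($IsHeader) { $CurrentGroup = $Line; $IsHeader = $False; continue }
    if ([System.String]::IsNullOrWhiteSpace($Line)) { $IsHeader = $True; continue }
    try { $Valid += [pscustomobject]@{ Group = $CurrentGroup; Range = ConvertTo-ValidatedCidr $Line } }
    catch { $Rejected += "[$CurrentGroup] $($_.Exception.Message)" }
}
$Valid | Format-Table
$Rejected # review these before passing anything to the real script
```

To check the real file, replace $SampleText with the output of Get-Content -Raw on AvailabilityTestIps.txt and adjust $MinPrefix to the broadest range you are willing to allow.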
I hope this script saved you some time!