Dynamic IP Restriction for Azure App Services

 Azure
Mar 26 2020

Azure App Service has a fascinating feature called Dynamic IP Restriction. Using this feature, we can protect our App Services from external attacks such as Distributed Denial of Service.

Two settings for protecting our Azure App Services:

Azure provides two types of settings that let us protect our App Service:

  • Deny IP Address based on the number of concurrent requests
  • Deny IP Address based on the number of requests over a period of time

Let’s see how to configure this feature.

How to configure Dynamic IP Restriction for Azure App Service?

We can configure Dynamic IP Restriction by following the steps below.

Step 1:

Go to App Service → Development Tools → Advanced Tools → click Go → the Kudu page opens → click Site extensions → Gallery → search for “dynamic” → click the + icon to install Dynamic IP Restriction for App Services.



Step 2:

We need to restart the App Service once after installing the “Dynamic IP Restriction for App Services” site extension.



Step 3:

Now let’s get to the core part: choose either of the settings below to configure. This protects our App Service from risk.

  • Deny IP Address based on the number of concurrent requests
  • Deny IP Address based on the number of requests over a period of time

We can configure these settings using any one of the following options.

  • Web.config
  • applicationHost.xdt
  • Through UI

Deny IP Address based on the number of concurrent requests:

This setting denies an IP address based on how many requests are received from it concurrently.

Web.config:

To configure this setting, go to Advanced Tools (Kudu) and open the Web.config file. We need to add the highlighted values as shown in the below image.



applicationHost.xdt:

Here we can work with the status code and values highlighted in the below image. A setting placed in applicationHost.xdt is reflected immediately in the Dynamic IP Restriction for App Service UI.



Through Dynamic IP Restriction for App Service UI:

This setting can also be configured from the Dynamic IP Restriction for App Services UI. Go to Advanced Tools (Kudu) → Site extensions → Installed → select the arrow in Dynamic IP Restriction for App Service.



That’s it. This UI is like scrumptious fruit: it delivers all the settings in one view, and here we can just play with the values.



Deny IP Address based on the number of requests over a period of time:

This setting denies an IP address based on the number of requests received from that single IP over a period of time.

Web.config:

To configure this setting, go to Advanced Tools (Kudu) and open the Web.config file. We need to add the highlighted values as shown in the below image.



applicationHost.xdt:

See the below image to configure Deny IP Address based on the number of requests in the applicationHost.xdt file. Here we need to work with the status code and values highlighted in the below image.



Through Dynamic IP Restriction for App Service UI:



Enable Logging Mode only:

The Enable Logging Mode Only setting is used for illustrating the error in the browser. Here we list the Enable Logging Mode Only values with the corresponding HTTP status codes.

Value          Returns HTTP status code
AbortRequest   0
Unauthorized   401
Forbidden      403
NotFound       404

The above status can be set from Web.config, applicationHost.xdt, or through the UI.

Web.config:



applicationHost.xdt:

Through Dynamic IP Restriction for App Service UI:



User experience:

In our example, we set the following settings from the Dynamic IP Restriction for App Service UI.

  • Maximum number of requests: 2
  • Time Period: 4000 milliseconds
  • Deny Action: NotFound

These are shown below.



As a result, the browser shows the error “The resource you are looking for has been removed, had its name changed, or is temporarily unavailable” with a 404 Not Found status.
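
The settings described above can be checked in a Web.config before it is deployed. The Python sketch below is an added example, not part of the original post or of the site extension. It assumes the Web.config uses the IIS dynamicIpSecurity section; the embedded sample is constructed from the values in the User experience example, with an assumed concurrent request limit of 10.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config. Element and attribute names are those of the
# IIS dynamicIpSecurity section; the request-rate values and deny action come
# from the "User experience" example, the concurrent limit (10) is assumed.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <dynamicIpSecurity denyAction="NotFound" enableLoggingOnlyMode="false">
        <denyByConcurrentRequests enabled="true" maxConcurrentRequests="10" />
        <denyByRequestRate enabled="true" maxRequests="2"
                           requestIntervalInMilliseconds="4000" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</configuration>"""

# Deny action -> HTTP status code, as listed in the table on this page.
DENY_STATUS = {"AbortRequest": 0, "Unauthorized": 401, "Forbidden": 403, "NotFound": 404}

def _true(elem, attr):
    return elem is not None and elem.get(attr, "false").lower() == "true"

def _int(elem, attr):
    value = elem.get(attr)
    return int(value) if value is not None else None

def audit_dynamic_ip_security(web_config_xml):
    """Return (effective policy, findings) for the dynamicIpSecurity section."""
    root = ET.fromstring(web_config_xml)
    dis = next(root.iter("dynamicIpSecurity"), None)
    if dis is None:
        return {}, ["dynamicIpSecurity section is missing"]
    action = dis.get("denyAction")
    policy, findings = {"denyAction": action, "status": DENY_STATUS.get(action)}, []
    if action is not None and action not in DENY_STATUS:
        findings.append(f"unknown denyAction {action!r}")
    if _true(dis, "enableLoggingOnlyMode"):
        # In logging-only mode IIS logs requests it would deny but still serves them.
        findings.append("logging-only mode is on: matches are logged, not denied")
    conc, rate = dis.find("denyByConcurrentRequests"), dis.find("denyByRequestRate")
    if _true(conc, "enabled"):
        policy["maxConcurrentRequests"] = _int(conc, "maxConcurrentRequests")
    if _true(rate, "enabled"):
        policy["maxRequests"] = _int(rate, "maxRequests")
        policy["intervalMs"] = _int(rate, "requestIntervalInMilliseconds")
    if not (_true(conc, "enabled") or _true(rate, "enabled")):
        findings.append("neither deny rule is enabled")
    return policy, findings
```

Calling audit_dynamic_ip_security(SAMPLE_WEB_CONFIG) returns the effective policy and an empty findings list. A config with logging-only mode on, or with both deny rules disabled, yields a finding instead.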