Microsoft.Web/sites does not respect ipSecurityRestrictions For Deny All in ARM Templates
There is a corner case in creating a new Microsoft.Web/sites resource in ARM wherein ipSecurityRestrictions is not respected when attempting to block all traffic when created without additional firewall rules.
Example:
This ignores the rule.
```json
"properties": {
  "siteConfig": {
    "ipSecurityRestrictions": [
      {
        "ipAddress": "Any",
        "action": "Deny",
        "priority": 2147483647,
        "name": "Deny all",
        "description": "Deny all access"
      }
    ],
```
The issue is resolved by adding this:
```json
"ipSecurityRestrictions": [
  {
    "ipAddress": "Any",
    "action": "Deny",
    "priority": 2147483647,
    "name": "Deny all",
    "description": "Deny all access"
  }
],
"ipSecurityRestrictionsDefaultAction": "Deny"
```
So, we replicated the issue/scenario at our end, and we succeeded with the parameter "ipSecurityRestrictionsDefaultAction" set to "Deny", and the result was as expected: we blocked all the traffic of the app service by default. This is important to add since in the future cx's will need to add this manually if they want to achieve it via ARM template.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: d90bbf62-44f9-30a6-d6ea-bbf776f6efc5
- Version Independent ID: b3961eac-6c70-b345-f48c-e4c0ec67059c
- Content: Azure App Service access restrictions - Azure App Service
- Content Source: articles/app-service/app-service-ip-restrictions.md
- Service: app-service
- GitHub Login: @madsd
- Microsoft Alias: madsd
Hi @v-mariarob, thanks for your feedback! We will review and update the template in the doc soon.
There is no need to define the Deny rule in ipSecurityRestrictions, it will be automatically generated by setting DefaultAction. We ignore any rule with ipAddress: "Any".
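The behaviour described in this thread can be checked before deployment. The following is an added example, not part of the thread or of Microsoft's documentation: a small linter that walks an ARM template and reports every Microsoft.Web/sites resource that carries a Deny rule for "Any", distinguishing the case where `ipSecurityRestrictionsDefaultAction` is not "Deny" (the site stays open) from the case where it is (the rule is merely redundant). The sample template, site names and function names are constructed for illustration, and the script assumes `resources` is a list.

```python
import json

# Constructed sample (not from the issue): the first site carries only the
# "Deny Any" rule, the second also sets the default action.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites", "name": "site-rule-only",
   "properties": {"siteConfig": {"ipSecurityRestrictions": [
     {"ipAddress": "Any", "action": "Deny", "priority": 2147483647,
      "name": "Deny all", "description": "Deny all access"}]}}},
  {"type": "Microsoft.Web/sites", "name": "site-default-deny",
   "properties": {"siteConfig": {"ipSecurityRestrictions": [
     {"ipAddress": "Any", "action": "Deny", "priority": 2147483647,
      "name": "Deny all", "description": "Deny all access"}],
     "ipSecurityRestrictionsDefaultAction": "Deny"}}}
]}
""")

MISSING_DEFAULT = "Deny/Any rule is ignored; ipSecurityRestrictionsDefaultAction is not Deny"
REDUNDANT_RULE = "Deny/Any rule is redundant; default action already Deny"

def iter_resources(resources):
    """Yield each resource in a list, descending into nested child resources."""
    for res in resources or []:
        if isinstance(res, dict):
            yield res
            yield from iter_resources(res.get("resources"))

def audit_template(template):
    """Return (site name, finding) pairs for Microsoft.Web/sites resources."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != "microsoft.web/sites":
            continue
        cfg = (res.get("properties") or {}).get("siteConfig") or {}
        deny_any = any(
            isinstance(r, dict)
            and str(r.get("ipAddress", "")).lower() == "any"
            and str(r.get("action", "")).lower() == "deny"
            for r in cfg.get("ipSecurityRestrictions") or [])
        default = str(cfg.get("ipSecurityRestrictionsDefaultAction", "")).lower()
        if deny_any:
            findings.append((res.get("name"),
                             REDUNDANT_RULE if default == "deny" else MISSING_DEFAULT))
    return findings

if __name__ == "__main__":
    for name, finding in audit_template(SAMPLE_TEMPLATE):
        print(f"{name}: {finding}")
```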
Thanks for the clarification and adding your input @madsd
We will now proceed to close this thread. If there are further questions regarding this matter, please tag us in your reply. We will gladly continue the discussion and we will reopen the issue.
@Grace-MacJones-MSFT I don't see a merge that includes documentation for this setting? While @madsd is correct that you do not need to define the Deny Rule, you absolutely need to provide ipSecurityRestrictions, which is currently undocumented. The whole point of this was to document this, currently undocumented, flag.
@Grace-MacJones-MSFT Following up on this again, was the documentation improved? If not, this issue is NOT resolved @v-mariarob
@Grace-MacJones-MSFT Hello Grace, as @aolszowka mentioned and explained a little bit further, the idea of this issue is to add the part of the ipSecurityRestrictions into the documentation, since it is not mentioned, and it can be confusing and lead to error. I would really appreciate it if we can mark this issue as open until we have some resolution.
Thanks in advance!
@aolszowka we will be adding updated documentation next week. I will let you know when it is ready.
@madsd Thanks for update! @aolszowka Thanks again for the feedback! I have assigned the issue to the content author to review further and update the document as appropriate.
Doc change has been submitted and should be released in about a day.
@madsd @SnehaAgrawal-MSFT Thank you both for the help! I really appreciate it; I'll be pending for the release!
Looks like it is live now.
#please-close