I am writing this post because I found it a little difficult to figure out how to add IP address restrictions to my MVC project deployed to Windows Azure. This allows you to deploy a web site that is accessible only from the IP addresses specifically defined in your web.config.
At this point, you may already realize that you need to modify your IIS web.config to add something that looks like this (under system.webServer/security):
<ipSecurity allowUnlisted="false">
  <!-- allowed IP addresses -->
  <add allowed="true" ipAddress="127.55.0.0" subnetMask="255.255.0.0" />
  <add allowed="true" ipAddress="184.108.40.206" subnetMask="255.255.0.0" />
</ipSecurity>
However, I was surprised to find that this did not in fact block the IP addresses, and this is where I was stuck. The issue is that by default Windows Azure IIS does not have the “IP and Domain Restrictions” Role Service installed, which means that the above web.config IP security will be ignored.
You could connect to your Windows Azure Web Role using Remote Desktop to enable this, but this will just get disabled if your service ever restarts and your role is re-imaged. So to solve this problem I added a startup.cmd task to my project. I am using MVC in my web role, so to start I simply added a new folder at the root level called startup within my MVC project. Within that folder I created a file called startup.cmd.
It is important to make sure this file is deployed, so set its properties to “Copy Always”.
The contents of the startup.cmd should look like this:
@echo Installing "IPv4 Address and Domain Restrictions" feature
%windir%\System32\ServerManagerCmd.exe -install Web-IP-Security
@echo Unlocking configuration for "IPv4 Address and Domain Restrictions" feature
%windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity
Next, open the ServiceDefinition.csdef located within your Windows Azure Web Role project and add the following lines just below the <WebRole name="…"> element. The Task element must sit inside a Startup element:
<Startup>
  <Task commandLine="startup\startup.cmd" executionContext="elevated" />
</Startup>
That is it! After this, the project can be deployed and IIS will install the “IP and Domain Restrictions” Role Service.
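To check which clients the ipSecurity entries admit once the role service is installed, here is an added example (not code from the original post) that parses a web.config and evaluates addresses against it. The sample config is constructed from the entries above; the function names and the first-match rule order are assumptions of this sketch.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the post's two entries inside an ipSecurity section.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><security>
  <ipSecurity allowUnlisted="false">
    <add allowed="true" ipAddress="127.55.0.0" subnetMask="255.255.0.0" />
    <add allowed="true" ipAddress="184.108.40.206" subnetMask="255.255.0.0" />
  </ipSecurity>
</security></system.webServer></configuration>"""

def load_rules(web_config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) from a web.config string."""
    section = next(ET.fromstring(web_config_xml).iter("ipSecurity"), None)
    if section is None:
        return True, []  # no ipSecurity section: nothing is restricted
    # IIS defaults: allowUnlisted=true, allowed=false, subnetMask=255.255.255.255
    allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for entry in section.findall("add"):
        mask = entry.get("subnetMask", "255.255.255.255")
        # strict=False drops host bits, e.g. 184.108.40.206/16 -> 184.108.0.0/16
        net = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, entry.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules

def is_allowed(client_ip, web_config_xml):
    """Evaluate one client address; first matching entry wins (assumption)."""
    allow_unlisted, rules = load_rules(web_config_xml)
    addr = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if addr in net:
            return allowed
    return allow_unlisted

def audit(web_config_xml):
    """Flag a configuration whose allow list restricts nothing."""
    allow_unlisted, rules = load_rules(web_config_xml)
    if allow_unlisted and all(allowed for _, allowed in rules):
        return ["allowUnlisted is true and there are no deny entries: every client is admitted"]
    return []

if __name__ == "__main__":
    for ip in ("127.55.3.4", "184.108.200.1", "203.0.113.9"):
        print(ip, "allowed" if is_allowed(ip, SAMPLE_WEB_CONFIG) else "denied")
    print(audit(SAMPLE_WEB_CONFIG.replace(' allowUnlisted="false"', "")))
```

This only models the configuration; it does not detect whether the role service is installed, so a request from an address outside the list is still the real test after deployment.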