How to Block IP Addresses in a Windows Azure Web Role

October 24th, 2011

I am writing this post because I found it a little difficult figuring out how to add IP Address restriction in my MVC project deployed to Windows Azure.  This allows you to deploy a web site that is only accessible by specifically defined IP addresses within your web.config.

At this point, you may already realize that you need to modify your IIS web.config to add something that looks like this:

<system.webServer>
  <security>
    <ipSecurity allowUnlisted="false">
      <!-- allowed IP addresses -->
      <add allowed="true" ipAddress="127.55.0.0" subnetMask="255.255.0.0" />
      <add allowed="true" ipAddress="165.52.0.0" subnetMask="255.255.0.0" />
    </ipSecurity>
  </security>
</system.webServer>

However, I was surprised to find that this did not in fact block the IP addresses, and this is where I was stuck.  The issue is that, by default, Windows Azure IIS does not have the “IP and Domain Restrictions” Role Service installed, which means that the above web.config IP security will be ignored.

You could connect to your Windows Azure Web Role using Remote Desktop to enable this, but this will just get disabled if your service ever restarts and your role is re-imaged.  So to solve this problem I added a startup.cmd task to my project.  I am using MVC in my web role, so to start I simply added a new folder at the root level called startup within my MVC project.  Within that folder I created a file called startup.cmd.

It is important to make sure this file is deployed, so set its properties to “Copy Always”.

The contents of the startup.cmd should look like this:

@echo off
@echo Installing "IPv4 Address and Domain Restrictions" feature
%windir%\System32\ServerManagerCmd.exe -install Web-IP-Security
@echo Unlocking configuration for "IPv4 Address and Domain Restrictions" feature
%windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity

Next, open the ServiceDefinition.csdef located within your Windows Azure Web Role project and add the following lines just below the <WebRole name="…"> element:

<Startup>
  <Task commandLine="startup\startup.cmd" executionContext="elevated" />
</Startup>

That is it!  After this, the project can be deployed and IIS will install the “IP and Domain Restrictions” Role Service.
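To confirm before deploying which client addresses the ipSecurity rules shown earlier are meant to admit, this added example (not code from the original post) parses the section and evaluates sample addresses against it. It assumes IPv4 `<add>` entries only and that the first matching entry decides; the client addresses and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: the post's ipSecurity section, typed with straight quotes.
WEB_CONFIG = """<configuration><system.webServer><security>
  <ipSecurity allowUnlisted="false">
    <add allowed="true" ipAddress="127.55.0.0" subnetMask="255.255.0.0" />
    <add allowed="true" ipAddress="165.52.0.0" subnetMask="255.255.0.0" />
  </ipSecurity>
</security></system.webServer></configuration>"""


def load_rules(config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) for a web.config string."""
    section = next(ET.fromstring(config_xml).iter("ipSecurity"), None)
    if section is None:
        raise ValueError("no <ipSecurity> section found")
    # IIS defaults: allowUnlisted="true", allowed="false", single-host mask.
    allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for entry in section.findall("add"):
        mask = entry.get("subnetMask", "255.255.255.255")
        # strict=False accepts an ipAddress that has host bits set.
        net = ipaddress.IPv4Network(f"{entry.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, entry.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules


def is_allowed(client_ip, allow_unlisted, rules):
    """Assumption: the first matching <add> entry decides; otherwise allowUnlisted."""
    addr = ipaddress.IPv4Address(client_ip)
    for net, allowed in rules:
        if addr in net:
            return allowed
    return allow_unlisted


def evaluate(config_xml, client_ips):
    """Map each client address to True (served) or False (blocked)."""
    allow_unlisted, rules = load_rules(config_xml)
    return {ip: is_allowed(ip, allow_unlisted, rules) for ip in client_ips}


if __name__ == "__main__":
    # Constructed client addresses: two inside the listed /16 ranges, two outside.
    for ip, ok in evaluate(WEB_CONFIG, ["165.52.10.7", "127.55.255.255",
                                        "165.53.0.1", "203.0.113.9"]).items():
        print(f"{ip:16} {'allowed' if ok else 'blocked'}")
```

This only models the intended policy; as described above, IIS ignores the section entirely until the role service is installed, so a request from an unlisted address against the deployed role is still the real test.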

4 Responses to “How to Block IP Addresses in a Windows Azure Web Role”


  3. Gertjan says:

    Also check out http://msdn.microsoft.com/en-us/library/windowsazure/jj154098.aspx for a description of the above ip restrictions
