Get and set Azure WebApp IP restrictions using PowerShell

Today I want to share two functions that help you manage Azure WebApp IP restrictions using PowerShell.

IP restrictions in an Azure WebApp let you define the IP addresses from which the WebApp / API will be available.
All requests that do not match the IPs defined in the IP restrictions are blocked.

How do the functions work?

Both functions use the Azure Resource Manager module to read and set the IP restriction information.
The Get-WebAppIPRestrictions function shows the IP restrictions of all Azure WebApps in the subscription.
The Set-WebAppIPRestrictions function requires 4 parameters:
– WebApp – name of the application,
– ResourceGroupName – name of the Resource Group in which the WebApp is created,
– IPAddress – IP address which should be added to the restriction list for the WebApp,
– Mask – subnet mask of the provided IP address.

Get-WebAppIPRestrictions function:
function Get-WebAppIPRestrictions {

    # Ask for a login when this session has no Azure context yet
    if (!(Get-AzureRmContext)) {
        Write-Host "Please login to your Azure account"
        Login-AzureRmAccount
    }
    # Use the first API version listed for the Microsoft.Web "sites" resource type
    $APIVersion = ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
    $WebApps = Get-AzureRmWebApp
    foreach ($WebApp in $WebApps) {

        $WebAppName = $WebApp.SiteName
        $WebAppRGName = $WebApp.ResourceGroup
        # Read the site configuration, which holds the ipSecurityRestrictions list
        $WebAppConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $WebAppName -ResourceGroupName $WebAppRGName -ApiVersion $APIVersion)
        $IpSecurityRestrictions = $WebAppConfig.Properties.ipSecurityRestrictions
        if ($null -eq $IpSecurityRestrictions) {
            Write-Host "No IP restrictions found for WebApp $WebAppName ."
        }
        else {
            Write-Host "IP restrictions set for WebApp $WebAppName : "
            $IpSecurityRestrictions
        }
    }
}
Set-WebAppIPRestrictions function:
function Set-WebAppIPRestrictions {
    Param(
        [Parameter(Position = 0, Mandatory = $true, HelpMessage = "WebApp name", ValueFromPipeline = $false)]
        $WebApp,
        [Parameter(Position = 1, Mandatory = $true, HelpMessage = "Resource group name", ValueFromPipeline = $false)]
        $ResourceGroupName,
        [Parameter(Position = 2, Mandatory = $true, HelpMessage = "Restricted IP address", ValueFromPipeline = $false)]
        $IPAddress,
        [Parameter(Position = 3, Mandatory = $true, HelpMessage = "Restricted IP address mask", ValueFromPipeline = $false)]
        $Mask
    )

    # Ask for a login when this session has no Azure context yet
    if (!(Get-AzureRmContext)) {
        Write-Host "Please login to your Azure account"
        Login-AzureRmAccount
    }

    # Use the first API version listed for the Microsoft.Web "sites" resource type
    $APIVersion = ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
    # Read the current site configuration and its list of IP restrictions
    $WebAppConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $WebApp -ResourceGroupName $ResourceGroupName -ApiVersion $APIVersion)
    $IpSecurityRestrictions = $WebAppConfig.Properties.ipSecurityRestrictions

    # Skip the update when the address is already on the list
    if ($IPAddress -in $IpSecurityRestrictions.ipAddress) {
        "IP address $IPAddress is already added as restricted to $WebApp."
    }
    else {
        # Build the new entry from the supplied address and mask
        $webIP = [PSCustomObject]@{ipAddress = ''; subnetMask = ''}
        $webIP.ipAddress = $IPAddress
        $webIP.subnetMask = $Mask
        if ($null -eq $IpSecurityRestrictions) {
            $IpSecurityRestrictions = @()
        }

        # Copy the existing entries into a resizable list and append the new one
        [System.Collections.ArrayList]$ArrayList = $IpSecurityRestrictions
        $ArrayList.Add($webIP) | Out-Null

        # Write the extended list back to the WebApp configuration
        $WebAppConfig.Properties.ipSecurityRestrictions = $ArrayList
        $WebAppConfig | Set-AzureRmResource -ApiVersion $APIVersion -Force | Out-Null
        Write-Host "New restricted IP address $IPAddress has been added to WebApp $WebApp"
    }
}
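
Set-WebAppIPRestrictions passes IPAddress and Mask to Azure untyped and unchecked, so a mistyped mask can cover far more addresses than intended. The following is an added example, not part of the original functions: a hypothetical helper, Test-IPRestrictionInput, that validates the pair and also reports the CIDR form that a commenter below says newer API versions expect. The Cidr and HostBitsSet property names are assumptions made for this example.

```powershell
# Added example: validate the IPAddress / Mask pair before it reaches the WebApp config.
# Test-IPRestrictionInput and its Cidr / HostBitsSet properties are hypothetical names.
function Test-IPRestrictionInput {
    Param(
        [Parameter(Mandatory = $true)] [string] $IPAddress,
        [Parameter(Mandatory = $true)] [string] $Mask
    )
    $ip = $null
    $maskIp = $null
    # TryParse also accepts short forms such as "10.1", so require four dotted octets first.
    $dotted = '^\d{1,3}(\.\d{1,3}){3}$'
    if ($IPAddress -notmatch $dotted -or -not ([System.Net.IPAddress]::TryParse($IPAddress, [ref]$ip))) {
        throw "'$IPAddress' is not a valid IPv4 address."
    }
    if ($Mask -notmatch $dotted -or -not ([System.Net.IPAddress]::TryParse($Mask, [ref]$maskIp))) {
        throw "'$Mask' is not a valid IPv4 subnet mask."
    }
    # Turn the mask into a 32-character bit string (8 bits per octet).
    $bits = -join ($maskIp.GetAddressBytes() | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    # A real subnet mask is a run of ones followed by a run of zeros.
    if ($bits -notmatch '^1*0*$') {
        throw "'$Mask' is not a contiguous subnet mask."
    }
    $prefix = ($bits -replace '0', '').Length
    # A zero-length prefix matches every client and defeats the restriction.
    if ($prefix -eq 0) {
        throw "Mask 0.0.0.0 would allow every address."
    }
    # Compute the network address so the caller can see the range the entry really covers.
    $ipBytes = $ip.GetAddressBytes()
    $maskBytes = $maskIp.GetAddressBytes()
    $network = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }
    $networkAddress = $network -join '.'
    [PSCustomObject]@{
        ipAddress   = $IPAddress
        subnetMask  = $Mask
        Cidr        = "$networkAddress/$prefix"
        HostBitsSet = ($networkAddress -ne $ip.ToString())
    }
}

# Constructed sample values from the 203.0.113.0/24 documentation range.
Test-IPRestrictionInput -IPAddress '203.0.113.10' -Mask '255.255.255.255'
Test-IPRestrictionInput -IPAddress '203.0.113.10' -Mask '255.255.255.0'
```

When HostBitsSet is True, the entry covers the whole subnet shown in Cidr rather than the single address that was typed, which is worth confirming before calling Set-WebAppIPRestrictions.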

I hope it will be useful for some of you 😉
Enjoy!

2 thoughts on “Get and set Azure WebApp IP restrictions using PowerShell”

  1. Was a big help, but had to make mods to get it to work, probably because of newer API version? For me, with API version 2018-02-01, had to make following changes:

    1. Connect-AzureRmAccount instead of Login-AzureRmAccount
    2. Check for If (!(Get-AzureRmContext).Account)
    3. $webIP object is different, properties are ipAddress, action, tag, so
    $webIP = [PSCustomObject]@{ipAddress = ''; action = ''; tag = ''}
    action is usually 'Allow', tag is 'Default'
    4. ipAddress is in CIDR notation, do not use separate netmask.

  2. API Version 2018-02-01 seems to have broken the Set-WebAppIPRestrictions function, it’ll complain that IpSecurityRestriction.IpAddress is invalid when attempting the Set-AzureRmResource command.

    Change ‘.ApiVersions[0]’ to ‘.ApiVersions[1]’ to get it to use the previous API version.
