If you’re managing IP restrictions for an Azure App Service, you’ve likely encountered the need to add, update, or remove IP addresses for access control. Doing this manually can be cumbersome and prone to errors, especially when dealing with multiple environments or services. By using an Azure DevOps (ADO) pipeline, you can automate IP whitelisting, ensuring that changes are applied consistently.
In this guide, I’ll walk you through using the Azure CLI in an Azure DevOps pipeline to manage IP restrictions dynamically. We’ll set up a pipeline that:
- Accepts an IP address and rule name as parameters.
- Checks whether an IP restriction with the specified name already exists.
- Deletes the existing rule if found, then adds the new IP restriction with a specified priority.
Let's dive in!
Prerequisites
Before we get started, make sure you have:
- Azure CLI installed on your DevOps agent.
- Azure Service Connection in ADO, allowing access to your Azure subscription.
- Resource Group and App Service name where you plan to implement IP restrictions.
Step 1: Understanding the Azure CLI Commands
The Azure CLI provides straightforward commands for managing access restrictions. Here’s a quick breakdown:
Add an IP Restriction
This command adds an IP address to the list of allowed addresses for your app service, specifying a priority to manage the order of rules.
az webapp config access-restriction add \
  --resource-group <RESOURCE_GROUP> \
  --name <APP_SERVICE_NAME> \
  --rule-name <RULE_NAME> \
  --ip-address <IP_ADDRESS> \
  --priority <PRIORITY> \
  --action Allow
Remove an IP Restriction by Name
This command deletes an IP restriction by referencing the rule name.
az webapp config access-restriction remove \
  --resource-group <RESOURCE_GROUP> \
  --name <APP_SERVICE_NAME> \
  --rule-name <RULE_NAME>
Step 2: Setting Up the Azure DevOps Pipeline
Now, we’ll create an ADO pipeline that uses these CLI commands. This pipeline will take three parameters: ruleName, ipAddress, and priority. If a rule with the specified name already exists, it will be deleted before adding the new IP restriction.
Here’s the complete YAML file for the pipeline:
trigger: none

parameters:
  - name: ruleName
    displayName: 'Name of the IP Rule'
    type: string
    default: ''
  - name: ipAddress
    displayName: 'IP Address to Allow'
    type: string
    default: ''
  - name: priority
    displayName: 'Priority of the Rule'
    type: number # Corrected type from 'int' to 'number'
    default: 100

jobs:
  - job: ManageAppServiceIP
    displayName: 'Manage App Service IP Whitelisting'
    pool:
      vmImage: 'ubuntu-latest'
    steps:
      - task: AzureCLI@2
        displayName: 'Check and Update IP Restriction on App Service'
        inputs:
          azureSubscription: '<YOUR_AZURE_SERVICE_CONNECTION>'
          scriptType: bash
          scriptLocation: inlineScript
          inlineScript: |
            # Define variables
            RESOURCE_GROUP="<RESOURCE_GROUP>"
            APP_SERVICE_NAME="<APP_SERVICE_NAME>"
            RULE_NAME="${{ parameters.ruleName }}"
            IP_ADDRESS="${{ parameters.ipAddress }}"
            PRIORITY="${{ parameters.priority }}"

            echo "Checking if IP restriction rule exists for ${RULE_NAME}..."

            # Check if an IP rule with the specified name already exists
            # (variables are quoted so names containing spaces do not break the command)
            EXISTING_RULE=$(az webapp config access-restriction show \
              --resource-group "$RESOURCE_GROUP" \
              --name "$APP_SERVICE_NAME" \
              --query "ipSecurityRestrictions[?name=='$RULE_NAME']" \
              -o tsv)

            # If the rule exists, delete it
            if [[ -n "$EXISTING_RULE" ]]; then
              echo "Rule ${RULE_NAME} exists. Deleting existing rule..."
              az webapp config access-restriction remove \
                --resource-group "$RESOURCE_GROUP" \
                --name "$APP_SERVICE_NAME" \
                --rule-name "$RULE_NAME"
              echo "Existing rule ${RULE_NAME} deleted."
            else
              echo "No existing rule found for ${RULE_NAME}. Adding new rule."
            fi

            # Add the new IP restriction with the requested priority
            echo "Adding IP restriction for ${IP_ADDRESS} with name ${RULE_NAME} and priority ${PRIORITY}..."
            az webapp config access-restriction add \
              --resource-group "$RESOURCE_GROUP" \
              --name "$APP_SERVICE_NAME" \
              --rule-name "$RULE_NAME" \
              --ip-address "$IP_ADDRESS" \
              --priority "$PRIORITY" \
              --action Allow
            echo "IP restriction rule ${RULE_NAME} added successfully with priority ${PRIORITY}."
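Because the pipeline parameters are expanded straight into the inline script at template time, it is worth rejecting malformed values before they reach the shell and the CLI. The following is an added example (not code from the original post) that wraps the same "remove if present, then add" sequence in a POSIX shell script with input validation; the resource group and app name are placeholders and the rule-name and priority rules are conventions chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: validate the three pipeline inputs,
# then perform the same remove-then-add sequence against the Azure CLI.
set -eu

# Returns 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
is_ipv4_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  addr=${1%%/*}
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1   # regex allows 999; reject anything above 255
  done
}

# Rule names: letters, digits, '-' and '_', 1-64 chars (assumed convention, so the
# value is safe to pass through the shell and into the CLI unchanged).
is_rule_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,64}$'
}

# Priority: a positive integer (the post's pipeline defaults to 100).
is_priority() {
  printf '%s' "$1" | grep -Eq '^[1-9][0-9]{0,9}$'
}

# 0 only when every input is acceptable.
validate_inputs() {
  is_rule_name "$1" && is_ipv4_cidr "$2" && is_priority "$3"
}

# upsert_rule <resource-group> <app-name> <rule-name> <ip-or-cidr> <priority>
# Removes an existing rule of the same name, then adds the Allow rule.
upsert_rule() {
  rg=$1 app=$2 rule=$3 ip=$4 prio=$5
  validate_inputs "$rule" "$ip" "$prio" || { echo "invalid input" >&2; return 2; }
  existing=$(az webapp config access-restriction show \
    --resource-group "$rg" --name "$app" \
    --query "ipSecurityRestrictions[?name=='$rule'].name" -o tsv)
  if [ -n "$existing" ]; then
    az webapp config access-restriction remove \
      --resource-group "$rg" --name "$app" --rule-name "$rule"
  fi
  az webapp config access-restriction add \
    --resource-group "$rg" --name "$app" --rule-name "$rule" \
    --ip-address "$ip" --priority "$prio" --action Allow
}
```

Call it as `upsert_rule "<RESOURCE_GROUP>" "<APP_SERVICE_NAME>" "$RULE_NAME" "$IP_ADDRESS" "$PRIORITY"` from the pipeline step; an invalid input fails the step before any Azure change is made.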
Step 3: Fixing YAML Errors in ADO
When working with YAML files in ADO, you may encounter validation errors. For example, an error like "String does not match the pattern of ^boolean$" can indicate a parameter type mismatch.
In our case, the type of priority was initially set to int, whereas Azure DevOps expects number for numeric parameters. Changing it from int to number resolved the error:
- name: priority
  displayName: 'Priority of the Rule'
  type: number # Set type to 'number' instead of 'int'
  default: 100
Conclusion
Automating IP whitelisting for an Azure App Service saves time and reduces human error. By using an ADO pipeline, you ensure that IP restriction rules are managed consistently across environments. This setup is flexible, allowing you to update IP restrictions simply by providing new inputs when running the pipeline.
Tip: Consider adding notifications or approval steps in ADO if you’re managing critical IP whitelisting to prevent accidental overrides.
Happy automating!