Dynamic IP Restriction for App Services
Published Feb 04 2020 09:35 AM 11.2K Views
Microsoft

Azure App Services has an interesting feature, "Dynamic IP Restriction" which can be used for protection against attacks such as Distributed Denial of Service.

Restrictions can be imposed on the App Service, to deny access based on

  • The number of concurrent requests made.
  • The number of requests made in certain interval of time.

These settings can be configured either in the application web.config or applicationHost.xdt of the Azure App Service.

The Site Extension "Dynamic IP restriction for App Services" provides an User Interface to update the settings.


Steps to install the site extension:

  1. Navigate to the "Site Extensions" tab from the Kudu site of the App Service.
    clipboard_image_1.png
  2. Choose Gallery and search for "Dynamic"
    clipboard_image_0.png
  3. Click on "+" icon to install the extension.
    clipboard_image_1.png
  4. Restart the App Service post installation of the extension.
    clipboard_image_5.png

The following tags should be added in the <security> tag of the web.config file to setup Dynamic IP restriction

  • Based on the number of concurrent requests:
    • Configuration:
      <system.webServer> 
          <security> 
              <dynamicIpSecurity denyAction="Forbidden"> 
                  <denyByConcurrentRequests enabled="true" maxConcurrentRequests="5" /> 
              </dynamicIpSecurity > 
          </security> 
      </system.webServer>
    • User Interface :
       
       
       
       
      clipboard_image_27.png
  • Based on the number of requests received, in a specific interval of time:
    • Configuration:
      <system.webServer> 
          <security>
              <dynamicIpSecurity denyAction="Forbidden"> 
                  <denyByRequestRate enabled="true" maxRequests="2" requestIntervalInMilliseconds="200"/> 
              </dynamicIpSecurity >
          </security> 
      </system.webServer>
      
    • User Interface :
      clipboard_image_28.png

The error returned when the access to the App Service is restricted can be customized using the denyAction attribute of the dynamicIpSecurity element.

The following values can be set:

  • AbortRequest : returns HTTP status code 0
  • Unauthorized : returns HTTP status code 401
  • Forbidden       : returns HTTP status code 403 (default setting)
  • NotFound       : returns HTTP status code 404

clipboard_image_29.png

Please note that the sub-status code for the request will be 502 if the request goes through Dynamic IP restrictions.

Example :

 

<system.webServer> 
    <security>
        <dynamicIpSecurity denyAction="NotFound"> 
            <denyByRequestRate enabled="true" maxRequests="2" requestIntervalInMilliseconds="20"/> 
        </dynamicIpSecurity > 
    </security> 
</system.webServer>

 

clipboard_image_30.png

When the above snippet is used, and the App Service receives more than 2 requests from the same IP address in an interval of 20 milliseconds, we receive the response HTTP 404 “Not found”

clipboard_image_32.png

From Webserver Logs, we can see that the sub-status code is 502

clipboard_image_33.png

It is also possible to just monitor the request without actually performing the action on the request.

To achieve this set enableLoggingOnlyMode to True , in dynamicIpSecurity element.

 

<system.webServer> 
    <security> 
        <dynamicIpSecurity enableLoggingOnlyMode="true" > 
            <denyByRequestRate enabled="true" maxRequests="2" requestIntervalInMilliseconds="10000"/> 
        </dynamicIpSecurity >
    </security> 
</system.webServer>

 

clipboard_image_34.png

We observe that the status and sub-status code for the requests as HTTP 200.502

clipboard_image_35.png

Note:

  • The Site Extension considers the Dynamic IP Restrictions configured in web.config file and applicationHost.xdt file.
  • The changes made through the User Interface are reflected in applicationHost.xdt file only and would require a restart of the App Service.
1 Comment
Version history
Last update:
‎Aug 24 2020 12:39 PM
Updated by: