You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/overview-access-restrictions.md
+51-2Lines changed: 51 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,11 +21,60 @@ If the traffic is sent through the default endpoint (often a public endpoint), t
21
21
22
22
## App access
23
23
24
-
If the setting has never been configured, the default behavior is to enable access unless a private endpoint exists after which it will be disabled. You have the ability to explicitly configure this behavior.
25
-
24
+
App access allows you to configure if access is available thought the default (public) endpoint. If the setting has never been configured, the default behavior is to enable access unless a private endpoint exists after which it will be implicitly disabled. You have the ability to explicitly configure this behavior to either enabled or disabled even if private endpoints exist.
26
25
27
26
## Site access
28
27
28
+
Site access restrictions let you filter the incoming requests. Site access restrictions allows you to build a list of allow and deny rules that are evaluated in priority order. It's similar to the network security group (NSG) feature in Azure networking. You can also configure the behavior when no rules are matched (the default action). If the setting has never been configured, the unmatched rule behavior is to allow all access unless one or more rules exists after which it will be implicitly changed to deny all access. You can explicitly configure this behavior to either allow or deny access regardless of defined rules.
29
+
30
+
Site access restriction has several types of rules that you can apply:
31
+
32
+
### IP-based restriction rules
33
+
34
+
The IP-based access restrictions feature helps when you want to restrict the IP addresses that can be used to reach your app. Both IPv4 and IPv6 are supported. Some use cases for this feature:
35
+
* Restrict access to your app from a set of well-defined addresses.
36
+
* Restrict access to traffic coming through an external load-balancing service or other network appliances with known egress IP addresses.
37
+
38
+
To learn how to enable this feature, see [Configuring access restrictions][iprestrictions].
39
+
40
+
> [!NOTE]
41
+
> IP-based access restriction rules only handle virtual network address ranges when your app is in an App Service Environment. If your app is in the multi-tenant service, you need to use [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md) to restrict traffic to select subnets in your virtual network.
42
+
43
+
### Restriction rules based on service endpoints
44
+
45
+
Service endpoints allow you to lock down *inbound* access to your app so that the source address must come from a set of subnets that you select. This feature works together with IP access restrictions. Service endpoints aren't compatible with remote debugging. If you want to use remote debugging with your app, your client can't be in a subnet that has service endpoints enabled. The process for setting service endpoints is similar to the process for setting IP access restrictions. You can build an allow/deny list of access rules that includes public addresses and subnets in your virtual networks.
46
+
47
+
> [!NOTE]
48
+
> Access restriction rules based on service endpoints are not supported on apps that use IP-based SSL ([App-assigned address](#app-assigned-address)).
49
+
50
+
Some use cases for this feature:
51
+
52
+
* Set up an application gateway with your app to lock down inbound traffic to your app.
53
+
* Restrict access to your app to resources in your virtual network. These resources can include VMs, ASEs, or even other apps that use virtual network integration.
54
+
55
+
56
+
57
+
To learn more about configuring service endpoints with your app, see [Azure App Service access restrictions][serviceendpoints].
58
+
59
+
### Restriction rules based on service tags
60
+
61
+
[Azure service tags][servicetags] are well defined sets of IP addresses for Azure services. Service tags group the IP ranges used in various Azure services and is often also further scoped to specific regions. This allows you to filter *inbound* traffic from specific Azure services.
62
+
63
+
For a full list of tags and more information, visit the service tag link above.
64
+
To learn how to enable this feature, see [Configuring access restrictions][iprestrictions].
65
+
66
+
#### Http header filtering for site access restriction rules
67
+
68
+
For each rule, you can add additional http header filtering. This allows you to further inspect the incoming request and filter based on specific http header values. Each header can have up to eight values per rule. The following list of http headers is currently supported:
69
+
* X-Forwarded-For
70
+
* X-Forwarded-Host
71
+
* X-Azure-FDID
72
+
* X-FD-HealthProbe
73
+
74
+
Some use cases for http header filtering are:
75
+
* Restrict access to traffic from proxy servers forwarding the host name
76
+
* Restrict access to a specific Azure Front Door instance with a service tag rule and X-Azure-FDID header restriction
0 commit comments