articles/app-service/overview-access-restrictions.md
Lines changed: 14 additions & 12 deletions
@@ -23,9 +23,15 @@ If the traffic is sent through the default endpoint (often a public endpoint), t
23
23
24
24
App access allows you to configure if access is available thought the default (public) endpoint. If the setting has never been configured, the default behavior is to enable access unless a private endpoint exists after which it will be implicitly disabled. You have the ability to explicitly configure this behavior to either enabled or disabled even if private endpoints exist.
25
25
26
+
:::image type="content" source="media/overview-access-restrictions/app-access-portal.png" alt-text="Screenshot of app access option in Azure portal":::
27
+
26
28
## Site access
27
29
28
-
Site access restrictions let you filter the incoming requests. Site access restrictions allows you to build a list of allow and deny rules that are evaluated in priority order. It's similar to the network security group (NSG) feature in Azure networking. Site access restriction has several types of rules that you can apply:
30
+
Site access restrictions let you filter the incoming requests. Site access restrictions allows you to build a list of allow and deny rules that are evaluated in priority order. It's similar to the network security group (NSG) feature in Azure networking.
31
+
32
+
:::image type="content" source="media/overview-access-restrictions/site-access-portal.png" alt-text="Screenshot of site access options in Azure portal":::
33
+
34
+
Site access restriction has several types of rules that you can apply:
29
35
30
36
### Unmatched rule
31
37
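Review bot: The added sentence at new line 30 keeps the agreement error "Site access restrictions allows you"; since the paragraph is being split anyway, change it to "allow you". The unchanged context at line 24, directly above the new app-access screenshot, still reads "available thought the default (public) endpoint" and should say "through". That sentence describes when public access is implicitly disabled, so it is worth fixing in the same commit. Both new image lines also carry alt-text with no closing period ("Screenshot of app access option in Azure portal"); end each with a period for consistency.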
@@ -52,30 +58,26 @@ Service endpoints allow you to lock down *inbound* access to your app so that th
52
58
53
59
To learn more about configuring service endpoints with your app, see [Azure App Service access restrictions](../virtual-network/virtual-network-service-endpoints-overview.md).
54
60
61
+
#### Any service endpoint source
62
+
63
+
For testing or in very specific scenarios, you may want to allow traffic from any service endpoint enabled subnet. You can do that by defining an IP-based rule with the text "AnyVnets" instead of an IP range. You cannot create these rules in the portal, but you can modify an existing IP-based rule and replace the IP address with the "AnyVnets" string.
64
+
55
65
### Access restriction rules based on service tags
56
66
57
67
[Azure service tags](../virtual-network/service-tags-overview.md) are well defined sets of IP addresses for Azure services. Service tags group the IP ranges used in various Azure services and is often also further scoped to specific regions. This allows you to filter *inbound* traffic from specific Azure services.
58
68
59
69
For a full list of tags and more information, visit the service tag link above.
60
70
To learn how to enable this feature, see [Configuring access restrictions](./app-service-ip-restrictions.md).
61
71
62
-
### Advanced access restriction rule types
63
-
64
-
These rule types solves a few very specific use cases.
65
-
66
-
#### Any service endpoint source
67
-
68
-
For testing or in very specific scenarios, you may want to allow traffic from any service endpoint enabled subnet. You can do that by defining an IP-based rule with the text "AnyVnets" instead of an IP range. You cannot create these rules in the portal, but you can modify an existing IP-based rule and replace the IP address with the "AnyVnets" string.
69
-
70
-
#### Multi-source rules
72
+
### Multi-source rules
71
73
72
74
Multi-source rules allow you to combine up to eight IP ranges or eight Service Tags in a single rule. You might use this if you have more than 512 IP ranges or you want to create logical rules where multiple IP ranges are combined with a single http header filter.
73
75
74
76
Multi-source rules are defined the same way you define single-source rules, but with each range separated with comma.
75
77
76
78
You cannot create these rules in the portal, but you can modify an existing service tag or IP-based rule and add additional sources to the rule.
77
79
78
-
####Http header filtering for site access restriction rules
80
+
### Http header filtering for site access restriction rules
79
81
80
82
For any rule, regardless of type, you can add additional http header filtering. This allows you to further inspect the incoming request and filter based on specific http header values. Each header can have up to eight values per rule. The following lists the supported http headers:
81
83
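Review bot: Moving "Any service endpoint source" to new lines 61-63 drops the "Advanced access restriction rule types" heading and its intro sentence, so the "AnyVnets" rule now reads as a routine part of the service endpoint section even though the paragraph itself says it is "for testing or in very specific scenarios". Suggest the paragraph spell out what "any service endpoint enabled subnet" covers (for example, whether it is limited to subnets in your own subscription) and advise replacing the rule with specific subnet rules once testing is done. In the promoted headings, line 80 fixes the missing space after the hashes but keeps "Http"; use "HTTP" there and in the body text at line 82. The context at line 74 cites "more than 512 IP ranges" without saying that 512 is a limit on the number of rules, which leaves the motivation for multi-source rules unclear.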
@@ -90,7 +92,7 @@ Some use cases for http header filtering are:
90
92
91
93
## Advanced use cases
92
94
93
-
A few use cases are worth pointing out.
95
+
Combining the above features allow you to solve some specific use cases that are described in the following sections.
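Review bot: The replacement sentence at new line 95 has a subject-verb mismatch: "Combining the above features allow you" should be "allows you", because the subject is the gerund "Combining". "The above features" is also vague at this point in the article; naming them (app access, site access rules, HTTP header filtering) would tell the reader which settings the advanced use cases build on.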