By Mike Evans-Larah, Software Engineer III
Restrict access to Azure Websites by accept-listing

By utilising the IP and Domain Restrictions feature in IIS (available since IIS7), it is possible to lock down your Azure Website to only allow access to IP addresses and domains that you have specified in an accept-list.

To allow a single IPv4 address, add the following node to your web.config:

To allow access from a domain, you must enable reverse DNS lookup:

Be aware, though, that enabling the reverse DNS lookup will slow down requests and use up more resources, so it is not recommended for production sites.
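
As an added example (not the post's original markup), a web.config fragment using the IIS `ipSecurity` section that covers both cases above, a single IPv4 address and a domain with reverse DNS lookup enabled. The address `203.0.113.10` and the domain `example.com` are placeholders.

```xml
<!-- Added example with placeholder values; not the post's original snippet. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": any client not matched by an <add> entry is denied.
           enableReverseDns="true" is only needed for the domainName entry below;
           omit it if you list IP addresses only. -->
      <ipSecurity allowUnlisted="false" enableReverseDns="true">
        <!-- Allow a single IPv4 address (placeholder from the documentation range). -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- Allow clients whose reverse DNS lookup resolves to this domain (placeholder). -->
        <add domainName="example.com" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```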

It is also possible to use the IP security configuration to blacklist specific IP addresses/domains by setting the 'allowed' attribute to 'false'. See the iis.net documentation for a full list of available options.

Another thing to note is that if you try running the website locally with any of these configurations, you may see the following error:

"This configuration section cannot be used at this path. This happens when the section is locked at a parent level"

If you only require the whitelisting when deployed, then you can get around this by adding the configuration to the web.config.release transformation file instead of the web.config. This way the configuration will not be included when running locally in debug mode, but will automatically be added to the release configuration when deploying to Azure Websites.

@MikeLarah

Mike is a Software Engineer at endjin with over a decade of experience in solving business problems with technology. He has worked on a wide range of projects for clients across industries such as financial services, recruitment, and retail, with a strong focus on Azure technologies.