Note: This will not work with a Blazor Client app because the call to the web api will be from the browser of the client.

By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit deny all exists at the end of the list.

When a request is made to your app, the FROM address is evaluated against the rules in your access restriction list. If the FROM address is in a subnet that’s configured with service endpoints to Microsoft.Web, the source subnet is compared against the virtual network rules in your access restriction list. If the address isn’t allowed access based on the rules in the list, the service replies with an HTTP 403 status code.

The access restriction capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, access restrictions are effectively network access-control lists (ACLs).

The ability to restrict access to your web app from an Azure virtual network is enabled by service endpoints. With service endpoints, you can restrict access to a multi-tenant service from selected subnets. It doesn’t work to restrict traffic to apps that are hosted in an App Service Environment. If you’re in an App Service Environment, you can control access to your app by applying IP address rules.

Manage access restriction rules in the portal

To add an access restriction rule to your app, do the following:

  1. Sign in to the Azure portal.
  2. On the left pane, select Networking.
  3. On the Networking pane, under Access Restrictions, select Configure Access Restrictions.
  4. On the Access Restrictions page, review the list of access restriction rules that are defined for your app.The list displays all the current restrictions that are applied to the app. If you have a virtual network restriction on your app, the table shows whether the service endpoints are enabled for Microsoft.Web. If no restrictions are defined on your app, the app is accessible from anywhere.

Add an access restriction rule

To add an access restriction rule to your app, on the Access Restrictions pane, select Add rule. After you add a rule, it becomes effective immediately.

Rules are enforced in priority order, starting from the lowest number in the Priority column. An implicit deny all is in effect after you add even a single rule.

On the Add Access Restriction pane, when you create a rule, do the following:

  1. Under Action, select either Allow or Deny.
  2. Optionally, enter a name and description of the rule.
  3. In the Priority box, enter a priority value.
  4. In the Type drop-down list, select the type of rule.

The different types of rules are described in the following sections.

Set an IP address-based rule

Follow the procedure as outlined in the preceding section, but with the following addition:

  • For step 4, in the Type drop-down list, select IPv4 or IPv6.

Specify the IP Address Block in Classless Inter-Domain Routing (CIDR) notation for both the IPv4 and IPv6 addresses. To specify an address, you can use something like, where the first four octets represent your IP address and /32 is the mask. The IPv4 CIDR notation for all addresses is To learn more about CIDR notation, see Classless Inter-Domain Routing.


Last modified: May 22, 2021



Write a Reply or Comment