Geeks With Blogs
Confessions of an Evangelist

An interesting question today about securing Cloud Services in Windows Azure: basically, how do we restrict who has access to our service? The confusion comes from the two types of endpoints available in the Service Definition. InputEndpoints are publicly visible and may be load balanced. InternalEndpoints are hosted on the 10.x.x.x subnet and are visible only to other roles in our service definition.

Restricting by IP address requires that we add a Startup section to the service definition file to unlock the ipSecurity section of the web.config file, and then add the addresses we want to allow or deny. When the service deploys and starts up it will run the cmd file. Inside the cmd file (startup.cmd) we add a script with two commands like this:

UPDATE: added the PowerShell command to add the feature to IIS

    REM Install the IIS "IP and Domain Restrictions" feature that provides ipSecurity
    PowerShell Install-WindowsFeature -Name Web-IP-Security
    REM Unlock the ipSecurity section so the application's web.config may set it
    %windir%\system32\inetsrv\AppCmd.exe unlock config /section:system.webServer/security/ipSecurity

Add it to our project and mark the file to copy always during deployments (in the properties of the file). Then in the service definition file for the Cloud Service add a Startup Task to run the cmd file in an elevated mode:

    <Task commandLine="startup\startup.cmd" executionContext="elevated" />

Then in the web.config file add a section under system.webServer that opens up the IPs we want to allow.

    <system.webServer>
        <security>
            <!-- Unlisted IP addresses are denied access -->
            <ipSecurity allowUnlisted="false">
                <!-- The following IP addresses are granted access -->
                <add allowed="true" ipAddress="" />
                <add allowed="true" ipAddress="" />
            </ipSecurity>
        </security>
    </system.webServer>
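An added offline checker, not from the original post, that parses a web.config fragment like the one above and reports which client addresses the ipSecurity allow list would admit, while flagging the two mistakes that are easiest to deploy: the blank ipAddress placeholders and allowUnlisted left at its default of true. Assumptions: the sample addresses are constructed documentation-range values; subnetMask is the IIS attribute (defaulting to a single host); and a matching deny entry is treated as decisive, which is this checker's conservative simplification rather than a statement of IIS's precedence rules.

```python
"""Offline checker for an IIS <ipSecurity> allow list like the one in this post."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the post's fragment with the blank ipAddress placeholders
# filled in using documentation-range addresses (not real service addresses).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <!-- Unlisted IP addresses are denied access -->
      <ipSecurity allowUnlisted="false">
        <add allowed="true" ipAddress="203.0.113.10" />
        <add allowed="true" ipAddress="198.51.100.0" subnetMask="255.255.255.0" />
        <add allowed="false" ipAddress="198.51.100.200" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>"""


def load_rules(web_config_xml):
    """Return (allow_unlisted, rules, problems); rules are (ip_network, allowed)."""
    sec = next(ET.fromstring(web_config_xml).iter("ipSecurity"), None)
    if sec is None:
        return True, [], ["no ipSecurity section: nothing is restricted"]
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules, problems = [], []
    if allow_unlisted:
        problems.append('allowUnlisted="true": unlisted clients are still admitted')
    for add in sec.findall("add"):
        ip = add.get("ipAddress", "")
        if not ip:  # the post's fragment ships with ipAddress="" placeholders
            problems.append("<add> with an empty ipAddress: fill in the address")
            continue
        mask = add.get("subnetMask", "255.255.255.255")  # IIS default: one host
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        rules.append((net, add.get("allowed", "true").lower() == "true"))
    if not allow_unlisted and not any(ok for _, ok in rules):
        problems.append("allowUnlisted is false with no allow entries: every client is denied")
    return allow_unlisted, rules, problems


def is_allowed(client_ip, allow_unlisted, rules):
    """Verdict for one client: any matching deny entry wins (conservative
    simplification, assumed here); no match falls through to allowUnlisted."""
    addr = ipaddress.ip_address(client_ip)
    verdicts = [allowed for net, allowed in rules if addr in net]
    return all(verdicts) if verdicts else allow_unlisted
```

Run it against the real web.config before packaging the role; a non-empty problems list means the deployed allow list will not do what the comments say.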

Alternatively, we could use InternalEndpoints if communication will only be between roles in our service.


Posted on Monday, August 26, 2013 4:15 PM

Copyright © Mike Benkovich