Azure App Service access restrictions

Access restrictions let you define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit "deny all" exists at the end of the list.

The access restrictions capability works with all App Service hosted workloads, including web apps, API apps, Linux apps, Linux container apps, and Functions.

When a request is made to your app, the FROM address is evaluated against the IP address rules in your access restrictions list. If the address is not allowed access based on the rules in the list, the service replies with an HTTP 403 status code.

The access restrictions capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, access restrictions are effectively network ACLs.

If you are in an App Service Environment, you can control access to your app with IP address rules.

[Figure: access restrictions flow]

Adding and editing access restriction rules in the portal

To add an access restriction rule to your app, use the menu to open Network > Access Restrictions and click Configure Access Restrictions.

[Figure: App Service networking options]

From the Access Restrictions UI, you can review the list of access restriction rules defined for your app.

[Screenshot: the Access Restrictions screen in the Azure portal, showing the list of access restriction rules defined for the selected app]

The list shows all of the current restrictions on your app. When there are no defined restrictions on your app, your app is accessible from anywhere.

Adding IP address rules

You can click [+] Add rule to add a new access restriction rule. Once you add a rule, it becomes effective immediately. Rules are enforced in priority order, starting from the lowest number and going up. There is an implicit deny all that is in effect once you add even a single rule.

When creating a rule, you must select allow/deny and also the type of rule. You are also required to provide the priority value and what you are restricting access to. You can optionally add a name and description to the rule.

[Figure: adding an IP access restriction rule]

To set an IP address based rule, select a type of IPv4 or IPv6. IP address notation must be specified in CIDR notation for both IPv4 and IPv6 addresses. To specify an exact address, you can use something like 1.2.3.4/32, where the first four octets represent your IP address and /32 is the mask. The IPv4 CIDR notation for all addresses is 0.0.0.0/0. To learn more about CIDR notation, you can read Classless Inter-Domain Routing.

Managing access restriction rules

You can click on any row to edit an existing access restriction rule. Edits are effective immediately, including changes in priority ordering.

[Screenshot: the Edit IP Restriction dialog in the Azure portal, showing the fields of an existing access restriction rule]

To delete a rule, click the ... on your rule and then click Remove.

[Figure: deleting an access restriction rule]

Blocking a single IP address

When adding your first IP restriction rule, the service adds an explicit Deny all rule with a priority of 2147483647. In practice, the explicit Deny all rule is the last rule executed and blocks access from any IP address that is not explicitly allowed by an Allow rule.

For the scenario where you want to explicitly block a single IP address or IP address block but allow everything else, it is necessary to add an explicit Allow All rule, with a lower priority number than the Deny all rule, after the Deny rule for the blocked address.
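As an added example (not code from the Azure documentation), the rule evaluation described above simulated in Python over the ipSecurityRestrictions shape used later on this page: rules are matched in ascending priority, the first CIDR match decides, and the service-added Deny all at priority 2147483647 catches everything else. The rule names and sample addresses are constructed for the illustration.

```python
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

# Priority of the explicit "Deny all" rule the service appends once any rule exists (from the page).
DENY_ALL_PRIORITY = 2147483647


def evaluate(from_ip: str, rules: List[Dict[str, Any]]) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, name of the deciding rule) as the front end would answer.

    Rules use the ipSecurityRestrictions JSON shape from this page. With no rules the app is
    open from anywhere; with one or more rules the first match in ascending priority decides,
    and the trailing Deny all rule applies when nothing else matches.
    """
    if not rules:
        return 200, None
    addr = ipaddress.ip_address(from_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = ipaddress.ip_network(rule["ipAddress"], strict=False)
        # An IPv4 rule never matches an IPv6 client and vice versa.
        if addr.version == net.version and addr in net:
            return (200 if rule["action"] == "Allow" else 403), rule["name"]
    return 403, "Deny all"  # the service-added rule at priority DENY_ALL_PRIORITY


def block_single_ip(blocked_cidr: str) -> List[Dict[str, Any]]:
    """Rule set for 'block one address, allow everything else' (constructed names).

    The Deny rule must carry a lower priority number than the explicit Allow All so it is
    evaluated first; the service's Deny all still sits behind both.
    """
    return [
        {"ipAddress": blocked_cidr, "action": "Deny", "priority": 100, "name": "Block one address"},
        {"ipAddress": "0.0.0.0/0", "action": "Allow", "priority": 200, "name": "Allow all"},
    ]


# The single Allow rule from the page's CLI/PowerShell/JSON example: an allowlist for one /24.
PAGE_ALLOW_RULES = [
    {"ipAddress": "122.133.144.0/24", "action": "Allow", "priority": 100, "name": "IP example rule"}
]

if __name__ == "__main__":
    rules = block_single_ip("1.2.3.4/32")
    print(evaluate("1.2.3.4", rules))  # blocked by the Deny rule
    print(evaluate("1.2.3.5", rules))  # reaches the Allow all rule
    print(evaluate("203.0.113.9", PAGE_ALLOW_RULES))  # not allowlisted, so Deny all
```

Swapping the two priorities in block_single_ip puts Allow all first, and the Deny rule is then never reached, which is why ordering matters as much as the rules themselves.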

[Figure: blocking a single IP address]

SCM site

In addition to controlling access to your app, you can also restrict access to the scm site used by your app. The scm site is the web deploy endpoint and also the Kudu console. You can assign access restrictions to the scm site separately from the app, or use the same set for both the app and the scm site. When you check the box to use the same restrictions as your app, everything is blanked out. If you uncheck the box, whatever settings you had earlier on the scm site are applied.

[Screenshot: the Access Restrictions screen in the Azure portal, showing no access restrictions set for the scm site or the app]

Programmatic manipulation of access restriction rules

Azure CLI and Azure PowerShell support editing access restrictions. Example of adding an access restriction using Azure CLI:

az webapp config access-restriction add --resource-group ResourceGroup --name AppName \
    --rule-name 'IP example rule' --action Allow --ip-address 122.133.144.0/24 --priority 100

Example of adding an access restriction using Azure PowerShell:

Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroup" -WebAppName "AppName" `
    -Name "Ip example rule" -Priority 100 -Action Allow -IpAddress 122.133.144.0/24

Values can also be set manually with an Azure REST API PUT operation on the app configuration in Resource Manager, or by using an Azure Resource Manager template.

The location for this information in Resource Manager is:

management.chinacloudapi.cn/subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.Web/sites/{web app name}/config/web?api-version=2018-02-01

The JSON syntax for the earlier example is:

{
  "properties": {
    "ipSecurityRestrictions": [
      {
        "ipAddress": "122.133.144.0/24",
        "action": "Allow",
        "priority": 100,
        "name": "IP example rule"
      }
    ]
  }
}

Azure Functions access restrictions

Access restrictions are also available for function apps, with the same functionality as App Service plans. Enabling access restrictions disables the portal code editor for any disallowed IPs.

Next steps

Access restrictions for Azure Functions

Application Gateway integration with service endpoints