Web App Service networking field-manual-complete field-manual-complete

App Service access restriction

App Service access restriction is the rule list that decides which inbound clients are allowed to reach a web app before the request reaches your code. It is useful when an app should only accept traffic from Front Door, Application Gateway, a corporate IP range, a build agent, or a VNet subnet. It is not user authentication and it does not replace private endpoints or WAF. It is a practical first gate for reducing accidental public exposure on App Service apps and SCM/Kudu endpoints.

Back to glossary browser Open Microsoft Learn source
Aliases
access restriction, app service access restriction
Difficulty
intermediate
CLI mappings
5
Last verified
2026-05-30

Microsoft Learn

Microsoft Learn describes App Service access restrictions as inbound filtering rules for an app. The rules work like an App Service firewall, using priority-ordered allow or deny entries for IP ranges, service tags, headers, or virtual network subnets before requests reach application code.

Microsoft Learn: Azure App Service access restrictions2026-05-30

Technical context

Technically, access restrictions are part of the App Service site configuration. Rules are evaluated by priority for the main site and, separately or together, for the SCM/Kudu site. A rule can allow or deny traffic by IP range, service tag, virtual network subnet with service endpoints, or supported headers. When rules exist, unmatched public traffic is denied by the implicit final rule. Access restrictions apply to inbound public endpoints; traffic arriving through a private endpoint follows private endpoint behavior instead.

Why it matters

Access restrictions matter because many App Service apps are reachable from the public internet by default even when their intended callers are narrow. A partner API, internal admin portal, staging slot, webhook receiver, or deployment endpoint may not need open inbound access. Correct restrictions reduce scanning noise, block accidental callers, protect SCM/Kudu, and force traffic through approved inspection paths such as Front Door or Application Gateway. The feature also matters during incidents: operators can quickly narrow inbound sources without redeploying code. Misconfigured rules, however, can block health probes, release pipelines, partner callbacks, or support access, so every rule needs an owner and test path.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the App Service portal, access restrictions appear under Networking, showing rule names, priorities, actions, IP ranges, service tags, headers, and SCM settings for review.

Signal 02

In Azure CLI output, access restrictions appear as arrays of ipSecurityRestrictions and scmIpSecurityRestrictions with priority, action, tag, name, and description fields for each reviewed rule.

Signal 03

In incidents and logs, misconfigured restrictions often surface as sudden HTTP 403 responses from expected clients, probes, webhooks, build agents, or upstream gateways during troubleshooting.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Force an App Service app to accept traffic only from Azure Front Door, Application Gateway, or another approved ingress layer.
  • Limit staging slots, admin tools, partner APIs, or internal dashboards to corporate IP ranges or approved build agents.
  • Protect the SCM/Kudu deployment endpoint separately so public application access does not imply public deployment access.
  • Apply a fast incident containment rule that narrows inbound sources while engineers investigate suspicious traffic.
  • Validate migration from public exposure toward private endpoint or proxy-based ingress without breaking legitimate callers.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Front Door-only SaaS onboarding API

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A subscription billing SaaS exposed a customer onboarding API directly on App Service while also routing normal traffic through Azure Front Door with WAF. Security testing showed scanners could still hit the origin hostname.

Business/Technical Objectives
  • Block direct public access to the App Service origin endpoint.
  • Preserve Front Door health probes and customer onboarding traffic.
  • Protect the SCM endpoint from unmanaged internet access.
  • Produce clear evidence for enterprise customer security reviews.
Solution Using App Service access restriction

Engineers redesigned ingress around App Service access restriction rules. The app allowed Azure Front Door backend traffic with a validated header condition and denied unmatched public callers through the implicit final rule. SCM restrictions were configured separately for the release pipeline and a small operations subnet. The team exported the rule list with Azure CLI before and after the change, then tested direct origin access, Front Door access, deployment, and health probes. WAF remained responsible for request inspection, while access restrictions ensured the origin was no longer a bypass path around the approved edge.

Results & Business Impact
  • Direct origin scans dropped from thousands of daily hits to denied 403 responses within one hour.
  • Front Door health probes stayed green across all production regions after rollout.
  • SCM access was limited to two managed pipeline sources and one break-glass subnet.
  • Security questionnaire response time for origin-protection evidence fell from two days to thirty minutes.
Key Takeaway for Glossary Readers

Access restrictions are a practical way to make an App Service origin trust only the intended ingress layer.

Case study 02

Construction bid portal staging lockdown

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A construction management firm used deployment slots for a bid portal, but staging URLs were searchable and occasionally shared with subcontractors before estimates were finalized. A mistaken staging visit exposed draft project numbers.

Business/Technical Objectives
  • Restrict staging slot access to corporate offices and approved QA agents.
  • Keep production bidding traffic unaffected during slot testing.
  • Prevent SCM access from being broader than the staging application endpoint.
  • Create a repeatable pre-swap access validation checklist.
Solution Using App Service access restriction

The platform owner applied App Service access restriction rules to the staging slot only. Corporate egress CIDRs and the QA automation subnet were allowed with explicit priorities, while other public traffic hit the implicit deny. The SCM site used the same restrictions so deployment credentials did not become an alternate path. Azure CLI commands exported slot-specific rules into the release checklist, and QA tests verified allowed and denied access before every swap. Production kept its existing public ingress through Application Gateway, avoiding unnecessary change to active bidder traffic.

Results & Business Impact
  • Unauthorized staging visits fell to zero in the next two bid cycles.
  • Pre-swap validation time increased by only seven minutes because the checks were scripted.
  • The next slot swap completed without changing production access rules.
  • Internal audit accepted the slot-specific rule export as evidence for controlled pre-release access.
Key Takeaway for Glossary Readers

Access restrictions can protect staging and SCM surfaces without forcing a risky redesign of production ingress.

Case study 03

Donation platform incident containment

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A nonprofit donation platform saw a burst of suspicious POST traffic against an App Service endpoint during a televised campaign. The team needed to reduce exposure without breaking the payment provider callback path.

Business/Technical Objectives
  • Narrow inbound traffic within fifteen minutes of incident declaration.
  • Keep payment provider callbacks and campaign landing pages online.
  • Capture evidence for the post-incident security review.
  • Remove temporary exceptions after traffic returned to normal.
Solution Using App Service access restriction

Responders used App Service access restriction rules as a containment lever. They listed existing rules, added a temporary deny for the offending CIDR range, and allowed the known payment provider source with higher priority. They tested the campaign page through the CDN and verified the callback URL from the provider sandbox. CLI output was saved with timestamps in the incident record. After the campaign window, the team removed the temporary rule, added an owner and expiry requirement to the runbook, and moved longer-term bot protection work to the edge WAF backlog.

Results & Business Impact
  • Suspicious POST traffic reaching application code dropped 93 percent during the incident window.
  • Donation completion rate stayed above 98 percent while containment was active.
  • Evidence collection required four commands instead of manual portal screenshots.
  • No emergency allow or deny rule remained after the next-day cleanup review.
Key Takeaway for Glossary Readers

Access restrictions are valuable when administrative App Service apps need a practical network boundary during fast-moving incidents.

Why use Azure CLI for this?

After years of App Service operations, I use Azure CLI for access restrictions because rule order, SCM behavior, and slot differences are easy to miss in the portal. CLI lets me list the exact rule set, capture priorities, add a temporary deny or allow rule, and compare production with staging before traffic moves. During incidents, I can run the same command from a runbook instead of hunting through blades. For audits, JSON output proves which IP ranges, service tags, and subnets were allowed at a point in time. That evidence is much stronger than a screenshot and easier to review.

CLI use cases

  • List the current main-site and SCM access restriction rules before a release, audit, or incident response change.
  • Add a priority-ordered allow rule for a corporate CIDR, service tag, Front Door header condition, or VNet subnet.
  • Remove expired emergency rules and export the cleaned rule set as evidence for security review.
  • Compare production and staging slots to catch drift before a slot swap exposes or blocks traffic unexpectedly.
  • Set SCM restrictions deliberately so deployment endpoints follow the same or a stricter access model.

Before you run CLI

  • Confirm tenant, subscription, resource group, app name, and slot because similar App Service names often exist across environments.
  • Identify the caller source: IP range, service tag, subnet, proxy header, Front Door ID, health probe, or deployment agent path.
  • Check current priorities first; a lower numeric priority is evaluated earlier and can override the rule you intend to add.
  • Decide whether the change affects the main site, the SCM site, or both, and prepare a rollback command.
  • Treat deny or remove operations as outage-risk changes and test from allowed and denied networks immediately afterward.

What output tells you

  • Rule names, priorities, actions, and source values show which clients are allowed or denied and in what order.
  • scmIpSecurityRestrictions fields reveal whether the deployment endpoint is protected separately or mirrors the main app.
  • Unmatched traffic behavior explains why adding one rule can create an implicit deny for other public callers.
  • Service tag, subnet, and header properties show whether the app expects traffic from a proxy, VNet, or direct IP range.
  • A 403 after a rule change usually means the request did reach App Service but failed the ingress filter.

Mapped Azure CLI commands

App Service access restriction CLI commands

direct-or-adjacent
az webapp config access-restriction show --name <app-name> --resource-group <resource-group>
az webapp config access-restrictiondiscoverWeb
read-only Microsoft docs
az webapp config access-restriction add --name <app-name> --resource-group <resource-group> --rule-name <rule-name> --action Allow --ip-address <cidr> --priority <priority>
az webapp config access-restrictionconfigureWeb
mutating Microsoft docs
az webapp config access-restriction add --name <app-name> --resource-group <resource-group> --rule-name <rule-name> --action Allow --service-tag AzureFrontDoor.Backend --priority <priority>
az webapp config access-restrictionconfigureWeb
mutating Microsoft docs
az webapp config access-restriction remove --name <app-name> --resource-group <resource-group> --rule-name <rule-name>
az webapp config access-restrictionremoveWeb
mutating Microsoft docs
az webapp config access-restriction set --name <app-name> --resource-group <resource-group> --use-same-restrictions-for-scm-site true
az webapp config access-restrictionconfigureWeb
mutating Microsoft docs

Architecture context

Architecturally, App Service access restriction sits at the application ingress boundary. I use it as one layer in a broader design that may include custom domains, TLS, Front Door, WAF, private endpoints, managed identity, and application authentication. The key question is not merely who can sign in; it is who can reach the app at all. For internet-facing apps, restrictions often allow only the reverse proxy or WAF path. For internal apps, they may allow corporate egress IPs or a subnet-backed path. SCM restrictions deserve separate attention because deployment endpoints can expose powerful management capabilities even when the application endpoint looks protected.

Security

Security value is direct because access restrictions reduce the public attack surface before application authentication, framework routing, or custom code runs. They help block broad internet scans, protect admin-only routes, and force traffic through approved inspection points. They should not be treated as a complete security model: users still need authentication, secrets still need protection, and private dependencies still need network controls. Teams should protect the SCM site, avoid broad temporary ranges, use service tags carefully, document every exception, and monitor denied traffic. A single high-priority allow rule can accidentally undo a careful ingress design. Reviews should cover both main and SCM sites.

Cost

Access restrictions have no separate meter, but they influence cost through traffic, diagnostics, and compensating controls. Blocking unwanted traffic before it reaches application code can reduce CPU use, dependency calls, log volume, authentication attempts, and noisy security alerts. The bigger cost effect is architectural: a well-designed restriction set may avoid overbuilding separate per-app controls, while a weak one can force expensive incident response, WAF tuning, or private networking redesign. Operators should still avoid using restrictions as a cheap substitute for required private endpoints or compliance controls. Cost savings are useful only when the boundary is actually correct. Cleanup reviews keep exceptions small.

Reliability

Reliability depends on correct rule ordering, stable source addresses, and safe rollout. A wrong priority can deny legitimate users, health probes, Front Door traffic, partner callbacks, or deployment agents. A rule based on a changing NAT address can create intermittent outages that look like application failures. Teams should test access from allowed and denied paths, apply changes to slots carefully, keep a rollback command ready, and avoid editing rules blindly during an incident. Reliable designs also account for SCM/Kudu access because blocking the deployment path during recovery can extend downtime. Synthetic checks should verify both app and deployment endpoints.

Performance

Performance impact is usually indirect but real. Access restrictions are evaluated before the request reaches the worker, so blocked scanners and accidental callers do not consume application threads, database connections, or downstream API quota. A clean ingress path can reduce noise in logs and make latency investigations easier. Restrictions can hurt perceived performance if they block health probes, CDN origins, WAF addresses, or partner networks, because users experience timeouts or 403 responses. The performance lesson is simple: keep allowed paths explicit, validate them after network changes, and monitor denied traffic during releases. Small ingress mistakes become visible as slow incidents.

Operations

Operators inspect access restrictions when investigating 403 responses, blocked deployments, unexpected public exposure, or WAF bypass concerns. The operational routine is to export current rules, confirm priority order, identify whether restrictions apply to the main site or SCM site, make a scoped change, and test from allowed and denied locations. Teams should document why each rule exists, who owns the source IP range or subnet, and when temporary exceptions expire. Change management should treat broad allow rules and default-action changes as high risk. Monitoring should include synthetic checks from approved entry points, not only generic uptime tests from the public internet.

Common mistakes

  • Adding a broad temporary allow rule during an incident and forgetting to remove it after recovery.
  • Protecting the main app while leaving the SCM/Kudu deployment endpoint more open than intended.
  • Using a changing NAT or partner IP address without an owner, expiry date, or validation process.
  • Forgetting health probes, Front Door headers, or deployment agents when creating a deny-by-default posture.
  • Assuming access restrictions replace authentication, authorization, WAF inspection, or private networking controls.