Azure Web Sites – block web access to non-production deployment slots

Windows Azure Web Sites supports Staged Publishing functionality, which allows you to create a staging site slot where you can publish a new version of the website and then test it before swapping to the production environment. By default the non-production deployment slot has its own hostname that you use to test the bits deployed there. Sometimes, however you may want to prevent users from browsing to your non-production deployment slot while you are testing it.

It is relatively easy to configure your site to block the http request if it is deployed to any non-production slot. For example let’s say I have a site ruslany.azurewebsites.net and I created a deployment slot for it and name the slot as ‘staging‘ (it is possible to give custom names to deployment slots now). The hostname for that deployment slot will be ‘ruslany-staging.azurewebsites.net‘. So to prevent access to the deployment slot from anybody except a few allowed IP addresses I can add the following rewrite rule to my site’s web.config file:

<rule name="Block unauthorized traffic to staging sites" stopProcessing="true">
<match url=".*" />
<conditions>
<!-- Enter your staging site host name here as the pattern-->
<add input="{HTTP_HOST}" pattern="^ruslany\-staging\." />
<!-- Enter your white listed IP addresses -->
<add input="{REMOTE_ADDR}" pattern="123\.123\.123\.1" negate="true"/>
<!-- Add the white listed IP addresses with a new condition as seen below -->
<!-- <add input="{REMOTE_ADDR}" pattern="123\.123\.123\.2" negate="true"/> -->
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden"
statusDescription="Site is not accessible" />
</rule>

When the site with this rule is located in my staging slot any http request to it will be blocked with HTTP 403 response as long as it is not a request from a white-listed IP address in the rewrite rule. When the site is swapped into the production slot the rewrite rule will be no-op because the first rewrite condition will not match, so all http traffic will be allowed to the site.

73,236 views

ruslany on April 24th 2014 in URLRewrite, WAWS

PoorFairAverageGoodExcellent (15 votes, average: 4.20 out of 5)

2 Responses to “Azure Web Sites – block web access to non-production deployment slots”

  1. Gravatar ImageFelipe responded on 25 Aug 2017 at 3:15 pm #

    Hello, where should I save this file? In the Root the site?

  2. Gravatar ImageBrian D responded on 28 Sep 2017 at 7:44 pm #

    Hi,
    Great article. Thanks.
    Can you add the rewrite rules in the azure dashboard? I can’t find how to do it.
    I have to provide the staging deployment slot to management and they have changing IP addresses and dynamic IP addresses, so I would prefer not to have to deploy everytime I add or delete an IP address.
    Thanks for your time.
    Cheers,
    Brian

Trackback URI | Comments RSS

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

XML Markup: If You want to add XML code to the comment please XML encode it first, otherwise the code will not show up.

Recently Published Articles