Windows Azure Web Sites supports Staged Publishing functionality, which allows you to create a staging site slot where you can publish a new version of the website and then test it before swapping to the production environment. By default the non-production deployment slot has its own hostname that you use to test the bits deployed there. Sometimes, however you may want to prevent users from browsing to your non-production deployment slot while you are testing it.
It is relatively easy to configure your site to block the http request if it is deployed to any non-production slot. For example let’s say I have a site ruslany.azurewebsites.net and I created a deployment slot for it and name the slot as ‘staging‘ (it is possible to give custom names to deployment slots now). The hostname for that deployment slot will be ‘ruslany-staging.azurewebsites.net‘. So to prevent access to the deployment slot from anybody except a few allowed IP addresses I can add the following rewrite rule to my site’s web.config file:
<rule name="Block unauthorized traffic to staging sites" stopProcessing="true">
  <match url=".*" />
  <conditions>
<!-- Enter your staging site host name here as the pattern-->
    <add input="{HTTP_HOST}" pattern="^ruslany\-staging\." />
<!-- Enter your white listed IP addresses -->
    <add input="{REMOTE_ADDR}" pattern="123\.123\.123\.1" negate="true"/>
<!-- Add the white listed IP addresses with a new condition as seen below -->
<!-- <add input="{REMOTE_ADDR}" pattern="123\.123\.123\.2" negate="true"/> -->
  </conditions>
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is not accessible" />
</rule>
When the site with this rule is located in my staging slot any http request to it will be blocked with HTTP 403 response as long as it is not a request from a white-listed IP address in the rewrite rule. When the site is swapped into the production slot the rewrite rule will be no-op because the first rewrite condition will not match, so all http traffic will be allowed to the site.
 
					
Hello, where should I save this file? In the Root the site?
Hi,
Great article. Thanks.
Can you add the rewrite rules in the azure dashboard? I can’t find how to do it.
I have to provide the staging deployment slot to management and they have changing IP addresses and dynamic IP addresses, so I would prefer not to have to deploy everytime I add or delete an IP address.
Thanks for your time.
Cheers,
Brian
Hi,
What happens when I use the same hostname for IP restriction and configure to warm up also?
It means Azure will get 403 when warmup that hostname? so how to whitelist ?
Thank you.
The IP restrictions are now enforced on the load balancer level and not on the worker VMs. The warmup requests are made directly to worker VMs so they should not be blocked by the IP restriction.
Hi,
Thanks for the reply.
I mean IP restriction by rewrite module as your above topic, not IP restriction that is configured on Azure portal.
So it is still same?
Oh, I see. If you use the rewrite rule as in this example then you’ll need to whitelist the internal IP ranges (starting with 10 or 100, e.g. “^10\.”).
This articles was written a while ago, before the IP restrictions feature was added to App Service. I would recommend to use the IP restrictions feature on the staging slot instead of the rewrite rule
Thank you.
I will try to whitelist internal IP because I could not use IP restrictions feature on Azure portal because my app is using Cloudflare. IP restrictions feature only works with CloudFlare IP