IP Restrictions and Deployment from Azure Dev Ops

I have IP restrictions on my Integration, Preproduction, and the CMS part of production. These restrictions are managed in the web.config as rewrites. The problem I am having is that I am deploying from Azure Dev Ops using the deployment API. As part of that deployment, it tries to hit the site, which it can't, because of IP restrictions. Azure's IPs are constantly shifting, so how do I manage that?

I found this article:

https://keithjr.dev/development/hosted_build_agent/

At first this failed because Add-AzWebAppAccessRestrictionRule was not installed. So, I added a line to install module Az if it wasn't installed. This failed because some parts of it are already installed. So, how can I have IP restrictions and still use the Deployment API?

#284578
Jul 28, 2022 17:54

A few ideas

  1. Is the IP restriction 100% needed as the solution? You could alternatively restrict the everyone role in the access rights for the root of the site so that only people with a login can access the site, if your concern is only allowing certain people to access.
  2. I've used this https://github.com/Bikeman868/UrlRewrite.Net which is a replacement for the out-of-the-box rewrite system. I've used this for large sites with rules so huge the rewrite file is over the max allowed size. This gets initialized in the application start, so potentially you could add a setting to turn this on/off in the CMS. Therefore you turn it off before a deployment and back on again after. Just an idea.
  3. The other thing, and I'm not sure, but as the Deployment API slot checks that check the URL is up are probably running using a custom agent string, it might be that the rules can be customized to exclude that agent from the restriction.
#284741
Aug 01, 2022 9:45

Hi Ethan,

I didn't think IP restrictions on a web.config blocked the Deployment API. What error are you seeing when initially trying to use the Deployment API?

#284744
Aug 01, 2022 9:54
Scott Reed - Aug 01, 2022 10:37
There are post slot swap verifications that need to have a 200 code coming back for the Deployment API complete deployment task for the process to work. If other error codes are returning, it would stop it from working.
Scott Reed - Aug 01, 2022 10:40
However, I used to have a project running in Deployment API with IP restriction without issue. I think some of these more stringent checks may have come about during the changes for .NET 5/6, although this project is obviously web.config for .NET Framework, but perhaps things have been made more tight.