
I am testing a simple HTML page with Azure Static Web Apps (SWA) and want to implement an IP restriction so that only I can view the site. I also have a simple Azure DevOps task to push the project.

The issue is that, while the pipeline output shows the task finding and reading the swa.config.json file, the site is still accessible from IPs other than my own. Even if I set allowedIpRanges to an empty list [""], the site is still accessible, even though that should not allow any IPs to access the site.

My project structure:

project_folder/
|    - index.html
|    - staticwebapp.config.json

My staticwebapp.config.json:

{
  "networking": {
    "allowedIpRanges": ["MY_IP"]
  }
}

Azure DevOps task:

- task: AzureStaticWebApp@0
  inputs:
    workingDirectory: $(System.DefaultWorkingDirectory)/project_folder/
    app_location: /
    output_location: ''
    is_static_export: true
    skip_app_build: true
    skip_api_build: true
    verbose: true
    azure_static_web_apps_api_token: $(SWA_DEPLOYMENT_TOKEN)

The pipeline output:

Verbose logging enabled
Build timeout not specified, defaulting to 15 minutes
App Directory Location: '/' was found.
Looking for event info
Event info parsed from action options.
Skipping step to build /working_dir with Oryx
Found staticwebapp.config.json file: 'staticwebapp.config.json'
Didn't find Oryx manifest file under location: /a2b4be88-c84d-41ed-acfe-2f2c9b2f87b1-swa-oryx/app-manifest/oryx-manifest.toml
Determined default file to be: index.html
Using 'staticwebapp.config.json' file for configuration information, 'routes.json' will be ignored.
No Api directory specified. Azure Functions will not be created.
Either no Api directory was specified, or the specified directory was not found. Azure Functions will not be created.
Zipping App Artifacts
App Zip will be created from directory: /working_dir
Done Zipping App Artifacts
Uploading build artifacts.
Skipping function upload as functions are identical to last successful deployment.
Finished Upload. Polling on deployment.
Status: InProgress. Time: 0.057026(s)
Status: Succeeded. Time: 15.225704(s)
Deployment Complete :)
Visit your site at: https://asdf.azurestaticapps.net
Thanks for using Azure Static Web Apps!
Exiting
Finishing: AzureStaticWebApp

2 Answers


  1. Chosen as BEST ANSWER

    While I couldn't figure out the IP restrictions on the free SKU of Azure Static Web Apps, I used AAD auth instead with the paid SKU and the following configuration in my staticwebapp.config.json file.

    {
      "routes": [
        {
          "route": "/*",
          "allowedRoles": ["authenticated"]
        }
      ],
      "auth": {
        "identityProviders": {
          "azureActiveDirectory": {
            "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "registration": {
              "openIdIssuer": "https://login.microsoftonline.com/<subId>",
              "clientIdSettingName": "AZURE_CLIENT_ID",
              "clientSecretSettingName": "AZURE_CLIENT_SECRET"
            }
          }
        }
      },
      "responseOverrides": {
        "401": {
          "statusCode": 302,
          "redirect": "/.auth/login/aad"
        }
      },
      "navigationFallback": {
        "rewrite": "/index.html",
        "exclude": ["/images/*.{png,jpg,gif}", "/css/*"]
      },
      "globalHeaders": {
        "Cache-Control": "no-cache"
      }
    }
    

  2. I have tried to repro the same using the below steps and got the results as expected.

    Step 1: Initialize repo and add index.html and staticwebapp.config.json files.

    staticwebapp.config.json:

    {
      "routes": [
        {
          "route": "/*",
          "serve": "/index.html",
          "statusCode": 200
        }
      ],
      "navigationFallback": {
        "rewrite": "/index.html",
        "statusCode": 200
      },
      "networking": {
        "allowedIpRanges": [
          "49.204.176.183/32"
        ]
      }
    }
    

    In the above configuration file, 49.204.176.183 under networking is my public IP address. If you are allowing a single IP, use a /32 CIDR block.

    Please refer to the networking section in this MS doc for more information.

    Step 2: Create and run the pipeline and verify whether the web app is accessible or not.
    Below is the Azure Static Web App task in the pipeline.

    - task: AzureStaticWebApp@0
      inputs:
        workingDirectory: 
        app_location: '/'
        skip_app_build: true
        skip_api_build: true
        is_static_export: true
        verbose: true
        azure_static_web_apps_api_token: '$(SWA_DEPLOYMENT_TOKEN)'
    


    Step 3: Now change the IP address to any other address and run the pipeline to verify that the network configuration is applied.
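
A pre-deployment check for the `networking.allowedIpRanges` values discussed in the question and in the second answer, as an added example that is not part of the original posts or of the Azure tooling. The function name and the sample configs are constructed here; the rule that each entry is a CIDR block (with /32 for a single address) is taken from the second answer, and the check says nothing about which plan enforces the setting.

```python
import ipaddress
import json

# Constructed sample configs mirroring the values shown on this page.
QUESTION_CONFIG = '{"networking": {"allowedIpRanges": [""]}}'
ANSWER_CONFIG = '{"networking": {"allowedIpRanges": ["49.204.176.183/32"]}}'


def lint_allowed_ip_ranges(config_text):
    """Return findings for networking.allowedIpRanges (empty list = nothing to report)."""
    config = json.loads(config_text)
    networking = config.get("networking")
    if not isinstance(networking, dict) or "allowedIpRanges" not in networking:
        return ["no networking.allowedIpRanges block: no IP restriction is configured"]
    ranges = networking["allowedIpRanges"]
    if not isinstance(ranges, list):
        return ["allowedIpRanges must be a JSON array of CIDR strings"]
    if not ranges:
        return ["allowedIpRanges is empty: no address range is listed"]
    findings = []
    for index, entry in enumerate(ranges):
        label = f"allowedIpRanges[{index}]={entry!r}"
        if not isinstance(entry, str) or not entry.strip():
            findings.append(f"{label}: empty or non-string entry")
            continue
        text = entry.strip()
        if "/" not in text:
            # Assumption from the second answer: a single address is written as <ip>/32.
            findings.append(f"{label}: no prefix length, write a single IPv4 address as <ip>/32")
            continue
        try:
            # strict=True also rejects blocks with host bits set, e.g. 10.0.0.5/24.
            network = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            findings.append(f"{label}: not a valid CIDR block ({exc})")
            continue
        if network.prefixlen == 0:
            findings.append(f"{label}: matches every address, so it restricts nothing")
    return findings


if __name__ == "__main__":
    for name, text in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(name, lint_allowed_ip_ranges(text) or "ok")
```

Running it as a pipeline step before `AzureStaticWebApp@0` and failing the job on any finding catches a malformed entry before it is deployed.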