I am struggling to find a way to automate IP rules for the apps in App Services. Creating multiple rules one by one and then copying them to other app services is very painful.
The last section "Programmatic manipulation of IP restriction rules" is really unclear. I tried going to "resources.azure.com", but I could not find how to get to the "ipSecurityRestrictions" block on the page.
It is also not clear how to use "management.azure.com" at all.
Please update the docs, as this is really painful and definitely useful for a lot of users.
Hi @EddyP23, thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review.
You can use PowerShell to set an IP rule and automate it:
https://about-azure.com/2018/11/26/configure-azure-app-service-ip-restrictions-using-powershell/
Please provide here information on how to set restriction rules in ARM Template
In the Properties section of your ARM Template you can add the following:

    "properties": {
      "ipSecurityRestrictions": [
        {
          "ipAddress": "100.10.101.0",
          "subnetMask": "255.255.255.0"
        },
        {
          "ipAddress": "100.10.100.0",
          "subnetMask": "255.255.255.0"
        }
      ]
    }

@schneuwlybe Yes, I found this out, but I think it is worth mentioning in this article. And there is another issue: there are other properties of an IP restriction which I can set using the Azure portal, but apparently can't set using an ARM template: action, tag, priority and name. As a result, all restrictions get the same priority and I can't name them, which is quite disappointing, especially if you have a list of restrictions.
One more thing: it seems strange that ARM doesn't recognize the syntax "ipAddress": "122.133.144.0/24", as it is shown in Programmatic manipulation of access restriction rules
Actually in ARM template you must specify ipAddress and subnetMask separately otherwise you get error "IpSecurityRestriction.IpAddress is invalid. It must be in IPAddress format."
I think the main problem is that IP Restriction Automation (with ARM and PowerShell) is only poorly implemented. When you export an ARM Template from an existing application there are no IP restrictions exported. Also there is currently no way to add IPv6 addresses besides the Portal. Since IP Restrictions is a fairly new feature, it is possible that they are still working on implementing the automation options.
Can anybody share how to programmatically set up access restriction on Vnet/subnet and not on IP address?
Either ARM or PowerShell should be good, having both listed out is even better.
Can anybody share how to programmatically set up access restriction on Vnet/subnet and not on IP address?
@RavulaChetan Here's what I'll do for ARM - I have not tried it yet but this is the approach I will follow. Please try it for me and give feedback, as that will help me too.
Start by finding a working _recent_ (2018) web app deployment template.
Here is one that uses the 2018-11-01 API version, 101-webapp-basic-windows
You need to add an ipSecurityRestrictions to the properties. Here is the schema reference for that 2018-11-01 API version: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2018-11-01/sites. Ctrl+F for ipSecurityRestrictions.
The schema is useful for reference, but really you need an example that you have set up manually in the portal. You can then extract the ARM code using resources.azure.com
Here is one from an example I set up today - the "$-names" are inserted by me to cover the actual names of the resources.

    "ipSecurityRestrictions": [
      {
        "vnetSubnetResourceId": "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Network/virtualNetworks/$virtualNetworkName/subnets/$subnetName",
        "action": "Allow",
        "tag": "Default",
        "priority": 300,
        "name": "$subnetName"
      }
    ],

Try out something like that in the properties section of your Microsoft.Web/sites template.
Please give feedback, as I have not tried it yet and I'll need it pretty soon.
Another possibility, see this comment (follow link to ARM template). It uses a virtualNetwork child resource
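An added example, not code from any commenter or from Microsoft: a Python generator that emits the two ipSecurityRestrictions shapes shown in this thread (ipAddress plus subnetMask, and vnetSubnetResourceId) from one rule list, so the same rules can be pasted into several templates with unique names and priorities. It assumes, untested against Azure, that action, tag, priority and name can be combined with the ipAddress/subnetMask form; build_ip_restrictions, render_fragment and the rule names are hypothetical.

```python
import ipaddress
import json


def build_ip_restrictions(rules, start_priority=100, step=100):
    """Build an ipSecurityRestrictions list from ordered (name, target) pairs.

    target is an IPv4 CIDR string or a subnet resource ID (assumed to start
    with "/subscriptions/"). List order decides the priority of each rule.
    """
    out, seen = [], set()
    for index, (name, target) in enumerate(rules):
        if name in seen:
            raise ValueError(f"duplicate rule name: {name}")
        seen.add(name)
        entry = {}
        if target.startswith("/subscriptions/"):
            entry["vnetSubnetResourceId"] = target
        else:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(target, strict=True)
            if net.version != 4:
                raise ValueError(f"subnetMask form is IPv4 only: {target}")
            # Split the CIDR into the separate fields the thread says ARM wants
            entry["ipAddress"] = str(net.network_address)
            entry["subnetMask"] = str(net.netmask)
        entry.update(action="Allow", tag="Default",
                     priority=start_priority + index * step, name=name)
        out.append(entry)
    return out


def render_fragment(rules):
    """Return the JSON fragment for the properties section of the template."""
    return json.dumps({"ipSecurityRestrictions": build_ip_restrictions(rules)},
                      indent=2)


# Constructed sample input; the "$" placeholders follow the comment above.
SAMPLE_RULES = [
    ("office", "100.10.101.0/24"),
    ("vpn", "100.10.100.0/24"),
    ("backend-subnet",
     "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
     "/providers/Microsoft.Network/virtualNetworks/$virtualNetworkName"
     "/subnets/$subnetName"),
]

if __name__ == "__main__":
    print(render_fragment(SAMPLE_RULES))
```
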
@ishepherd your previous comment was exactly what I needed to get my ARM template working. Thank you!
I have 3 sites, and I have managed to add allow entries to them via ARM templates + parameter file. They all share the same configuration.
When deploying, everything goes well. The entries show in the portal and the deny all comes at the end.
The weird thing is though that two of the sites work as expected (blocking everyone except the allowed IPs). But the third site, with the same config... allows everyone to access, even though it has a deny all rule at the end, just like the other sites!
Using the Add-AzWebAppAccessRestrictionRule PowerShell command, we can configure Vnet/subnet type access restriction on App Service.