Manage Azure Web App Firewall through Azure Function

The Issue

I was asked to frequently add or remove IP addresses in an Azure Web Application firewall configuration, in a case where restricting access to a subnet is not an option. That's why I wanted to automate this task, and to give each added entry a lifetime so that it is removed again later.

The plan

After some thought, I came up with the following plan:

DemandValidation Azure Function

Validates the request and manages the workflow of adding and removing the IP.

It's a C# Azure Function exposing one HTTP input binding that requires Azure Active Directory authentication. The workflow of adding and then removing the IP is managed through a Durable Function.

The claims in the request must contain at least the ID of the allowed security group; only then is the logic triggered. The configuration required to inject security groups into claims will be covered in a future post.

The message sent to the queue and the record written to the audit table contain:

  • the IP of the request
  • the date, in the description
  • a unique ID

Audit Azure Table

Keeps track of each demand without exposing in clear text any sensitive data linked to a person.

It's an audit log, which also makes it possible to know whether the IP has changed for a given demand.

Add / Remove Azure Storage Queue

A pipe to transfer requests to the function that has the rights to manage the firewall, without exposing that function.

These are two Azure Storage queues serving as the link between the two Azure Functions.

DemandTreatment Azure Function

Treats the requests in the Add and Remove queues by invoking simple PowerShell Core commands.

It's a PowerShell Azure Function that validates the request (only one IP is added, never a range) and applies it to the firewall. The priority used is a constant.

The Function identity is an Azure Managed Service Identity, which holds a role allowing it to manage the firewall configuration on the targeted Web Application, so no credentials are stored in the function.
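As an added illustration (not code from the original post), here is what the run.ps1 of the queue-triggered DemandTreatment function could look like, using the Az.Websites cmdlets under the Managed Identity. The message field names (id, ip, description), the app settings TARGET_RESOURCE_GROUP, TARGET_WEBAPP_NAME and DEMAND_ACTION, and the priority value 300 are assumptions.

```powershell
# run.ps1 of the DemandTreatment function (hypothetical illustration).
# Assumes Connect-AzAccount -Identity has already run in profile.ps1 and that the
# Managed Identity holds a role able to write the site's access-restriction rules.
param([string] $QueueItem, $TriggerMetadata)

$ErrorActionPreference = 'Stop'      # any failure fails the invocation (message is retried)

$RulePriority  = 300                       # constant priority, as described in the post (value assumed)
$ResourceGroup = $env:TARGET_RESOURCE_GROUP   # assumed app settings
$WebAppName    = $env:TARGET_WEBAPP_NAME
$Action        = $env:DEMAND_ACTION           # 'Add' or 'Remove': one function instance per queue

# Assumed message shape: {"id":"<guid>","ip":"203.0.113.10","description":"2020-05-01 ..."}
$demand = $QueueItem | ConvertFrom-Json

# Validation: a well-formed unique id, and exactly one IPv4 host address (no CIDR range).
if (-not $demand.id -or $demand.id -notmatch '^[0-9a-fA-F-]{36}$') {
    throw "Rejected demand: missing or malformed id."
}
$parsed = $null
if (-not $demand.ip -or $demand.ip -match '/' -or
    -not [System.Net.IPAddress]::TryParse($demand.ip, [ref] $parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Rejected demand $($demand.id): '$($demand.ip)' is not a single IPv4 address."
}
$ip = $parsed.IPAddressToString

# The rule name derives from the unique id, so the Remove queue can target the same rule.
$ruleName = "demand-$($demand.id)"

switch ($Action) {
    'Add' {
        Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup `
            -WebAppName $WebAppName -Name $ruleName -Priority $RulePriority `
            -Action Allow -IpAddress "$ip/32" -Description $demand.description
        Write-Host "Allowed $ip as rule $ruleName"
    }
    'Remove' {
        Remove-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup `
            -WebAppName $WebAppName -Name $ruleName
        Write-Host "Removed rule $ruleName"
    }
    default { throw "DEMAND_ACTION must be 'Add' or 'Remove', got '$Action'." }
}
```

Because the function throws on invalid input, a malformed message is retried and then lands in the poison queue rather than silently being applied to the firewall.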

Hope this helps!