Sitecore XP Azure PaaS: Restrict Access By IP Address

Ths is just a quick note on an issue I ran in to when trying to lock down my CM and CD instances in Azure - maybe this will save you a few minutes if it happens to you.

It's easy enough to restrict access to your Sitecore Azure App Services by IP address. Just log on to your Azure subscription and navigate to

App Services >> *your app service* >> Networking >> Configure IP Restrictions

Here you are able to add individual IP addresses or ranges of IP addresses that you wish to grant access to your service. (NOTE: if there are no IPs in the list, then ALL IP addresses will have access).

But what if you add one or more IPs and your App Service is still open to all IP addresses? Well, that's what happened to me. I tracked the problem down to some configurations that Sitecore for some unknown reason has added to all of its Marketplace ARM templates. To fix it you need to edit the web.config file in the website root, and comment out or delete the ipSecurity section, like so:

        <requestLimits maxAllowedContentLength="524288000" />
    <!--<ipSecurity allowUnlisted="false" denyAction="AbortRequest">
        <clear />
        <add ipAddress="" subnetMask="" allowed="true" />


Once you do that your IP restrictions should start working. Hope this is helpful to someone out there!


Comments (1) -

  • Hi David,

    I was able to restrict the access by configuring IP.
    However, I'm looking to restrict the access by IP only to the CMS and not to the website.

    The website needs to be publicly accessible, but the CMS can be accessed by only the whitelisted IPs. Any idea how to go around this?

Add comment