Managed Cloud

IP whitelisting for Azure SQL Server and Web Apps

Abstract

Use IP whitelisting to manage who has access to the Azure SQL server and Azure Web Apps.

Sitecore on Azure uses the Azure Web App and Azure SQL server technologies. IP whitelisting provides access to Azure Web Apps and SQL server resources for the computers that access the service from specific IP addresses. At the same time, it blocks access for computers attempting unauthorized access from all unspecified IP addresses.

This topic describes:

Before you configure IP whitelisting for Azure SQL Server and Web Apps, consider the following:

  • The Azure Web Apps services do not offer static IPs. However, Microsoft does provide approximately 90 days' notice before changing an IP address in the backend. Sitecore cannot guarantee technical cases where the IP addresses can change without our prior knowledge. For example, scaling up an App Service plan or moving an application from one app service plan to another can result in changes to IP addresses.

  • Microsoft can share outbound IP addresses between Web Apps and other tenants of the Azure App services products. This means there is a minor risk that Azure tenants owned by other subscribers could theoretically access external resources, such as an MLab cluster, when those resources whitelist the Azure outbound IP address associated with Sitecore web applications.

    The potential impact associated with non-static, non-unique IP addresses is relatively small. Even so, Azure offers an isolated hosting environment (the App Service Environment), that offers a static, unique IP address along with the other standard features.

  • change of service plan for your web application (such as scaling up or out), can cause Web Apps to acquire a new outbound IP address. This could invalidate the IP whitelisting configuration settings, which would then refer to obsolete IP addresses.

You can restrict the access of a specific web application to specified IP addresses through the menu of your web application. However, to configure your IP whitelist for a specific web application, navigate to SettingsNetworking, <the Web App overview page>. Under IP restrictions, click Configure IP restrictions. You can add a rule by specifying an IP address, or an IP address range, and providing a subnet mask.

ConfigureIPRestricitons.JPG

Sitecore instances such as Azure Web Apps or on-premise ASP.Net applications (specifically in Sitecore 9 topologies) reference each other with connection strings in configuration files. This means that if you enable IP whitelisting for specific Sitecore instances, you must also whitelist the outbound IP address of that Sitecore instance, (and all other instances it references).

For example, if your content delivery role references three Sitecore instances (such as, the xConnect collection, xDB reference data, and Marketing automation), then you must whitelist the outbound IP address of your content delivery instance for all three instances.

The component references that your instance has will vary based on factors such as topology and size. Sitecore Managed Cloud offers various Sitecore products and topologies of different sizes on Azure. Due to different architecture and scaling properties, these component references and connection strings can vary from one product to another.

You can use the GetConnectionString.ps1 PowerShell script to find the component references of your Sitecore instances on Azure, and then apply IP whitelisting as described previously.

The PowerShell script requires values for the following parameters:

  • Resource Group Name - the name of the resource group that contains the Managed Cloud set.

    Subscription ID - the GUID of the Azure subscription that contains the Resource Group

The script generates JSON code similar to the following example:

{
   "test-whitelisting-9x-131490-cm":  {
"ReferencedWebAppsComponents":  [
       {
                                                                                      "ConnectionStringName":  "xconnect.collection",
                                                                                      "WebAppUrl":  "https://test-whitelisting-9x-131490-xc-search.azurewebsites.net",
                                                                                      "WebAppName":  "test-whitelisting-9x-131490-xc-search"
     },
     {
                                                                                      "ConnectionStringName":  "xdb.referencedata.client",
                                                                                      "WebAppUrl":  "https://test-whitelisting-9x-131490-xc-refdata.azurewebsites.net",
                                                                                      "WebAppName":  "test-whitelisting-9x-131490-xc-refdata"
      },
       {
                                                                                      "ConnectionStringName":  "reporting.apikey",
                                                                                      "WebAppUrl":  "https://test-whitelisting-9x-131490-rep.azurewebsites.net",
                                                                                      "WebAppName":  "test-whitelisting-9x-131490-rep"
      },
       {
                                                                                      "ConnectionStringName":  "xdb.marketingautomation.reporting.client",
                                                                                      "WebAppUrl":  "https://test-whitelisting-9x-131490-ma-rep.azurewebsites.net",
                                                                                      "WebAppName":  "test-whitelisting-9x-131490-ma-rep"
        },
       
  {
                                                                                    "ConnectionStringName":  "xdb.marketingautomation.operations.client",
                                                                                      "WebAppUrl":  "https://test-whitelisting-9x-131490-ma-ops.azurewebsites.net",
                                                                                      "WebAppName":  "test-whitelisting-9x-131490-ma-ops"
      }
  ],
     "WebAppName":  "test-whitelisting-9x-131490-cm",
   "OutboundIpAddresses":"52.230.1.186,52.230.15.158,52.230.7.174,52.230.11.232,52.230.7.87"
}

This example shows a portion of the complete output file. Depending on the Sitecore product and topology, the number of resources in an output file can vary considerably. Therefore, remember to whitelist all the roles if they reference any components.

In this example, the Content Management role references five other instances. This means that you must whitelist the outbound IP addresses of Content Management in all five instances.

This specific example is for Sitecore products that all have components hosted on Azure. Some roles of other topologies, such as xDB, can have instances hosted on Azure, or on on-premise servers. In that case, you must whitelist the IP address for that particular component, whether hosted on Azure or on-premise servers.

For xDB, the on-premise XMcontent management role references the xdb.referencedata.client role that is hosted on Azure. Therefore, you must whitelist the IP address of the server that is hosting the Content Management role in the xdb.referencedata.client Azure Web app. In Configure Sitecore 9.0 for xDB on Azure, you can learn how to configure the Content Delivery and Content Management roles for the Managed Cloud xDB set.Configure Sitecore 9.0 or later for xDB on Azure

Note

The reporting.apikey connection string corresponds to the key used by the Sitecore Reporting role to authenticate incoming requests. In the Reporting Web App, you must whitelist the IP address of any Sitecore role that references the reporting.apikey connection string.

If your Sitecore on Azure solution uses Microsoft SQL Server, then you must explicitly whitelist the IP addresses of the computers that need to access the databases on the server. Otherwise, the SQL Server firewalls will prevent all access. You can configure the SQL Server firewall permissions and rules in any of the following ways:

  • Allow access to Azure services - this allows any Azure resource to gain access through the firewall. This includes the Azure resources that are in subscriptions owned by other organizations.

  • Disable access to Azure services - this option requires you to explicitly whitelist the IP addresses associated with the computers and resources on Azure that require access to the SQL server. This procedure varies from one Sitecore version to another and from one topology to another.

  • Specify the machine IP address for the Azure SQL Server firewall - for on-premise instances that connect to databases on Azure. For Azure SQL server, you must whitelist the IP addresses of on-premise machines by configuring the Content Delivery and Content Management roles for the Managed Cloud xDB set. The Azure SQL server firewall contains the databases that the connection strings of client instances reference. This is where you must whitelist the client IP address.Configure Sitecore 9.0 or later for xDB on Azure

  • Whitelisting resources, specifically Web Apps on Azure - for each Sitecore web application running Sitecore on Azure, use the GetConnectionString.ps1 PowerShell script to list all the connection strings of the database. The script generates the list in a JSON file and requires values for the following parameters:

    • The Resource Group Name - The name of the Resource Group that contains the Managed Cloud set.

    • The Subscription ID - The GUID of the Azure subscription that contains the Resource Group.

    The PowerShell script generates the following JSON code:

    "test9xbd-113010-rep":  {
     "connectionStrings":  
           [
             {
     "name":  "core",
    "initialcatalog":  "test9xbd-113010-core-db", 
    "datasource":  "test9xbd-113010-sql.database.windows.net,1433"
               },
    "name":  " master ",
    "initialcatalog":  "test9xbd-113010-master-db",
    "datasource":  "test9xbd-113010-sql.database.windows.net,1433"
               },
    "name":  "web",
    "initialcatalog":  " test9xbd-113010-web-db", 
    "datasource":  "test9xbd-113010-sql.database.windows.net,1433"
               },
    "name":  "reporting",
    "initialcatalog":  " test9xbd-113010-rep-db", 
    "datasource":  "test9xbd-113010-sql.database.windows.net,1433"
               },
             ]
        
    "OutboundIpAddresses":  "104.43.16.94,104.43.20.5,104.43.13.79,207.46.235.213"

    This code sample lists the connection string to the databases of a SQL server that a reporting Web App is referencing. You must specify the Outbound IP addresses of a reporting Web App in the SQL server firewall. To do so: