ARM: Whitelist outbound IPs from another app service

In a previous post I wrote about adding one or more specified ranges of IP addresses to the IP security restrictions of an App Service.

In this post, I would like to take it one step further: add the possible outbound IP addresses of another App Service to the white list.

N.B. Securing a web app in this way is not a complete security solution, because App Services of other Azure customers can share the same outbound IP addresses within the shared network infrastructure. If true isolation is a requirement, you will need to resort to the isolated App Service Environment, but that is in a different pricing tier.

But how do you do that? You can of course get the outbound IP addresses of another App Service by using the reference function within a template. But this is a comma separated list of addresses. So you will need to split it into an array and add the subnet mask (in CIDR notation) and action properties before you can use it as the sites/config/ipSecurityRestrictions property I described in the previous post. Things get more difficult when you realize you can only use the reference function in the resources or outputs section of a template. So there is no way to create a variable that gets the list (as a comma separated string) and splits it into an array you can use further on in the template when deploying resources.

Enter multiple LinkedTemplates and a bit of useful information:

A template doesn’t need to deploy a resource

So this means you can create a template that takes a resourceId for an App Service, gets the range of possible outbound IPs and returns it as an array:

But this doesn’t create an object array which we can pass to the template that adds the ranges to an App Service as described in the previous post.

So we create another template that takes an array of strings with the different IPs and returns an array with the objects in the required form:

We can then modify the first template to call this template and instead return the result of that template:

All that remains now, is to call this template from the main template that deploys the App Service and pass this to the template that actually adds the ranges to the whitelist:
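As an added example (not one of the post's own gists), this is a linked template that does the second step: it takes the string array produced by split(reference(appServiceResourceId, '2018-02-01').possibleOutboundIpAddresses, ',') in the calling template and returns it as ipSecurityRestrictions objects, using a copy loop in the outputs section. It assumes the 2018-02-01 Microsoft.Web API shape (ipAddress in CIDR form plus action, priority and name); the basePriority parameter and the rule names are my own choices.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "ipAddresses": {
      "type": "array",
      "metadata": {
        "description": "Plain IPv4 addresses, e.g. split(reference(<appServiceResourceId>, '2018-02-01').possibleOutboundIpAddresses, ',') evaluated by the calling template (assumed input shape)"
      }
    },
    "basePriority": {
      "type": "int",
      "defaultValue": 100,
      "metadata": {
        "description": "Priority of the first Allow rule; each following address gets the next number (assumed parameter, not from the post)"
      }
    }
  },
  "variables": {},
  "resources": [],
  "outputs": {
    "ipSecurityRestrictions": {
      "type": "array",
      "copy": {
        "count": "[length(parameters('ipAddresses'))]",
        "input": {
          "ipAddress": "[concat(trim(parameters('ipAddresses')[copyIndex()]), '/32')]",
          "action": "Allow",
          "priority": "[add(parameters('basePriority'), copyIndex())]",
          "name": "[concat('outbound-', copyIndex())]"
        }
      }
    }
  }
}
```

The main template reads the result as `[reference('ipRestrictions').outputs.ipSecurityRestrictions.value]`, assuming the linked deployment resource is named ipRestrictions, and passes that array on to the template that writes sites/config/ipSecurityRestrictions.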
