Setting an IP filter is very important because one of the easiest ways to launch a denial of service (DoS) attack is to launch the attack from inside the service itself. Therefore, at minimum, the hosting service provider should blacklist the farm from itself.
For example, if the web farm is deployed to a subnet, then the subnet IP addresses should be filtered to prevent web sites from calling back into the farm and launching (for example) a DoS attack.
To restrict tenant worker processes from accessing the IP address ranges corresponding to servers inside the Web Site cloud, you can configure IP filtering either in the Windows Azure Pack management portal or by using PowerShell.
To configure IP filtering in the Management Portal for Administrators, perform the following steps:
- In the left pane of the portal, choose Web Site Clouds.
- Select the web site cloud that you want to configure.
- Choose Block List.
- In the command bar at the bottom of the portal, choose Add.
- In the Enter an IP Address Range dialog, enter an IP address in the Start Address and End Address boxes to create the range.
- Click the check mark to complete the operation.
To configure IP filtering by using PowerShell, run the following PowerShell cmdlets on the controller. The addresses 192.168.0.10 and 192.168.0.100 shown here stand in for <start-of-ip-blacklist-range> and <end-of-ip-blacklist-range>; replace them with valid IP addresses.
Set-Hostingconfiguration -WorkerRegKeyRejectPrivateAddresses 1
Set-Hostingconfiguration -WorkerRegKeyPrivateAddressRange "192.168.0.10", "192.168.0.100"
Finally, restart the Dynamic WAS Service (DWASSVC) on servers configured to run the web worker role. Run the following commands from an elevated command prompt:
net stop dwassvc
net start dwassvc
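When the farm sits on a subnet, the start and end addresses for the block list can be derived from the subnet's CIDR notation and checked against the farm's servers before the range is applied. The following is an added example, not part of the original page or the product's tooling: Get-SubnetRange and Test-InSubnet are hypothetical helper names, and the subnet and server addresses are constructed sample values.

```powershell
# Added example. Get-SubnetRange and Test-InSubnet are hypothetical helpers;
# the subnet and server addresses below are constructed sample values.
function Get-SubnetRange {
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') {
        throw "Expected IPv4 CIDR notation such as 10.0.8.0/22, got '$Cidr'"
    }
    $prefix = [int]$Matches[2]
    if ($prefix -gt 32) { throw "Prefix length out of range in '$Cidr'" }
    $bytes = [System.Net.IPAddress]::Parse($Matches[1]).GetAddressBytes()
    $start = New-Object byte[] 4
    $end   = New-Object byte[] 4
    for ($i = 0; $i -lt 4; $i++) {
        # Number of network bits that fall inside octet $i (0..8).
        $bits = [Math]::Min(8, [Math]::Max(0, $prefix - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        $start[$i] = $bytes[$i] -band $mask              # host bits cleared
        $end[$i]   = $bytes[$i] -bor (0xFF -bxor $mask)  # host bits set
    }
    [pscustomobject]@{
        Prefix = $prefix
        Start  = New-Object System.Net.IPAddress (,$start)
        End    = New-Object System.Net.IPAddress (,$end)
    }
}

function Test-InSubnet {
    param([string]$Address, $Range)
    # Masking the address with the same prefix must give the same network start.
    (Get-SubnetRange "$Address/$($Range.Prefix)").Start.Equals($Range.Start)
}

$range = Get-SubnetRange '10.0.8.0/22'                                  # constructed subnet
$farmServers = '10.0.8.11', '10.0.9.20', '10.0.11.254', '10.0.12.5'     # constructed addresses

foreach ($server in $farmServers) {
    if (-not (Test-InSubnet $server $range)) {
        Write-Warning "$server is outside $($range.Start)-$($range.End); the block list would not cover it"
    }
}

# Print (do not run) the cmdlet from this page with the computed range.
"Set-Hostingconfiguration -WorkerRegKeyPrivateAddressRange '$($range.Start)', '$($range.End)'"
```

A warning for any farm server means the range is too narrow, or that the server lives on another subnet that needs its own block list entry.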