Restrict function access by ip


How to restrict App Services / function access by IP?

(I did a search before asking but only found an unanswered question here)



If I understand correctly you want to restrict clients that make requests to your app services e.g. calling functions etc. You can manage this from your IP Access List in your app services configuration.


1 Like

Thanks, that looks good, just that when I gave it a try after your suggestion, it is not working for me –

I.e., I allow only my IP, but when I visit the service from two other different sites, they’re still fine. Given that:

Edits to this page will be updated in your application immediately

I’m thinking that something is wrong. Hmm… Maybe …

OK, here is more details – I hosted my web page at different places/sites, this is what I was hoping to control. However, my web page connect to app services directly via its javascript code. Does that mean that the connection is made from my IP to the app service (which then can explain why my above trials failed)? If so, then my question becomes, since I cannot list every single person’s IP in IP Access List, is there any better solution, like restrict by hosted sites / reference host etc?

Or, thinking out of the box, can I apply rate control, since now it is every single person’s individual IP is concerned?

It sounds like you’re using the Realm Web SDK and calling functions this way.

Does that mean that the connection is made from my IP to the app service

Yes it would be the ip of the person visiting the website.

since I cannot list every single person’s IP in IP Access List

The ip access list entry can be a CIDR notation including a range of addresses. Could you target the multiple addresses this way?

Alternatively you can specific an Authorization Express in the function itself which has to evaluate to TRUE before running the function. Please see options for Expression Evaluations for e.g. you could use the %%request expansion to evaluate the referrer with a list specified in a value called “referrers”.

  "%%request.httpReferrer": { "$in": "%%values.referrers" }


Thanks, I’ll take a look.

FTA, as to the rate control, I took a further look, and have found this question, with a reply pointing to here, and I quite agree with all comments there, like Justin’s comment:

I agree that if MongoDB App Services is to be used at scale and we are signing up for the potential of inflated costs due to unwanted requests, we should have the ability to protect ourselves via rate limiting of some kind. Otherwise, we just become very vulnerable.

I upvoted it and hope it will be picked up.

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.