Azure Website 101: Restrict access on your staging site

Staging slots in Azure Websites provide few functionalities right out of the box, it lets you deploy your site on a separate slot rather then your production slot. This is good approach because by deploying your site on staging slot you ensure zero downtime of your site at the same time since the non-production deployment slot has its own host name so your tester/client can navigate your staging website and let you know if everything meets their requirement.

The pattern used for hostname is like this:  It carries the name of the Azure Web App + the name of the slot. For example, If your Azure Web App is called testsite and you have create a slot called staging then it will be named testsite (staging) and its URL will be Since the staging URL is quite easily guessable people might sneak your non-production site to find out whats coming in the next version. At a glance it seems its not a big deal, there is nothing wrong if few people sneak into your non-production site.  But that’s not the case! Imagine a scenario where you are assigned to update a website to show a promo offer for upcoming BlackFirday. The offer is something like this –

First 50 subscribers will get an iPhone5 in half price! .

If you let the public sneak into your non-production/staging site they might get this news in advance!  You obviously don’t want that somebody discovers the URL of our development/staging environment and starts “playing” with it. This is one thing that you might want to prevent.

So the question is how can you keep your azure websites private and thus make them not available to the large public? how can your site is only accessible by your development and test team?



Add the following rewrite rule the web.config file located in the root folder of the website to prevent access to the deployment slot from anybody except a few allowed IP addresses :

<rule name="Block unauthorized IP to staging sites"

<match url=".*" />

<!-- Enter your staging site host name here as the pattern-->
<add input="{HTTP_HOST}" pattern="^testsite\-staging\." />

<!-- Enter your white listed IP addresses -->
<add input="{REMOTE_ADDR}" pattern="123\.123\.123\.1" negate="true"/>

<!-- Add the white listed IP addresses with a new condition as seen below -->
<!-- <add input="{REMOTE_ADDR}" pattern="123\.123\.123\.2" negate="true"/> -->

<action type="CustomResponse" statusCode="403"
statusReason="Forbidden" statusDescription="Site is not accessible" />

Once you add the above rule on your web.config, any HTTP request for your staging slot will be blocked with HTTP 403 response unless its from a white-listed IP address(the one you have added earlier in rule section). When the site is swapped into the production slot the rewrite rule will be of no use because the first rewrite condition will not match, so all HTTP  traffic will be allowed to the site.

Good Read:


One thought on “Azure Website 101: Restrict access on your staging site

  1. This is not working for me. Yours is the only such example of this I can find on the net, have you got some documentation of how you put this together.

    The 3 links provided don’t include anything like you have done here.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s