IP Security - Configure IP address restrictions in Web.Config on IIS

When your website is using some kind of proxy/firewall just like Sucuri to increase the security, you need to make sure that only the allowed ones are accessing the site directly, so that all the requests to the site is going through the firewall.

To ensure this, we use the IP security feature in IIS, in which we can configure which IP's are allowed.

<system.webServer>
   ...
    <security>
      <ipSecurity allowUnlisted="false">
        <clear />
        <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
        <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
        <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
        <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
      </ipSecurity>
      ...
    </security
  </system.webServer>

In the above code, we set allowUnlisted attribute to false to prevent access to all IP address unless they are listed. And then we add the allowed IP addresses one by one. eg.

<add ipAddress="192.168.134.0" subnetMask="255.255.254.0" allowed="true" />

Additional Resource


comments powered by Disqus

About the author

  • Abhith Rajan

    Abhith Rajan

    Abhith Rajan is a full-stack developer, consultant, Sysberries employee, and biker. Who passionate about C# and JavaScript. Works on his blog, his personal finance web app and its react native mobile app in his free time.

    Buy me a coffeeBuy me a coffee