Azurerm_windows_web_app setting default firewall rule

I’m trying to understand how to properly setup Azure App Service network rules for public access, but I can find no documentation or explicit threads explaining it.

Basically what I want is deploying a azurerm_windows_web_app publicly reachable, but setting the default policy for the Kudu site to Deny (so I can access it only from private endpoints).

Is it possible? I can’t find the terraform setting for the default networking rule of the kudu site.


In your azurerm_windows_web_app resource block, you have to explicitly set the public_network_access_enabled attribute to false. Currently, it’s defaulted to true.

Secondly, under the site_config, you need to set the scm_ip_restriction block, action to Deny, and then ip_address to

Setting the above attribute will deny all public access to your app service and only then you can access your web app via private endpoint. Note that you have to create your private endpoint on the web app.

Please let me know if that helps.

Thank you for you reply!
I have just a question: wouldn’t setting public_network_access_enabled to false disable public access also to the main website (not just the Kudu site)?

Thank you

That’s correct. However, if you only need the scm site “kudu” disabled, then ignore the public access setting and focus on the scm block setting.

1 Like

The quest is to gracefully balance public access to the web app while weaving an intricate tapestry of networking rules that, specifically, cast a veil over the Kudu site, reserving its secrets only for private endpoints. Alas, my journey through Terraform’s documentation and the vast landscape of Azure features has not uncovered the elusive setting to dictate the default networking rule for the Kudu site.