webapp: --ip-address accepts only cidr not ip4

[onstwedder]

e.g. just tried the following:
az webapp config access-restriction add -g <resourcegroupname> -n <Webappname> --action Allow --description 'Outgoing ip' --ip-address 50.69.29.185 --rule-name 'webplan' --priority 505

which resulted in:
Operation returned an invalid status code 'Bad Request'

However when i tried this:
az webapp config access-restriction add -g <resourcegroupname> -n <Webappname> --action Allow --description 'Outgoing ip' --ip-address 50.69.29.185/32 --rule-name 'webplan' --priority 505
It worked correctly.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: c788e908-cee3-ae46-fac4-956d0606ad76
• Version Independent ID: 2ed69bfd-bb05-3d09-072e-00e505856fba
• Content: az webapp config access-restriction
• Content Source: latest/docs-ref-autogen/webapp/config/access-restriction.yml
• Service: app-service-web
• GitHub Login: @rloutlaw
• Microsoft Alias: routlaw

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI @antcp

[panchagnula]

@madsd I haven't tried to repro this but wanted to check with you if this was by design. Thanks!

[madsd]

@madsd I haven't tried to repro this but wanted to check with you if this was by design. Thanks!

Hi @panchagnula, this was by design, but that could be changed :-) Perhaps something as simple as checking for '.' or ':' (to know if it is ipv4 or ipv6) and then add respectively /32 and /128. Would that make sense?

[panchagnula]

Thanks @madsd - Hmm not sure what the reasoning was for this to be ByDesign since on Portal we do support Ipv4 and IpV6.

[madsd]

@panchagnula the command does support both ipv4 and ipv6 today - but for both ipv4 and ipv6 you have to specify the subnet range - that is the /xx. So even if you just want a single IP, you need to specify /32. What is being asked here (as I read it), is that if you just want a single IP, we would automatically add the /32 or /128.

[onstwedder]

@madsd True.
In the documentation page ( https://docs.microsoft.com/en-us/cli/azure/webapp/config/access-restriction?view=azure-cli-latest#az-webapp-config-access-restriction-add ) it states:

--ip-address
IP address or CIDR range.

I would expect an ip address to be without /32 and a cidr of 1 ip to be with a /32.
e.g. My first try to add an ip to the access restriction was to use it without a /32.

Anyway. when not specifying a subnet range on an ip, automatically adding a /32 would work fine. (or /128 for ip6)

[madsd]

Created PR with a fix for it and a scenario test to capture it for future changes. @panchagnula could you review it. @onstwedder, thank you for reporting it.