Ths is just a quick note on an issue I ran in to when trying to lock down my CM and CD instances in Azure - maybe this will save you a few minutes if it happens to you.
It's easy enough to restrict access to your Sitecore Azure App Services by IP address. Just log on to your Azure subscription and navigate to
App Services >> *your app service* >> Networking >> Configure IP Restrictions
Here you are able to add individual IP addresses or ranges of IP addresses that you wish to grant access to your service. (NOTE: if there are no IPs in the list, then ALL IP addresses will have access).
But what if you add one or more IPs and your App Service is still open to all IP addresses? Well, that's what happened to me. I tracked the problem down to some configurations that Sitecore for some unknown reason has added to all of its Marketplace ARM templates. To fix it you need to edit the web.config file in the website root, and comment out or delete the ipSecurity section, like so:
<requestLimits maxAllowedContentLength="524288000" />
<!--<ipSecurity allowUnlisted="false" denyAction="AbortRequest">
<add ipAddress="0.0.0.0" subnetMask="0.0.0.0" allowed="true" />
Once you do that your IP restrictions should start working. Hope this is helpful to someone out there!