---
title: Microsoft Azure IoT DPS IP connection filters
description: How to use IP filtering to block connections from specific IP addresses to your Azure IoT DPS instance.
author: cwatson-cat
ms.author: cwatson
ms.service: azure-iot-hub
services: iot-dps
ms.topic: how-to
ms.date: 08/12/2025
ms.subservice: azure-iot-hub-dps
ms.custom:
- devx-track-arm-template
- sfi-image-nochange
---
# Use Azure IoT DPS IP connection filters
Security is an important aspect of any IoT solution. Sometimes you need to explicitly specify the IP addresses from which devices can connect as part of your security configuration. The *IP filter* feature for an Azure IoT Hub Device Provisioning Service (DPS) enables you to configure rules for rejecting or accepting traffic from specific IPv4 addresses.
## When to use
There are two specific use-cases where it's useful to block connections to a DPS endpoint from certain IP addresses:
* Your DPS should receive traffic only from a specified range of IP addresses and reject everything else. For example, you're using your DPS with [Azure Express Route](../expressroute/expressroute-faqs.md#supported-services) to create private connections between a DPS instance and your devices.
* You need to reject traffic from IP addresses that are identified as suspicious by the DPS administrator.
## IP filter rules limitations
Note the following limitations if IP filtering is enabled:
* You might not be able to use the Azure portal to manage enrollments. If this scenario occurs, you can add the IP address of one or more machines to the `ipFilterRules` and manage enrollments in the DPS instance from those machines with Azure CLI, PowerShell, or service APIs.
This scenario is most likely to happen when you want to use IP filtering to allow access only to selected IP addresses. In this case, you configure rules to enable certain addresses or address ranges and a default rule that blocks all other addresses (0.0.0.0/0). This default rule blocks Azure portal from performing operations like managing enrollments on the DPS instance. For more information, see [IP filter rule evaluation](iot-dps-ip-filtering.md#ip-filter-rule-evaluation) in this article.
## How filter rules are applied
The IP filter rules are applied at the DPS instance level. Therefore, the IP filter rules apply to all connections from devices and back-end apps using any supported protocol.
Any connection attempt from an IP address that matches a rejecting IP rule in your DPS instance receives an unauthorized 401 status code and description. The response message doesn't mention the IP rule.
> [!IMPORTANT]
> Rejecting IP addresses can prevent other Azure Services from interacting with the DPS instance.
## Default setting
By default, IP filtering is disabled and **Public network access** is set to *All networks*. This default setting means that your DPS accepts connections from any IP address, which is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.
:::image type="content" source="./media/iot-dps-ip-filtering/ip-filter-default.png" alt-text="Screenshot that shows the IoT DPS default IP filter settings in the Azure portal.":::
## Add an IP filter rule
To add an IP filter rule:
1. Go to the [Azure portal](https://portal.azure.com).
2. From either the portal menu or the portal page, select **All resources**.
3. Select your Device Provisioning Service instance.
4. In the service menu, under **Settings**, select **Networking**.
5. In the working pane, under **Public network access**, select **Selected IP ranges**.
6. Select **+ Add IP Filter Rule**.
:::image type="content" source="./media/iot-dps-ip-filtering/ip-filter-add-rule.png" alt-text="Screenshot that shows how to add an IP filter rule to an IoT DPS instance in the Azure portal.":::
7. Fill in the following fields:
| Field | Description|
|-------|------------|
| **Name** |A unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus `{'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''}` are accepted.|
| **Address Range** |A single IPv4 address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. For example, in CIDR notation 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.|
| **Action** |Select either **Allow** or **Block**.|
:::image type="content" source="./media/iot-dps-ip-filtering/ip-filter-after-selecting-add.png" alt-text="Screenshot that shows how to define and save an IP filter rule for an IoT DPS instance in the Azure portal.":::
8. Select **Save**. You should see an alert notifying you that the update is in progress.
:::image type="content" source="./media/iot-dps-ip-filtering/ip-filter-save-new-rule.png" alt-text="Screenshot that shows the notification displayed while saving an IP filter rule in the Azure portal.":::
>[!Note]
> **+ Add IP Filter Rule** is disabled when you reach the maximum of 100 IP filter rules.
## Edit an IP filter rule
To edit an existing rule:
1. Select the IP filter rule data you want to change.
:::image type="content" source="./media/iot-dps-ip-filtering/ip-filter-rule-edit.png" alt-text="Screenshot that shows how to edit an IP filter rule for an IoT DPS instance in the Azure portal.":::
2. Make the change.
3. Select **Save**.
## Delete an IP filter rule
To delete an IP filter rule:
1. Select the delete icon on the row of the IP rule you wish to delete.
:::image type="content" source="./media/iot-dps-ip-filtering/ip-filter-delete-rule.png" alt-text="Screenshot that shows how to delete an IP filter rule for an IoT DPS instance in the Azure portal.":::
2. Select **Save**.
## IP filter rule evaluation
IP filter rules are applied in order. The first rule that matches the IP address determines the accept or reject action.
For example, if you want to accept addresses in the range 192.168.100.0/22 and reject everything else, the first rule in the grid should accept the address range 192.168.100.0/22. The next rule should reject all addresses by using the range 0.0.0.0/0.
To change the order of your IP filter rules:
1. Select the rule you want to move.
2. Drag and drop the rule to the desired location.
3. Select **Save**.
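
The following Python sketch is an added example, not part of the service or its SDKs. It models the first-match ordering described in this section, so you can check a planned rule list for rules that can never match (for example, an administrator address placed after the reject-all rule, which is the lockout case described under the limitations) before you save it. The rule names, the addresses, and the `default_action` used when no rule matches are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules in the template's IpFilterRules shape (not from the page).
RULES = [
    {"FilterName": "AllowPlant", "Action": "Accept", "ipMask": "192.168.100.0/22"},
    {"FilterName": "RejectAll", "Action": "Reject", "ipMask": "0.0.0.0/0"},
    {"FilterName": "AllowAdmin", "Action": "Accept", "ipMask": "203.0.113.10"},
]


def evaluate(rules, source_ip, default_action="Accept"):
    """Return (action, rule name) for source_ip; the first matching rule wins.

    default_action is an assumption for addresses that match no rule.
    """
    addr = ipaddress.IPv4Address(source_ip)
    for rule in rules:
        if addr in ipaddress.IPv4Network(rule["ipMask"], strict=False):
            return rule["Action"], rule["FilterName"]
    return default_action, None


def shadowed_rules(rules):
    """List (rule, earlier rule) pairs where the earlier rule covers the whole range.

    Only single-rule coverage is checked, not coverage by a union of earlier rules.
    """
    earlier, shadowed = [], []
    for rule in rules:
        net = ipaddress.IPv4Network(rule["ipMask"], strict=False)
        for name, seen in earlier:
            if net.subnet_of(seen):
                shadowed.append((rule["FilterName"], name))
                break
        earlier.append((rule["FilterName"], net))
    return shadowed


def move_before(rules, name, before):
    """Return a reordered copy with rule `name` placed directly before rule `before`."""
    moved = next(r for r in rules if r["FilterName"] == name)
    rest = [r for r in rules if r["FilterName"] != name]
    idx = next(i for i, r in enumerate(rest) if r["FilterName"] == before)
    return rest[:idx] + [moved] + rest[idx:]


if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.10"), shadowed_rules(RULES))
    fixed = move_before(RULES, "AllowAdmin", "RejectAll")
    print(evaluate(fixed, "203.0.113.10"), shadowed_rules(fixed))
```
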
## Update IP filter rules using Azure Resource Manager templates
There are two ways you can update your DPS IP filter:
1. Call the IoT Hub Resource REST API method. To learn how to update your IP filter rules using REST, see `IpFilterRule` in the [Definitions](/rest/api/iothub/iot-hub-resource/update#definitions) section of [IoT Hub Resource - Update](/rest/api/iothub/iot-hub-resource/update).
2. Use the Azure Resource Manager templates. For more information about how to use the Resource Manager templates, see [What are ARM templates?](../azure-resource-manager/templates/overview.md) The examples that follow show you how to create, edit, and delete DPS IP filter rules with Azure Resource Manager templates.
>[!NOTE]
>Azure CLI and Azure PowerShell don't currently support DPS IP filter rules updates.
### Add an IP filter rule
The following template example creates a new IP filter rule named "AllowAll" that accepts all traffic.
```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "iotDpsName": {
            "type": "string",
            "defaultValue": "[resourceGroup().name]",
            "minLength": 3,
            "metadata": {
                "description": "Specifies the name of the IoT DPS service."
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for Iot DPS resource."
            }
        }
    },
    "variables": {
        "iotDpsApiVersion": "2020-01-01"
    },
    "resources": [
        {
            "type": "Microsoft.Devices/provisioningServices",
            "apiVersion": "[variables('iotDpsApiVersion')]",
            "name": "[parameters('iotDpsName')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "S1",
                "tier": "Standard",
                "capacity": 1
            },
            "properties": {
                "IpFilterRules": [
                    {
                        "FilterName": "AllowAll",
                        "Action": "Accept",
                        "ipMask": "0.0.0.0/0"
                    }
                ]
            }
        }
    ]
}
```
Update the IP filter rule attributes of the template based on your requirements.
| Attribute | Description |
| ------------------------ | ----------- |
| **FilterName** | Provide a name for the IP Filter rule. This value must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus `{'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''}` are accepted. |
| **Action** | Accepted values are **Accept** or **Reject** as the action for the IP filter rule. |
| **ipMask** | Provide a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255. |
### Update an IP filter rule
The following template example updates the IP filter rule named "AllowAll", shown previously, to reject all traffic.
```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "iotDpsName": {
            "type": "string",
            "defaultValue": "[resourceGroup().name]",
            "minLength": 3,
            "metadata": {
                "description": "Specifies the name of the IoT DPS service."
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for Iot DPS resource."
            }
        }
    },
    "variables": {
        "iotDpsApiVersion": "2020-01-01"
    },
    "resources": [
        {
            "type": "Microsoft.Devices/provisioningServices",
            "apiVersion": "[variables('iotDpsApiVersion')]",
            "name": "[parameters('iotDpsName')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "S1",
                "tier": "Standard",
                "capacity": 1
            },
            "properties": {
                "IpFilterRules": [
                    {
                        "FilterName": "AllowAll",
                        "Action": "Reject",
                        "ipMask": "0.0.0.0/0"
                    }
                ]
            }
        }
    ]
}
```
### Delete an IP filter rule
The following template example deletes all IP filter rules for the DPS instance.
```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "iotDpsName": {
            "type": "string",
            "defaultValue": "[resourceGroup().name]",
            "minLength": 3,
            "metadata": {
                "description": "Specifies the name of the IoT DPS service."
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for Iot DPS resource."
            }
        }
    },
    "variables": {
        "iotDpsApiVersion": "2020-01-01"
    },
    "resources": [
        {
            "type": "Microsoft.Devices/provisioningServices",
            "apiVersion": "[variables('iotDpsApiVersion')]",
            "name": "[parameters('iotDpsName')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "S1",
                "tier": "Standard",
                "capacity": 1
            },
            "properties": {
            }
        }
    ]
}
```
## Next steps
To further explore managing DPS, see:
* [Device Provisioning Service IP addresses](iot-dps-understand-ip-address.md)
* [Quickstart: Set up the IoT Hub Device Provisioning Service with Azure CLI](quick-setup-auto-provision-cli.md)
* [Control access to Azure IoT Hub Device Provisioning Service (DPS) with shared access signatures and security tokens](how-to-control-access.md)