I've used the PS script below to apply a basic deny-all ACL to a freshly created HTTP endpoint. This is just to test if it works; I will later permit various subnets. I've tried creating the endpoint via PS or the Azure console.
The script runs without error and provides the response below.
# Script to apply deny all to existing endpoint.
# Get ACL config on existing AzureEndpoint
$acl = Get-AzureVM -ServiceName "ServiceName" -Name "Name" | Get-AzureAclConfig -EndpointName "HTTP"
# Set ACL on existing endpoint
Set-AzureAclConfig -AddRule -ACL $acl -Order 0 -Action Deny -RemoteSubnet "0.0.0.0/0" -Description "DenyAll"
# Update Azure
Get-AzureVM -ServiceName "ServiceName" -Name "Name" | Set-AzureEndpoint -Name "HTTP" -ACL $acl | Update-AzureVM
Response
RuleId : 0
Order : 0
Action : Deny
RemoteSubnet : 0.0.0.0/0
Description : DenyAll
OperationDescription : Update-AzureVM
OperationId : c844080c-4aa1-2d43-98fd-4cc93e999256
OperationStatus : Succeeded
Test 1
The result of this command is an empty ACL field.
Get-AzureVM -ServiceName "ServiceName" -Name "Name" | Get-AzureEndpoint -Name "HTTP"
LBSetName :
LocalPort : 80
Name : HTTP
Port : 80
Protocol : tcp
Vip : 137.xxx.yyy.zzz
ProbePath :
ProbePort : 0
ProbeProtocol :
ProbeIntervalInSeconds :
ProbeTimeoutInSeconds :
EnableDirectServerReturn : False
Acl : {}
Test 2
This command produces a null response: no errors, nothing.
Get-AzureVM -ServiceName "ServiceName" -Name "Name" | Get-AzureAclConfig -EndpointName "HTTP"
Browsing Test
I can still browse the web site, which pretty clearly shows the deny-all ACL is not applying.
Other solutions
I know I can apply filtering with IIS and Windows Server, but I really want to be able to apply ACLs directly on the endpoint.
I'm on a Free Trial (in the SE Asia region), so I am wondering if this is something that doesn't work on the free trial?
I'm starting to wonder if I have uncovered a bug or, probably more likely, I'm doing something wrong.