In this post (as of January 10th) Allen Chen says it does not. However, it seems like the other poster indicates that it does (at least in the dev fabric). Does anyone know if this is supported.
My hope is to restrict access via IP address to my staging and dev sites. Adding this to the respective web.config's would be the easiest way.
I don't believe it is settable today in the webrole. Checking the applicationHost.config, I see that ipSecurity is set to disallow override, which means you cannot set it at the web.config level. That being said, if you take over the IIS process via Hosted Web Core (see code.msdn.microsoft.com/hwcworker), you can change the applicationHost.config and it might just work.
I ended up just creating an httpmodule and filtered using that. I used Scott Hanselman's solution here as a starting point: http://www.hanselman.com/blog/AnIPAddressBlockingHttpModuleForASPNETIn9Minutes.aspx
It worked like a charm and provide a lot of flexibility. Thanks Scott.