Geolocation for AppGW WAF blocking all traffic

Farzana Mustafa 81 Reputation points
2022-11-13T22:08:00.81+00:00

Hello,

We have created a custom rule for AppGW WAF policy to only allow traffic from two regions.
[screenshot of the custom rule: 259886-image.png]

When we set this rule to Deny, it blocks all the traffic originating from the two regions.

Logs show Action: Blocked - Message: Access denied with code 403. Found condition 0 in RemoteAddr, with value x.x.x.x (XX)

The remote IP addresses seem to be all from Microsoft DCs located outside the two regions. For example, 205.210.31.31, 147.243.135.105 etc. We have configured everything in Azure and Azure DevOps in the two regions only.

Any idea where these IPs are coming from and how to fix the issue, i.e. allow traffic only from the two regions?

Thanks in advance.


1 answer

  1. Ronen Ariely 15,081 Reputation points
    2022-11-13T23:45:21.967+00:00

    Hi,

    Any idea where these IPs are coming from

    This is simple to answer using IP lookup online tools like this (you can check any IP you want in the same way):
    https://whatismyipaddress.com/ip/205.210.31.31

    Hostname: 205.210.31.31
    ASN: 396982
    ISP: Palo Alto Networks Inc
    Services: Datacenter
    Assignment: Likely Static IP
    Country: United States
    State/Region: California
    City: Santa Clara

    When we set this rule to Deny, it blocks all the traffic originating from the two regions.

    This is the expected behavior.

    The remote IP addresses seem to be all from Microsoft DCs located outside the two regions. For example, 205.210.31.31, 147.243.135.105 etc.

    Are you saying that these IPs are denied and they are outside the two regions?

    Can another rule be the source of this deny, maybe? Maybe these are simply not in Azure and are therefore denied...

    For example, 205.210.31.31, 147.243.135.105 etc.

    You configured the rule based on "Geo Location" and not by IP.

    Who told you that these IPs are related to a service from Azure?

    I checked a few IP lookup tools and none of them recognizes them as Azure IPs.

    The source IP might be in a different area in the world but not in Azure datacenter.

    The IP ranges which Azure uses are not a secret, and you can download all the information in a JSON file from here:

    https://www.microsoft.com/en-us/download/details.aspx?id=56519

    I downloaded the file and I do not find these IPs in any range, but maybe I missed it.

    There is no range that starts with 205 (but maybe there is a wider range which includes all these IPs).

    Instead of setting a Deny rule, you should deny all and set an Accept rule. Set an approve rule for the regions which you want to approve. It is much more secure and might solve your issue as well.

    how to fix the issue, ie. allow traffic only from the two regions?

    This is exactly NOT what you did. You denied traffic from the two regions and not "allow traffic only from the two regions".

    Change the rule to "Allow Traffic" for this result.
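The answer suggests checking the blocked source addresses against the downloadable Azure IP ranges file and reading the geo code in the block message. The script below is an added example, not code from the question, the answer, or Microsoft. It assumes the published "Azure IP Ranges and Service Tags" JSON layout (a top-level `values` list whose entries carry `properties.region` and `properties.addressPrefixes`); the JSON embedded here is a constructed stand-in using RFC 5737 / RFC 3849 documentation prefixes, and the log lines are constructed in the message format quoted in the question. The `allowed_geo` codes are a placeholder for the two regions the rule is meant to allow.

```python
"""Triage Application Gateway WAF geo-match blocks against Azure's published IP ranges.

Added example. Assumes the ServiceTags JSON layout described in the lead-in;
all prefixes, tag names and log lines below are constructed sample data.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the shape of the downloadable ServiceTags JSON (not real ranges).
SAMPLE_SERVICE_TAGS = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.westeurope",
         "properties": {"region": "westeurope",
                        "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureCloud.northeurope",
         "properties": {"region": "northeurope",
                        "addressPrefixes": ["198.51.100.0/24"]}},
    ],
})

# Constructed WAF block messages in the format quoted in the question.
SAMPLE_LOG_LINES = [
    "Access denied with code 403. Found condition 0 in RemoteAddr, with value 205.210.31.31 (US)",
    "Access denied with code 403. Found condition 0 in RemoteAddr, with value 203.0.113.77 (NL)",
    "Access denied with code 403. Found condition 0 in RemoteAddr, with value 192.0.2.9 (GB)",
    "Access granted",  # no RemoteAddr condition: skipped by the parser
]

# Captures the remote address and the two-letter geo code the WAF attached to it.
LOG_RE = re.compile(r"Found condition \d+ in RemoteAddr, with value (\S+) \((\w+)\)")


def load_prefixes(service_tags_json: str) -> List[Tuple[str, str, Network]]:
    """Flatten the ServiceTags document into (tag name, region, network) rows."""
    doc = json.loads(service_tags_json)
    rows: List[Tuple[str, str, Network]] = []
    for entry in doc.get("values", []):
        props = entry.get("properties", {})
        region = props.get("region") or "global"
        for prefix in props.get("addressPrefixes", []):
            rows.append((entry["name"], region, ipaddress.ip_network(prefix, strict=False)))
    return rows


def azure_tags_for(ip: str, rows: List[Tuple[str, str, Network]]) -> List[Tuple[str, str]]:
    """Return every (tag, region) whose prefix contains ip; empty if Azure does not publish it."""
    addr = ipaddress.ip_address(ip)
    return [(tag, region) for tag, region, net in rows
            if addr.version == net.version and addr in net]


def parse_block(line: str) -> Optional[Tuple[str, str]]:
    """Extract (remote IP, geo code) from a geo-match block message, or None if absent."""
    match = LOG_RE.search(line)
    return (match.group(1), match.group(2)) if match else None


def triage(log_lines: List[str], service_tags_json: str,
           allowed_geo: Tuple[str, ...] = ("NL", "GB")) -> Dict[str, dict]:
    """Per blocked IP: its geo code, whether it sits in a published Azure range,
    and whether it was blocked even though its geo is one the rule should allow
    (a sign the rule action is Deny where Allow was intended, as the answer notes)."""
    rows = load_prefixes(service_tags_json)
    report: Dict[str, dict] = {}
    for line in log_lines:
        parsed = parse_block(line)
        if parsed is None:
            continue
        ip, geo = parsed
        report[ip] = {
            "geo": geo,
            "azure_tags": azure_tags_for(ip, rows),
            "blocked_from_intended_region": geo in allowed_geo,
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG_LINES, SAMPLE_SERVICE_TAGS).items():
        print(ip, info)
```

Run against the real file, replace `SAMPLE_SERVICE_TAGS` with the contents of the downloaded JSON and `SAMPLE_LOG_LINES` with the `message` field of the WAF log entries; an IP that comes back with an empty `azure_tags` list is one Azure does not publish as its own, which is the answer's point about 205.210.31.31, while a block whose geo code is in `allowed_geo` points at the rule action being the wrong way round.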