Allow access through WAF only for whitelisted IPs

Question

I have an Azure Application Gateway where I manage a few client domains. I have a few production and staging domains routed to this application gateway, which I manage where I need them to be pointed to.

When I was working with the domains pointed directly to my servers, I had the ability to configure directly in the servers the IPs I wanted to be allowed on those servers. Using the application gateway, that isn't possible, since all traffic reaches the server with the application gateway IP as source.

What happens is that I need all domains that contain "staging" in their name to be accessible only by a list of whitelisted IPs.

Is there a way to set this up with a custom WAF rule?

Answer 1

Hello @Raphael Pereira ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like all your Application gateway domains that contain "staging" in their name to be accessible only by a list of whitelisted IPs.

This is possible via custom WAF rule as you mentioned.

Allowing and blocking traffic is simple with custom rules. For example, you can block all traffic coming from a range of IP addresses.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules#example-5

As mentioned by @Michael Cameron above, you can protect multiple sites with differing security needs behind a single WAF by using per-site policies.

You can have separate WAF policies (one for each listener) to customize the exclusions, custom rules, managed rule sets, and all other WAF settings for each site.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview#per-site-waf-policy

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies

So, you can associate WAF policies to all listeners with "staging" domain name with custom WAF rules to allow the IP addresses you need.

The best way to whitelist the IP addresses is to create a custom WAF rule with all the IP addresses with operation "does not contain" and condition as "Deny" as below:

Refer: https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020

https://learn.microsoft.com/en-us/answers/questions/1179573/how-to-define-ip-whitelist-in-azure-application-ga

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Yes. You could use WAF policies, I think this describes what you want: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies

Does that help?

Answer 3

Hi and @Michael Cameron, thanks for your reply.

I have created the custom WAF policy, but I can't see where I'd be able to attach it to my listeners in the UI. Is this something only doable using the CLI? I've figured it out, thanks again for the support. Creating the WAF policy as a Regional WAF directly from the Resources Creation screen enabled the association with the Listeners.