Does ip-filter Policy Expression validate actual Client IPs when the requests are funnelled through AppGateway/Front Door?

Kumar 111 Reputation points
2022-09-20T19:59:01.977+00:00

We are planning to use the ip-filter policy expression to restrict the client IPs that can access an APIM. We have the current setup:

ExternalClient1 - Front Door - Application Gateway - APIM
ExternalClient2 - Application Gateway - APIM

Just curious whether the ip-filter expression can verify the actual client IPs even if the requests are funneled via AppGateway and/or Front Door, or whether the ip-filter expression can only verify the AppGateway or Front Door IPs?

Please clarify.

Thanks
Kumar

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

Accepted answer
  1. Takahito Iwasa 4,851 Reputation points MVP Volunteer Moderator
    2022-09-20T23:09:34.58+00:00

    Hi, @Kumar

    In general, when using an L7 reverse proxy, the client IP address will be the Front Door or Application Gateway instance IP address.

    Therefore, I think it is necessary to use the HTTP header X-Forwarded-For to determine the client IP address on the backend.

    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-http-headers-protocol

    In that case, I think you should check using the check-header policy instead of ip-filter.

    https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#CheckHTTPHeader

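The following is an added example, not part of the answer above and not Microsoft's code. It shows how a client IP can be derived from X-Forwarded-For for both paths in the question, so that a value the caller typed into the header is never the one checked. It assumes each proxy appends the peer address it saw (possibly as `ip:port`); the network ranges are constructed placeholders from documentation address space, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ranges (documentation address space), not real Azure IPs.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for Front Door
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/28")]   # clients to let through


def _parse_hop(hop):
    """Parse one header entry: 'ip', 'ip:port' or '[ipv6]:port'."""
    hop = hop.strip()
    if hop.startswith("["):                 # e.g. [2001:db8::1]:443
        hop = hop[1:hop.index("]")]
    elif hop.count(":") == 1:               # e.g. 203.0.113.5:51234
        hop = hop.split(":")[0]
    return ipaddress.ip_address(hop)        # ValueError on anything else


def effective_client_ip(xff_header, trusted=TRUSTED_PROXIES):
    """Walk the header right to left, skipping our own proxies.

    Entries on the right were appended by infrastructure we control;
    entries further left were supplied by the caller and are not evidence.
    Returns None (fail closed) if the header is empty or malformed.
    """
    hops = [h for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = _parse_hop(hop)
        except ValueError:
            return None
        if not any(ip in net for net in trusted):
            return ip                       # first hop that is not ours
    return None


def is_allowed(xff_header, allowed=ALLOWED_CLIENTS, trusted=TRUSTED_PROXIES):
    ip = effective_client_ip(xff_header, trusted)
    return ip is not None and any(ip in net for net in allowed)


if __name__ == "__main__":
    # Header values as the backend would see them (constructed samples).
    for header in ("203.0.113.5, 198.51.100.7:443",   # via Front Door + App Gateway
                   "203.0.113.5:51234",               # via App Gateway only
                   "203.0.113.5, 192.0.2.66"):        # caller-supplied first entry
        print(f"{header!r:40} -> {is_allowed(header)}")
```

The header is only meaningful if the backend accepts connections solely from the Application Gateway; otherwise a caller reaching it directly controls the entire value.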
