How to define IP whitelist in Azure Application Gateway (WAF) or Azure Firewall

Mohsen Akhavan 831 Reputation points
2023-02-10T12:49:11.0033333+00:00

Based on this document, I used Azure Application Gateway (WAF) before Azure Firewall. Also, I have three backend pools (Web Apps). Now I want to limit access to some web apps with IP through Azure Application Gateway or Azure Firewall.
First, Azure Application Gateway receives a client request, and there isn't any configuration to add (Allow/Deny) a client IP. After that, the request is sent to Azure Firewall.

Now, I want to know: is there any solution to limit access (by IP) on Application Gateway or Firewall?


Accepted answer
  1. GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2023-02-10T13:13:41.2666667+00:00

    Hello @Mohsen Akhavan ,

    I understand that you would like to know how to block IP addresses (Client IP) in Azure Application gateway (WAF).

    You can configure IP restriction on Azure Application Gateway to allow access to a few source IPs by using an NSG on the Application Gateway subnet.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#allow-access-to-a-few-source-ips

    In case you are using Application Gateway WAF V2, you can use WAF V2 Custom rules to whitelist/block IP addresses.

    Please refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    The Azure Application Gateway Web Application Firewall (WAF) v2 can be associated with a WAF policy, which contains all the WAF settings and configurations. This includes exclusions, custom rules, managed rules, and so on. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF.

    Allowing and blocking traffic is simple with custom rules. For example, you can allow/block all traffic coming from a range of IP addresses.

    To allow something, ensure that the -Action parameter is set to Allow. To block something, ensure that the -Action parameter is set to Block.

    You can create a Custom rule on Azure Application Gateway WAF v2 to block all requests from an IP address/range.

    You can use the "RemoteAddr" variable which is the IPv4 Address/Range of the remote computer connection with operator IPMatch to create such a rule and block all requests from a particular IP address and range.

    Example reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules#example-3

    To create custom rules, you first need to create a Web Application Firewall policy for Application Gateway.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag

    Once the WAF policy is created, you can create a custom rule as below:

    Associate the WAF policy to any of the below combinations:

    • Your application gateway - When you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.
    • Any specific listener - With per-site WAF policies, you can protect multiple sites with differing security needs behind a single WAF by using per-site policies.
    • Any path-based rules - If there are certain pages within a single site that require different policies, you can make changes to the WAF policy that only affect a given URI.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
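
The RemoteAddr/IPMatch custom rule described in the answer above, written as an allowlist with Azure PowerShell. This is an added example, not part of the original answer; the resource group, location, policy name, rule name and IP ranges are placeholders. It blocks every address outside the list instead of using `-Action Allow`, so allowlisted clients are still evaluated by the managed rules.

```powershell
# Added example. All names and address ranges below are placeholders.
$resourceGroup = "rg-example"                              # placeholder
$location      = "westeurope"                              # placeholder
$allowedRanges = @("203.0.113.0/24", "198.51.100.10")      # constructed documentation ranges

# Match on the address of the remote connection, as the answer describes.
$remoteAddr = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

# NegationCondition $true: the condition is met when RemoteAddr is NOT in the list.
$notAllowed = New-AzApplicationGatewayFirewallCondition `
    -MatchVariable $remoteAddr `
    -Operator IPMatch `
    -MatchValue $allowedRanges `
    -NegationCondition $true

# Block everything outside the allowlist. An Allow rule would stop further
# evaluation for matching requests, so they would bypass the managed rule set.
$rule = New-AzApplicationGatewayFirewallCustomRule `
    -Name "BlockNonAllowlistedIPs" `
    -Priority 10 `
    -RuleType MatchRule `
    -MatchCondition $notAllowed `
    -Action Block

# Prevention mode is required for Block to be enforced; Detection mode only logs.
$setting = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled

# Create the WAF policy that carries the custom rule.
$policy = New-AzApplicationGatewayFirewallPolicy `
    -Name "waf-policy-restricted-sites" `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -PolicySetting $setting `
    -CustomRule $rule

# Review what was created before associating the policy.
$policy.CustomRules | Select-Object Name, Priority, Action
```

To restrict only some of the web apps, associate this policy with the listener or path-based rule for those sites rather than with the whole gateway. RemoteAddr is the address of the connection that reaches the gateway, so if another proxy sits in front of it, that proxy's address is what the rule sees.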
