This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Based on this reference, I used Azure Application Gateway (WAF) before Azure Firewall. This is my scenario.
I need to limit access to the web app with specific IPs. I can do with "Custome Role" in WAF policy and my WAF should be "Prevent" mode.
Is there any way to allow access to the web app based on the client's IP without switching to the "Prevent" mod on WAF? with the Firewall or App Restriction?
@AirGordon Thanks for your reply. I used WAf before Firewall and have I client IP in the Azure Firewall? In the reference:
This design is appropriate for applications that need to know incoming client source IP addresses, for example to serve geolocation-specific content or for logging. Application Gateway in front of Azure Firewall captures the incoming packet's source IP address in the X-forwarded-for header, so the web server can see the original IP address in this header.
Is it possible to have access X-Forwarded-For header: ClientPIP in Azure Firewall?
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I am afraid your requirement is not clear to me.
Now, to block certain IPs,
The recommended way here is to keep the App Gateway WAF in Prevention mode and create custom rules to block traffic.
Also, how is the connection established between Azure Firewall and WebApp?
Also, as per @AirGordon 's answer, you can create NSG on the App Gateway subnet and block the IPs while keeping the WAF in detection mode
Cheers,
Kapil
Hi @KapilAnanth-MSFT , Thansk.
The reason for the Detection mode on WAF is, in the current state with Prevent mode I have some issues that I should fix and it needs time (for example two months). So, I'm working on issues with Prevent mode in the development environment, and on another side, in the Stage environment the client tested the web app with WAF detection mode and I received logs.
Yes, I know the Client IP will be changed. I'm looking for a solution to limit.
For your information, direct access to the web app it's not possible and I close it with "Access Restriction" on the web app. Only Firewall and Application Gateway (WAF) can communicate with the web app. So, I think NSG doesn't work here. Is it right?
Understood.
Please note I never suggested direct access to the WebApp.
Instead, I was only curious as to how Azure Firewall and WebApp connectivity is established?
In any case, NSGs should work.
Please note NSG is applied at the App Gateway Subnet. This means,
Hope this helps.
Cheers,
Kapil
@KapilAnanth-MSFT , the connectivity is over the internet.
Let me explain more to clarify:
You mean, I create an NSG and applied it to the App Gateway subnet. Then I can deny traffic-specific IP. Is it right?
@KapilAnanth-MSFT, thanks I tested and it's working. One question, if I have two web apps, is there any way to assign this IP limitation to web app1 and web app2 open from anywhere?
For direct access to the WebApps, you can leverage Access Restrictions to open traffic to WebApp1 and WebApp2 from anywhere
Cheers,
Kapil
@KapilAnanth-MSFT , I mean traffic goes through WAF. Is there any way to add an inbound role for app1 and app2 on NSG?
I think when the location of two apps is the same, it's not possible. But, if the location of the two apps is different it's possible to use "Service Tag" as a destination in NSG.
The scenario is, I have two web apps in EastUS. I added NSG to the AppGw subnet. Now, I want to have only access from 217.10.11.12 to web app1 and web app2 have access from anywhere. Is it possible?
Wrt,
I have two web apps in EastUS. I added NSG to the AppGw subnet. Now, I want to have only access from 217.10.11.12 to web app1 and web app2 have access from anywhere. Is it possible?
No, this is not possible.
Hope this helps.
Cheers,
Kapil.
The simplest way is to leverage a Network Security Group on the Application Gateway subnet, create an inbound rule to specify the IP and another rule to deny other traffic.
As you have Azure Firewall in your architecture, you could also leverage this by creating a rule.
@AirGordon , thanks I tested and it's working. One question, if I have two web apps, is there any way to assign this IP limitation to web app1 and web app2 open from anywhere?
The IP limitation applies to the whole AppGw subnet, not the web apps - so no you couldn't differentiate.