About IP restrictions for WebApps

真 川崎 196 Reputation points
2023-07-27T01:21:44.99+00:00

I am setting <security> - <ipSecurity> in Web.config of Azure Webapps to limit the IPs that can connect.

403 is returned when there is access from an unauthorized IP.

If you check the HTTP log, there are requests recorded as 400 or 404 due to access from unauthorized IPs.

I thought that all accesses from unauthorized IPs would result in 403, but what is the reason for 400 or 404?

It would be helpful if you could let me know if you have any information that will help me find out.


Accepted answer
  1. ajkuma 27,946 Reputation points Microsoft Employee
    2023-08-01T09:31:29.9033333+00:00

    真 川崎

    Following-up on your comment, adding to Lex Li's suggestions.

    When you configure IP restrictions in the Web.config file of an Azure Web App, the IP restriction rules are evaluated before the request is processed by the web application. If the request comes from an unauthorized IP address, the web server will return a 403 Forbidden response.

    However, if the request is malformed or the requested resource does not exist, the web server may return a different HTTP status code, such as 400 Bad Request or 404 Not Found. These status codes are not related to the IP restriction rules and are instead related to the request itself.

    To determine the cause of the issue, you may need to review the HTTP log entries in more detail to see if there is a pattern or commonality among the requests that are returning 400 or 404.

    In general, IP restriction rules work on all incoming requests to the web server, regardless of the requested resource or the HTTP status code that is returned. If a request comes from an unauthorized IP address, the web server will return a 403 Forbidden response, regardless of the requested resource or the HTTP status code that is returned.
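One way to do the log review suggested in the answers, as an added example that is not part of the original thread: it reads W3C extended HTTP log lines, compares each `c-ip` with the allow list, and groups the requests from non-allowed addresses that ended in something other than 403. The allowed ranges, the sample log lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the same ranges that <ipSecurity> allows in Web.config (constructed values).
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed sample; real W3C logs name their columns in the same "#Fields:" directive.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2023-07-26 01:00:01 GET /index.html 203.0.113.10 200 0
2023-07-26 01:00:05 GET /index.html 192.0.2.44 403 0
2023-07-26 01:00:09 GET /old-page.html 192.0.2.44 404 0
2023-07-26 01:00:12 GET /bad%url 192.0.2.91 400 0
2023-07-26 01:00:15 GET /missing.css 203.0.113.10 404 0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def is_allowed(ip_text):
    """True if the client address falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client address: treat as not allowed
    return any(ip in net for net in ALLOWED)

def non_403_from_blocked(text):
    """Count (status.substatus, URI) for non-allowed clients that did not receive 403."""
    hits = Counter()
    for row in parse_w3c(text):
        if not is_allowed(row["c-ip"]) and row["sc-status"] != "403":
            status = f'{row["sc-status"]}.{row.get("sc-substatus", "0")}'
            hits[(status, row["cs-uri-stem"])] += 1
    return hits

if __name__ == "__main__":
    for (status, uri), count in non_403_from_blocked(SAMPLE_LOG).most_common():
        print(count, status, uri)
```

Grouping by status, substatus and URI makes it easier to see whether the 400 and 404 entries share a pattern, such as the same missing path or the same malformed request.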


1 additional answer

  1. Lex Li (Microsoft) 5,847 Reputation points Microsoft Employee
    2023-07-27T05:54:00.4233333+00:00

    When you use web.config to configure Azure App Service, under the hood IIS is used, and the modules in the pipeline take order to handle incoming HTTP requests, as documented in

    https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/introduction-to-iis-architecture#http-request-processing-in-iis

    The module that implements IP restriction rules is not the first module to execute, so any module executed in front of it can return a different error code and exit the pipeline. So, those 400 or 404 errors should be surprising. You can enable diagnostic logging to learn more about the causes, https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#log-detailed-errors

