真 川崎 •
Following-up on your comment, adding to Lex Li's suggestions.
When you configure IP restrictions in the Web.config file of an Azure Web App, the IP restriction rules are evaluated before the request is processed by the web application. If the request comes from an unauthorized IP address, the web server will return a 403 Forbidden response.
However, if the request is malformed or the requested resource does not exist, the web server may return a different HTTP status code, such as 400 Bad Request or 404 Not Found. These status codes are not related to the IP restriction rules and are instead related to the request itself.
To determine the cause of the issue, you may need to review the HTTP log entries in more detail to see if there is a pattern or commonality among the requests that are returning 400 or 404.
In general, IP restriction rules work on all incoming requests to the web server, regardless of the requested resource or the HTTP status code that is returned. If a request comes from an unauthorized IP address, the web server will return a 403 Forbidden response, regardless of the requested resource or the HTTP status code that is returned.