Best practice to whitelist clientIP in multisite WAF for a single web application

Question

Best practice to whitelist clientIP in multisite WAF for a single web application

sindhu sneha 150

Our Organization has a multisite WAF which shares common subnets for each environment , Which would be a best way to whitelist client IP in a secure way .(using a public IP in frontend IP )for a particular webapp .

Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-07-27T13:50:31.7166667+00:00

@sindhu sneha - thanks for the question, would it be possible for you to provide some more detail please? to help the contributors here answer more precisely
sindhu sneha 150 Reputation points

2023-07-27T14:08:54.06+00:00

Hi Ben Gimblett

Thanks for reaching out . We have a application gateway which is multisite for different web app services . There is a proxy server web app configuration which requires client Ip to be added .We have public ip in frontend ip since their services also required other cloud support .I wanted to confirm whether by creating a custom rule for adding client IP is the only way or which is the best way to achieve this scenario
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-07-27T14:49:09.6+00:00

Hey @sindhu sneha
So you have an App Gateway proxying client traffic from the App Gateway front end IP (public) through a multi-site listener , allowing you to filter on hostheaders and route accordingly

You can allowlist (whitelist) client traffic into the App Gateway (if you wish to) using an NSG

You can have the app gateway connect to the backend web apps via private endpoints - if you do that the web apps dont need any ACLs , but you can again use NSG if you wish for the subnet the private endpoints are deployed to

You could also have comms between the Application Gateway and Web App via the Web App public endpoint. In this case you can use the web app software firewall (for each web app) to limit incoming comms to the gateway

For a WAF enabled gateway it doesnt make sense to allow data plane traffic to bypass the gateway, and go direct to the web app, because that de-values the effectiveness of the WAF (obviously :) )

You can also lock down downstream services to the web app. For example suppose the web app calls a SQL backend - you can either establish comms using web app vnet integration towards as private endpoint (for SQL DB PaaS) or you could add an ACL for the SQL DB PaaS software firewall to lock down comms only to the web app outgoing IPs, however the outbound IPs are shared (your traffic, and other customers sharing the stamp) so care is required when doing that.

Does this answer the question, or is there another requirement you're looking towards here? Please let me know
sindhu sneha 150 Reputation points

2023-07-27T16:55:15.3433333+00:00

HI Ben Gimblett

To be very precise ,I have two Azure web apps, A and B, which are integrated with an Azure Virtual Network using VNet Integration. Both app services have private endpoints enabled, and public access is disabled. Additionally, they are both configured with multi-site support in Azure Application Gateway WAF V2 tier, enabling them to be accessed through the internet.

To meet my requirement, I need to allow access to my Azure App Service A only from a specific client subnet in GCP's Virtual Private Cloud and remove public access for App Service A.

Can you suggest for the solution. Thanks in advance

Accepted answer

0 additional answers

Your answer

Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-07-27T13:50:31.7166667+00:00

@sindhu sneha - thanks for the question, would it be possible for you to provide some more detail please? to help the contributors here answer more precisely
sindhu sneha 150 Reputation points

2023-07-27T14:08:54.06+00:00

Hi Ben Gimblett

Thanks for reaching out . We have a application gateway which is multisite for different web app services . There is a proxy server web app configuration which requires client Ip to be added .We have public ip in frontend ip since their services also required other cloud support .I wanted to confirm whether by creating a custom rule for adding client IP is the only way or which is the best way to achieve this scenario
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-07-27T14:49:09.6+00:00

Hey @sindhu sneha
So you have an App Gateway proxying client traffic from the App Gateway front end IP (public) through a multi-site listener , allowing you to filter on hostheaders and route accordingly

You can allowlist (whitelist) client traffic into the App Gateway (if you wish to) using an NSG

You can have the app gateway connect to the backend web apps via private endpoints - if you do that the web apps dont need any ACLs , but you can again use NSG if you wish for the subnet the private endpoints are deployed to

You could also have comms between the Application Gateway and Web App via the Web App public endpoint. In this case you can use the web app software firewall (for each web app) to limit incoming comms to the gateway

For a WAF enabled gateway it doesnt make sense to allow data plane traffic to bypass the gateway, and go direct to the web app, because that de-values the effectiveness of the WAF (obviously :) )

You can also lock down downstream services to the web app. For example suppose the web app calls a SQL backend - you can either establish comms using web app vnet integration towards as private endpoint (for SQL DB PaaS) or you could add an ACL for the SQL DB PaaS software firewall to lock down comms only to the web app outgoing IPs, however the outbound IPs are shared (your traffic, and other customers sharing the stamp) so care is required when doing that.

Does this answer the question, or is there another requirement you're looking towards here? Please let me know
sindhu sneha 150 Reputation points

2023-07-27T16:55:15.3433333+00:00

HI Ben Gimblett

To be very precise ,I have two Azure web apps, A and B, which are integrated with an Azure Virtual Network using VNet Integration. Both app services have private endpoints enabled, and public access is disabled. Additionally, they are both configured with multi-site support in Azure Application Gateway WAF V2 tier, enabling them to be accessed through the internet.

To meet my requirement, I need to allow access to my Azure App Service A only from a specific client subnet in GCP's Virtual Private Cloud and remove public access for App Service A.

Can you suggest for the solution. Thanks in advance

Answer 1

Ben Gimblett 4,560 Microsoft Employee

Hey @sindhu sneha -

OK - so you cant use NSG as that would apply to the whole gateway and the gateway covers more than one site each with different requirements ... So ... A combination of "per site" WAF policy + custom waf rule to block by client ip as detailed in the Q&A here https://learn.microsoft.com/en-us/answers/questions/1141185/how-to-block-ip-address(client-ip)-in-azure-applic

sindhu sneha 150 Reputation points

2023-07-29T09:19:52.53+00:00

@Ben Gimblett Thanks for the solution

Share via

Best practice to whitelist clientIP in multisite WAF for a single web application

0 additional answers

Your answer