Best practice to whitelist clientIP in multisite WAF for a single web application

sindhu sneha 150 Reputation points
2023-07-27T09:46:39.1766667+00:00

In our organization they use a multi-site WAF with a shared subnet for each environment. What is the best way to whitelist a client IP for a particular web app's services (frontend IP - public)?


Accepted answer
  GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-07-27T11:41:55.27+00:00

    Hello @sindhu sneha ,

    I understand that you would like to know the best practice to whitelist client IPs in Application gateway WAF.

    You can configure IP restriction on Azure Application Gateway to allow access from a few source IPs by using an NSG on the Application Gateway subnet.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#allow-access-to-a-few-source-ips

    In case you are using Application Gateway WAF V2, you can use WAF V2 Custom rules to whitelist IP addresses.

    Please refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    The Azure Application Gateway Web Application Firewall (WAF) v2 can be associated to a WAF policy which contains all the WAF settings and configurations. This includes exclusions, custom rules, managed rules, and so on. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF.

    Allowing and blocking traffic is simple with custom rules. For example, you can allow/block all traffic coming from a range of IP addresses.

    To allow something, ensure that the -Action parameter is set to Allow. To block something, ensure that the -Action parameter is set to Block.

    You can create a Custom rule on Azure Application Gateway WAF v2 to block all requests from an IP address/range.

    You can use the "RemoteAddr" variable, which is the IPv4 address/range of the remote computer connection, with the operator IPMatch to create such a rule and block all requests from a particular IP address or range.

    Example reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules#example-3

    To create custom rules, you first need to create a Web Application Firewall policy for Application Gateway.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag

    Once the WAF policy is created, you can create a custom rule as per your requirement and associate the policy to your Application gateway.

    You can associate the WAF policy with any of the below combinations:

    • Your application gateway - When you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.
    • Any specific listener - With per-site WAF policies, you can protect multiple sites with differing security needs behind a single WAF by using per-site policies.
    • Any path-based rules - If there are certain pages within a single site that require different policies, you can make changes to the WAF policy that only affect a given URI. Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

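The allow-then-block pattern the answer describes, built as a per-site WAF policy with Az PowerShell (an added example, not code from the answer or from Microsoft's docs). The resource group, gateway name, listener name and client ranges are placeholders; the listener-association step assumes a plain HTTP listener (an HTTPS listener also needs its -SslCertificateId passed through).

```powershell
# Added example; all names and IP ranges below are constructed placeholders.
$rg       = "rg-waf-example"
$agwName  = "agw-multisite"
$listener = "listener-app1"                            # listener of the one web app to restrict
$allowed  = @("203.0.113.10/32", "198.51.100.0/24")    # constructed sample client ranges

# Match variable: the source address as seen by the WAF (RemoteAddr, as in the answer).
$remoteAddr = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

# Rule 1 (priority 10): Allow requests whose source IP is in the allow list.
$allowCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $remoteAddr `
    -Operator IPMatch -MatchValue $allowed -NegationCondition $false
$allowRule = New-AzApplicationGatewayFirewallCustomRule -Name AllowClientIPs -Priority 10 `
    -RuleType MatchRule -MatchCondition $allowCond -Action Allow

# Rule 2 (priority 20): Block everything that did NOT match the list (negated condition).
$blockCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $remoteAddr `
    -Operator IPMatch -MatchValue $allowed -NegationCondition $true
$blockRule = New-AzApplicationGatewayFirewallCustomRule -Name BlockOtherIPs -Priority 20 `
    -RuleType MatchRule -MatchCondition $blockCond -Action Block

# Prevention mode so the Block action is enforced rather than only logged.
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled
$policy = New-AzApplicationGatewayFirewallPolicy -Name "wafpol-app1-allowlist" `
    -ResourceGroupName $rg -Location (Get-AzResourceGroup -Name $rg).Location `
    -PolicySetting $settings -CustomRule $allowRule, $blockRule

# Per-site association: attach the policy to this app's listener only, so the other
# sites on the shared gateway keep the gateway-level policy.
$agw = Get-AzApplicationGateway -Name $agwName -ResourceGroupName $rg
$l   = Get-AzApplicationGatewayHttpListener -Name $listener -ApplicationGateway $agw
Set-AzApplicationGatewayHttpListener -ApplicationGateway $agw -Name $listener `
    -Protocol $l.Protocol -FrontendIPConfigurationId $l.FrontendIpConfiguration.Id `
    -FrontendPortId $l.FrontendPort.Id -HostName $l.HostName -FirewallPolicyId $policy.Id
Set-AzApplicationGateway -ApplicationGateway $agw
```

Two things to check before relying on this: a custom rule with -Action Allow stops evaluation for that request, so the allow-listed clients are not inspected by the managed rule set unless you use Log instead, and RemoteAddr is the address of whatever connects to the gateway, so if another proxy or CDN sits in front, the real client IP is in X-Forwarded-For and the condition must match on that header instead.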
