403 Forbidden Error When Accessing Specific URL via Custom Domain on Azure App Gateway

sindhu sneha 150 Reputation points
2023-08-26T17:23:29.33+00:00

I am currently facing an issue with an Azure application gateway setup and would greatly appreciate any insights or suggestions.

Issue Description: I have set up an application gateway to manage traffic for an Azure App Service, and we have associated a custom domain name with this setup. Most of the endpoints under the custom domain work perfectly fine, but I am encountering a peculiar issue with one specific URL (endpoint). When attempting to access this particular URL, I consistently receive a "403 Forbidden" error.

Observations:

The curious part is that I can access the same URL without any issues using the azurewebsites.net domain provided by Azure, but the problem arises only when using our organization's custom domain.

Troubleshooting Steps Taken:

I have examined and tried implementing CORS policies, but this doesn't seem to be the root cause as other endpoints are accessible without any problems.

I have also experimented with custom policies, hoping to enable access, but this approach also didn't yield the desired outcome.

There are no access restrictions or private endpoints configured that could be causing this issue.

All other endpoints under the custom domain are accessible as expected.

Seeking Assistance: Given the circumstances, I am reaching out to the community to seek guidance on this matter. Has anyone else encountered a similar issue? Could there be any particular configuration or setting that might be influencing this behavior? Any suggestions or experiences shared would be immensely valuable in resolving this challenge.


Accepted answer
  1. KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee
    2023-08-28T07:41:09.6866667+00:00

    @sindhu sneha

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you are receiving 403 Forbidden while accessing your website via Application gateway.

    It is possible that the 403 is either coming from the App gateway or the App Service itself.

    I note that you did mention that the azurewebsites.net domain does not throw this error, which indicates the error is coming from the Azure App Gateway WAF.

    However, to be sure, let's please check both logs.

    • Do you have the WAF in Prevention mode or Detection mode?
      • If it's in Prevention mode, does keeping it in Detection mode help?
    • Did you check both the WAF logs and the Access logs?
      • Enable logs: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-metrics#logs-and-diagnostics
      • Check Access logs: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#access-log
      • Check WAF logs: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#firewall-log
    • Did you check which Managed Rule is getting hit?
    • If the WAF logs are not capturing anything, it means the 403 is coming from the App Service itself, and it should be visible in the Access logs.

    You confirmed that setting the WAF in Prevention Mode resolved the issue.

    As I suggested, this will make your Application Gateway vulnerable to attacks, as disabling the WAF entirely (i.e., moving to prevention mode) disables all the Core Rules, which opens the door to other threats.

    Instead, you should only disable the rule in the CRS Rule Set that causes the 403, and not the entire WAF.

    You can do this by following: Customize Web Application Firewall rules.

    To find out which rule is being triggered, you must use the WAF logs.


    In addition to disabling a rule, you can also consider:

    • Custom rules: These rules hold a higher priority than the rest of the rules in the managed rule sets. If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated.
    • Create an Exclusion List: WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. The rest of the request is evaluated as normal. You can configure a WAF exclusion for certain request attributes.

    Custom rules and exclusion lists are dependent on your application, and you should work with your application team to arrive at the correct configuration.

    So, for easier configuration and less overhead, you can consider disabling a rule.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

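One way to work through the WAF logs Kapil points to and find which managed rule sits behind the 403 on the custom domain, as an added example that is not part of the thread or any Microsoft tooling: the log lines are constructed placeholders laid out like Application Gateway firewall diagnostic entries, and the hostname and path are assumed values.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Application Gateway WAF diagnostic
# entries (ApplicationGatewayFirewallLog); hosts, IPs and ids are placeholders.
SAMPLE_WAF_LOG = r'''
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/api/export?id=1","ruleId":"942100","action":"Matched","hostname":"app.example.com","transactionId":"t1"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/api/export?id=1","ruleId":"949110","action":"Blocked","hostname":"app.example.com","transactionId":"t1"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/api/export?id=2","ruleId":"942100","action":"Matched","hostname":"app.example.com","transactionId":"t2"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/api/export?id=2","ruleId":"949110","action":"Blocked","hostname":"app.example.com","transactionId":"t2"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/home","ruleId":"920350","action":"Matched","hostname":"app.example.com","transactionId":"t3"}}
{"category":"ApplicationGatewayAccessLog","properties":{"requestUri":"/api/export","httpStatus":403,"host":"app.example.com"}}
not a json line
'''

# CRS 3.x rule 949110 is the anomaly-score aggregator: it issues the block once
# the individual "Matched" rules push the score over the threshold, so it is
# never the rule to disable.
ANOMALY_SCORE_RULE = "949110"


def parse_waf_log(text):
    """Properties of each well-formed firewall entry; skips blank or malformed
    lines and entries from other categories such as the access log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("category") == "ApplicationGatewayFirewallLog":
            entries.append(record["properties"])
    return entries


def blocked_paths(entries, hostname):
    """Number of WAF blocks per request path (query string stripped) on one host."""
    return Counter(e["requestUri"].split("?", 1)[0] for e in entries
                   if e.get("hostname") == hostname and e.get("action") == "Blocked")


def rules_to_review(entries, hostname, path):
    """Rule ids that fired on host/path with hit counts, leaving out 949110."""
    return Counter(e["ruleId"] for e in entries
                   if e.get("hostname") == hostname
                   and e["requestUri"].split("?", 1)[0] == path
                   and e["ruleId"] != ANOMALY_SCORE_RULE)
```

Run `blocked_paths` on the custom-domain listener first, then `rules_to_review` on the one path that shows blocks; the rule ids it returns are the candidates for a targeted disable or exclusion rather than switching the whole WAF off.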

1 additional answer
  1. Jonas Nordtorp Olesen - Dronevolt 5 Reputation points
    2024-03-15T12:06:47.33+00:00

    For anyone who stumbles upon this issue: I had the same problem, but it wasn't my WAF that blocked the request.

    My App Service was behind a private endpoint, and I had not linked the VNet for my application gateway to the private DNS zone that resolves the privatelink FQDN for the private endpoint. I confirmed this by changing the backend pool to point directly to the private endpoint IP.
