Allow access through WAF only for whitelisted IPs

Raphael Pereira 20 Reputation points
2024-05-27T19:21:18.7+00:00

I have an Azure Application Gateway where I manage a few client domains. I have a few production and staging domains routed to this application gateway, which I manage where I need them to be pointed to.

When I was working with the domains pointed directly to my servers, I had the ability to configure directly in the servers the IPs I wanted to be allowed on those servers. Using the application gateway, that isn't possible, since all traffic reaches the server with the application gateway IP as source.

What happens is that I need all domains that contain "staging" in their name to be accessible only by a list of whitelisted IPs.

Is there a way to set this up with a custom WAF rule?

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
990 questions
Azure Web Application Firewall
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 48,526 Reputation points Microsoft Employee
    2024-05-28T12:39:48.1833333+00:00

    Hello @Raphael Pereira ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like all your Application gateway domains that contain "staging" in their name to be accessible only by a list of whitelisted IPs.

    This is possible via custom WAF rule as you mentioned.

    Allowing and blocking traffic is simple with custom rules. For example, you can block all traffic coming from a range of IP addresses.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules#example-5

    As mentioned by @Michael Cameron above, you can protect multiple sites with differing security needs behind a single WAF by using per-site policies.

    You can have separate WAF policies (one for each listener) to customize the exclusions, custom rules, managed rule sets, and all other WAF settings for each site.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview#per-site-waf-policy

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies

    So, you can associate WAF policies to all listeners with "staging" domain name with custom WAF rules to allow the IP addresses you need.

    The best way to whitelist the IP addresses is to create a custom WAF rule with all the IP addresses with operation "does not contain" and condition as "Deny" as below:

    User's image

    Refer: https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020

    https://learn.microsoft.com/en-us/answers/questions/1179573/how-to-define-ip-whitelist-in-azure-application-ga

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Michael Cameron 502 Reputation points
    2024-05-27T20:44:50.3233333+00:00

    Yes. You could use WAF policies, I think this describes what you want: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies

    Does that help?

    0 comments No comments

  2. Raphael Pereira 20 Reputation points
    2024-05-28T15:00:30.8833333+00:00

    Hi and @Michael Cameron, thanks for your reply.

    I have created the custom WAF policy, but I can't see where I'd be able to attach it to my listeners in the UI. Is this something only doable using the CLI? I've figured it out, thanks again for the support. Creating the WAF policy as a Regional WAF directly from the Resources Creation screen enabled the association with the Listeners.

    0 comments No comments