Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,939 questions
How to preserve the Client IP that is amended by Azure Front Door, another amendment by App Gateway before reaching Azure APIM
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 97%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBT%3C/text%3E%3C/svg%3E)
Bi Tan
0
Reputation points
Hi,
My setup is configured with Azure Front Door + Azure WAF --> Azure App Gateway + WAF --> Azure API Management.
The diagnostic data logs are kept with Azure Monitor.
I am trying to configure in bound throttling policy on APIM to rate limit user based on IP. However, the Client IP that returns from the logs of APIM seems to be the IP address of App Gateway, and the Client IP that returns from the logs of App Gateway seems to be the IP address of Front Door. Hence, I could not setup any policy on APIM to restrict user access based on IP addresses.
I have reviewed the other Q&A and Microsoft documentation, and is aware that the original Client IP is preserved via a request header X-Forwarded-For when the request is flowing through Front Door --> App Gateway and App Gateway --> APIM.
I have tried the Remove port information from the X-Forwarded-For header solution (both {var_add_x_forwarded_for_proxy} and {var_add_client_ip}) on App Gateway, but the clientIP in the Azure Monitor Logs for App Gateway is still returning Front Door's IPs and APIM is still returning App Gateway's IPs.
Can you please assist and advise how can I preserve/overwrite/create a variable in APIM to be used to setting up an in-bound policy?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,656 Reputation points Microsoft Employee2024-07-17T15:45:52.5833333+00:00 Thank you for reaching out.
Since you have Azure Front Door with WAF configured in your set-up. I wonder if you can use the rate limiting feature of Azure Front Door WAF instead.
Rate limiting for AFD WAF enables you to detect and block abnormally high levels of traffic from any socket IP address. By using Azure Web Application Firewall in Azure Front Door, you can mitigate some types of denial-of-service attacks. Rate limiting also protects you against clients that were accidentally misconfigured to send large volumes of requests in a short time period.
The socket IP address is the address of the client that initiated the TCP connection to Azure Front Door. Typically, the socket IP address is the IP address of the user, but it might also be the IP address of a proxy server or another device that sits between the user and Azure Front Door. If you have multiple clients that access Azure Front Door from different socket IP addresses, they each have their own rate limits applied.
I think applying the rate limit at Front Door itself will be beneficial here as the request you wish to throttle will not go to any of your other components (App Gateway and APIM) preserving their bandwidth. Please let me know if you have any particular reason to apply the rate limiting at APIM instead. Thank you!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Ben Gimblett 3,845 Reputation points Microsoft Employee2024-07-19T14:15:54.3066667+00:00 +1 to my colleagues comment
It would be better, in this situation, to rate limit at Front Door and this is also more efficient as it is the first (and closest) proxy the client connects toNote: Proxies should append information if an existing XFF header already exists. To my knowledge both Az Front Door and App GW both append if an XFF header already exists
With this in mind it should be possible to extract the original client IP as the first value (from the XFF value) in the delimited list into a variable and then use that (instead of the context object) https://learn.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling#ip-address-throttling
Sign in to comment