Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,086 questions
How to preserve client IP address in a network architecture that utilized CDN > Application Gateway.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 52%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Guo Sheng Teh
0
Reputation points
Hi guys,
I currently have a setup that accepts client request from CDN and forward to application gateway in front of a backend server.
The problem now is due to security concerns, I would like to obtain client IP addresses from application gateway's logs. All the request origin was shown and logged as CDN ip address instead of actual IP address of client side.
May I know any ways that I can configure my CDN and allow application gateway to get client's IPs? I know there is a technique called request headers modification and stuff about x-forwarded. Do anyone have any suggestions on this?
Appreciate your time and help to look into this!
{count} votes
-
Deepanshukatara-6769 10,690 Reputation points2024-08-23T06:56:38.2533333+00:00 Hello , Welcome to MS Q&A
To configure your Azure CDN and Application Gateway to log client IP addresses instead of CDN IP addresses, you can use the
X-Forwarded-Forheader. This header is added by the CDN to the request and contains the original client IP address. Here are the steps to achieve this:Enable
X-Forwarded-ForHeader:- Ensure that your CDN is configured to include the
X-Forwarded-Forheader in the requests it forwards to the Application Gateway. This header will contain the original client IP address.
Configure Application Gateway:
- Configure your Application Gateway to log the `X-Forwarded-For` header. This can be done by setting up custom logging in your Application Gateway to extract the client IP address from the `X-Forwarded-For` header. **Update Logging Solution**: - Ensure that your logging solution is set up to parse and log the `X-Forwarded-For` header. This will allow you to see the original client IP addresses in your logs.For more detailed information, you can refer to the following articles:
- Manage a public IP address with an Azure Application Gateway
- How an application gateway works
- Application gateway components
By following these steps, you can ensure that the client IP addresses are logged correctly in your Application Gateway logs.
Please let us know if any further questions
Kindly accept answer if it helps
Thanks
Deepanshu - Ensure that your CDN is configured to include the
-
Guo Sheng Teh 0 Reputation points
2024-08-26T09:21:44.5966667+00:00 Hi Deepanshu,
Thank you for your time reaching out and commenting the solution.
I have gone through many articles and MS documentation regarding the HTTP request headers modifications and about the rule engine.
However, I still don't know how should I configure my CDN to modify all the incoming requests (assuming all are client's requests) to append the
x-forwarded-forheaders into it. To be more specific, how should I configure the rules....Furthermore, I know we must ensure that our logging solution able to catch
x-forwarded-fordata when we search for it. My question is how can I configure AppGateway logging to accept the metadata or I probably need OMS to check for the logs in CDN directly?Thanks again!
Dex
-
KapilAnanth-MSFT 47,201 Reputation points Microsoft Employee2024-08-28T09:50:49.82+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to know how you can preserve the Client IP in your Azure CDN.
Azure CDN from Microsoft should do this by default
- See : Debug HTTP header for Azure CDN from Microsoft
- Also, per this document, HTTP headers supported in Azure CDN, see Azure Front Door to backend.
-
Wrt Application Gateway logging,
- No custom logging is supported
- However, the HTTP headers should be passed on to your actual application.
- This means, your application can leverage the X-Forwarded-For header directly without logging it.
Hope this adds more clarity
Cheers,
Kapil
Sign in to comment
Sign in to answer