zeeshanmcp12 asked msrini-MSFT answered

WAF does not block traffic based on IP address

Hi,

I have a web app running on VMSS behind Application Gateway. Azure Firewall is front-facing for that Application Gateway, and the domain name is also mapped to the Azure Firewall public IP address.
This domain name is configured as a listener in Application Gateway.

The web application has a login console which we can browse at https://www.contsoso.com/console/admin

I've also attached a WAF (custom policy) with Application Gateway to Allow/Deny the traffic.

I want to allow access on "/console/admin" based on certain IP addresses. For example, if the remote address is "1.2.3.4" and RequestUri is "/console/admin", then allow access to the "login console"; otherwise deny it for everyone.

Application Gateway is running behind Azure Firewall, and since the firewall does not send the source IP (requester) embedded in the request, the above rule (with IP address 1.2.3.4) is not working, hence the "login console" is publicly exposed.

The options to block public access to "/console/admin" on Azure Firewall are not as sophisticated as what we want to achieve.

I also followed this article but it didn't work in my case.

Using an NSG (as per my understanding), we cannot create a rule that blocks access on a path, i.e. /console/admin.

Please help me whether we can achieve this or not.


Tags: azure-application-gateway, azure-web-application-firewall
6 comments

@zeeshanmcp12 Thank you for reaching out to Microsoft Q&A.

I understand that you have an AzFW -> WAF+AppGW -> WebApp setup and you want to control traffic based on the IP and path on the AppGW. However, since traffic from the Firewall does not show the actual source IP, you are unable to implement this scenario. Please let me know otherwise.

This may be happening because Azure SNATs traffic for all outbound traffic to public IP addresses. To configure Azure Firewall to never SNAT regardless of the destination IP address, use 0.0.0.0/0 as your private IP address range. Here is how to make this change via the Portal. Hope this helps.

If you have any further questions/concerns, please do let us know and we will be glad to assist further. Thank you!


Hi @SaiKishor-MSFT

Thank you for your response.

Yes, you are right as I want to block the traffic on WAF based on IP address. In our case, we followed this approach for our solution but due to change in requirements from business side, we cannot achieve our goal.

We will apply your suggested configurations in our subscription. However, as per this MS documentation, we can avoid such situation by using Frontdoor in front of Azure Firewall.

The application can't see the original source IP address of the web traffic; the Azure Firewall SNATs the packets as they come in to the virtual network. To avoid this problem, use Azure Front Door in front of the firewall. Azure Front Door injects the client's IP address as an HTTP header before it enters the Azure virtual network.

...but I haven't found any article or further documentation which can help us achieve our goal with minimal change in the architecture. I would appreciate it if you could point to any reference.

Hi @SaiKishor-MSFT

We tried to follow the suggestion, and we might have interpreted the SNAT functionality in the Azure Firewall wrongly.
https://docs.microsoft.com/en-us/azure/firewall/snat-private-range We would expect, reading the article, that since we go outbound from the Azure Firewall into the WAF the source IP would be embedded, but in our scenario we cannot see that that's the situation.

Please suggest a way around.


1 Answer

msrini-MSFT answered

@zeeshanmcp12,

Why do you need an Azure Firewall in front of Application Gateway with WAF enabled? Is there any specific use case that you have for this setup?

When you access Azure Firewall's IP and DNAT to Application Gateway, the source IP of the client is masked and Application Gateway sees the traffic coming from Azure Firewall.

I don't see any need for the Firewall as you have WAF enabled on Application Gateway. With only WAF+Application gateway you can easily achieve this scenario.

For now, you will not be able to achieve your ask with Firewall + WAF+AppGW. Try to remove Firewall from the picture to unblock yourself and submit a feature request to Firewall team to add the Source IP of client as a separate header to forward to destination.

Regards,
Karthik Srinivas
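For reference, the WAF+Application Gateway rule pair the answer refers to, as an added Bicep example that is not part of this thread or of any Microsoft sample. The policy name, rule names, priorities and API version are assumptions; 1.2.3.4 and /console/admin are the values from the question.

```bicep
// Assumed names; lower priority number is evaluated first and an Allow
// action stops evaluation, so the trusted-IP rule must come before the block.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-11-01' = {
  name: 'console-admin-waf-policy'
  location: resourceGroup().location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // Detection mode only logs, it does not block
    }
    customRules: [
      {
        name: 'AllowConsoleFromTrustedIp'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Allow'
        matchConditions: [
          {
            // RemoteAddr is the source IP as seen by Application Gateway.
            // Behind a SNATing hop (Azure Firewall here) it is the firewall's
            // address, which is exactly why the rule never matches real clients.
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'IPMatch'
            negationConditon: false // sic: the API spells the property this way
            matchValues: [ '1.2.3.4' ]
          }
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            negationConditon: false
            transforms: [ 'Lowercase' ] // so /Console/Admin cannot bypass the match
            matchValues: [ '/console/admin' ]
          }
        ]
      }
      {
        // Any other request to the console path is blocked before it reaches the app.
        name: 'BlockConsoleForEveryoneElse'
        priority: 20
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            negationConditon: false
            transforms: [ 'Lowercase' ]
            matchValues: [ '/console/admin' ]
          }
        ]
      }
    ]
    managedRules: { managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ] }
  }
}
```

Associate the policy with the gateway and verify with one request from 1.2.3.4 and one from any other address: the first should reach the console and the second should be logged as blocked in the WAF firewall log.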
