Azure Web App Access Restrictions not working with Zscaler (ZIA / ZPA) – Getting 403 Forbidden

Aniket Thorat 15 Reputation points
2025-12-16T07:50:57.0433333+00:00

Hi

I have an Azure Web App (App Service) that I want to restrict so it can be accessed only from my company network, which is protected by Zscaler.

What I am trying to achieve

• Allow access to the Azure Web App only when users are connected through Zscaler
• Block access from all other public networks
• This is an internal company application (not public)

Current Setup

• Azure Web App (public endpoint)
• Access Restrictions configured under: Networking → Access Restrictions (Inbound rules)
• Zscaler is used by my organization:
  • Zscaler Internet Access (ZIA)
  • **Zscaler Private Access (ZPA)**

What I have tried

• Added my mobile network public IP to Azure Web App Access Restrictions → ✅ This works as expected
• Added Zscaler ZIA IP addresses:
  • Tried aggregated IP ranges
  • Tried **region-wise IP ranges** → ❌ Application returns **403 Forbidden**
• Added **ZPA-related IP ranges** as well → ❌ Still getting **403 Forbidden**
• Verified that traffic is going through Zscaler (via Client Connector)

Observed Behavior

• When accessing the app from a normal public IP that is whitelisted → works
• When accessing the app from a machine connected to Zscaler → blocked with 403 Forbidden
• It appears that Azure Web App is not recognizing Zscaler traffic as coming from the whitelisted IP ranges

Please help me with how I can solve this issue.
Azure Network Function Manager

1 answer
Q&A Assist
2025-12-16T07:51:12.0733333+00:00
AI generated content. This question contains an answer created with AI from Q&A Assist.

To troubleshoot the issue with your Azure Web App access restrictions when using Zscaler, consider the following points:

1. IP Address Recognition: When using Zscaler, the original client IP may not be passed through to Azure Web Apps as expected. Zscaler typically uses its own IP addresses to route traffic, which can lead to the Azure Web App not recognizing the original client IP as belonging to the allowed list. This is likely why you are receiving a 403 Forbidden error.
2. X-Forwarded-For Header: Ensure that Zscaler is configured to forward the original client IP address in the X-Forwarded-For header. Azure Web Apps can use this header to identify the original client IP. If this is not set up correctly, Azure will only see the Zscaler IP addresses.
3. Zscaler Configuration: Verify that your Zscaler configuration allows the original IP to be forwarded correctly. You may need to consult Zscaler documentation or support to ensure that the traffic is being routed properly and that the original IP is preserved.
4. Testing with Known IPs: As a test, try accessing the Azure Web App from a machine that is not behind Zscaler but uses a known IP address that you have whitelisted. This will help confirm if the issue is specifically related to how Zscaler handles the IP addresses.
5. Access Restrictions: Double-check the access restriction rules in your Azure Web App to ensure that they are set up correctly. Make sure that the rules are in the right order and that there are no conflicting rules that might cause the 403 error.

If after these checks the issue persists, you may need to engage with both Azure support and Zscaler support to further diagnose the problem, as it may require specific configurations on either side to work seamlessly.


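The answer's points 1 and 5 come down to one check: App Service Access Restrictions match on the source address of the connection, which for traffic forwarded by ZIA is a Zscaler egress IP rather than the user's own address, so a 403 means that egress IP falls outside every Allow rule. As an added example, not part of the original question or answer, the Python script below evaluates an observed egress IP against an access-restriction rule list the way App Service does (ascending priority, first match wins, unmatched traffic denied once any Allow rule exists) and reports which ranges would have to contain it. It assumes the field names of the `ipSecurityRestrictions` array returned by `az webapp config access-restriction show`, and uses constructed RFC 5737 documentation addresses, not real Zscaler ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of the ipSecurityRestrictions array that
# `az webapp config access-restriction show` returns (assumed field names).
# Addresses are RFC 5737 documentation ranges standing in for real ones.
SAMPLE_RULES_JSON = """
[
  {"name": "mobile-hotspot",   "action": "Allow", "priority": 100, "ipAddress": "203.0.113.25/32"},
  {"name": "zscaler-region-a", "action": "Allow", "priority": 200, "ipAddress": "198.51.100.0/24"},
  {"name": "Deny all",         "action": "Deny",  "priority": 2147483647, "ipAddress": "Any"}
]
"""

def load_rules(text=SAMPLE_RULES_JSON):
    """Parse the rule list (replace `text` with the real CLI output to test yours)."""
    return json.loads(text)

def evaluate(rules, client_ip):
    """Return (action, rule_name) for client_ip using App Service semantics:
    rules are checked in ascending priority, the first match wins, and when
    any Allow rule exists, unmatched traffic falls through to Deny."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        cidr = rule["ipAddress"]
        if cidr == "Any" or ip in ipaddress.ip_network(cidr, strict=False):
            return rule["action"], rule["name"]
    has_allow = any(r["action"] == "Allow" for r in rules)
    return ("Deny" if has_allow else "Allow"), "implicit default"

def explain(rules, observed_egress_ip):
    """Diagnose a 403: say whether the address the app actually sees is covered."""
    action, name = evaluate(rules, observed_egress_ip)
    if action == "Allow":
        return f"{observed_egress_ip} is allowed by rule '{name}'"
    allowed = [r["ipAddress"] for r in rules if r["action"] == "Allow"]
    return (f"{observed_egress_ip} matches no Allow rule (denied by '{name}'); "
            f"allowed ranges: {', '.join(allowed)}. Compare this with the egress "
            f"address recorded for the request in the App Service HTTP logs.")

if __name__ == "__main__":
    rules = load_rules()
    # 198.51.100.7 sits inside the allowed range; 192.0.2.44 stands in for a
    # Zscaler egress address that was never added to the list.
    for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.44"):
        print(explain(rules, ip))
```

Feed the script the egress address taken from the app's own HTTP logs for a request made through Zscaler; if that address is reported as unmatched, the rule set is missing the range Zscaler actually exits from, regardless of which published ranges were added.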
