
My scenario looks like this:

  • An Application Gateway for my data center.
  • A backend pool where I have two servers with 5 web sites (a.com, b.com and c.com).
  • Another backend pool where I have two servers with 5 web sites (e.com, f.com and g.com).

In my backend pool I have blocks so that some external IPs do not access the web site (a.com), while all other sites (b.com and c.com) can be accessed by any external source.

The Application Gateway documentation says that the external (Client IP) is not visible to the backend pool, as the (Client IP) that arrives at the backend pool is the IP of the Application Gateway subnet.

https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway at (Application Gateway only)

Ref. Azure doc: "That is, Application Gateway terminates the web session from the client, and establishes a separate session with one of its backend servers."

That is, the IPs that I will see on my IIS are from the Application Gateway subnet.

This way, at the IIS level, I can't do this type of restriction, because I can't filter external IPs as I always did without using the Application Gateway.

Is there an alternative to doing this blocking either via Application Gateway or another Azure layer?

Bear in mind that on the same Application Gateway I work with multi-site.

Thank you.

  • Did you solve this issue? I'm facing a similar problem https://stackoverflow.com/questions/72407809/implement-azure-waf-ip-restriction-on-specific-sub-domains – RikRak May 27 '22 at 16:31

1 Answer


The IP the traffic comes from will always be the App Gateway IP. There isn't really anything you can do to change this, and it would be the same with other Azure services like Front Door.

However, App Gateway does add a header to the request called "X-Forwarded-For" which does contain the client's source IP, so if you can filter based on this you can do the same thing.

Sam Cogan
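The per-site filtering the answer describes, as an added example that is not part of the original question or answer. It models the decision a backend (or a middleware in front of it) would make: the immediate peer must be the Application Gateway subnet before the X-Forwarded-For header is believed at all, and only the rightmost entry (the one the gateway appended) is used, so values a client put into the header itself cannot satisfy or bypass the restriction. The gateway subnet, the deny lists and the request samples are constructed placeholders; the restricted site is a.com as in the question, and the parser accepts both plain addresses and the "address:port" form, since the header value may carry a port.

```python
import ipaddress

# Constructed placeholder: the subnet the Application Gateway instances send from.
# Only a request whose TCP peer is in this subnet passed through the gateway,
# so only then is the X-Forwarded-For header it appended trustworthy.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed per-site deny lists. Sites not listed here (b.com, c.com, ...)
# stay open to every source, as in the question.
SITE_DENY = {
    "a.com": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("198.51.100.7/32"),
    ],
}


def _parse_forwarded_entry(entry):
    """Turn one X-Forwarded-For element into an IP address.

    Accepts "192.0.2.10", "192.0.2.10:44321" and "[2001:db8::1]:443".
    Returns None for anything that is not an address.
    """
    entry = entry.strip()
    if entry.startswith("["):                 # bracketed IPv6, optionally with :port
        end = entry.find("]")
        if end == -1:
            return None
        entry = entry[1:end]
    elif entry.count(":") == 1:               # IPv4 with a port appended
        entry = entry.split(":", 1)[0]
    try:
        return ipaddress.ip_address(entry)
    except ValueError:
        return None


def client_ip(remote_addr, xff_header):
    """Return the originating client address, or None if it cannot be trusted.

    remote_addr is the TCP peer seen by the backend (the gateway, if the
    request came through it). The gateway appends the real client to the end
    of X-Forwarded-For, so the rightmost element is the one it added; anything
    to its left was supplied by the client and is ignored.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return None                            # did not come via the gateway
    if not xff_header:
        return None                            # gateway always sets it; treat absence as untrusted
    return _parse_forwarded_entry(xff_header.split(",")[-1])


def is_allowed(site, remote_addr, xff_header):
    """Apply the per-site deny list using the trusted client address.

    Sites without a deny list are always allowed. A restricted site fails
    closed when no trustworthy client address can be established.
    """
    denied = SITE_DENY.get(site)
    if not denied:
        return True
    ip = client_ip(remote_addr, xff_header)
    if ip is None:
        return False
    return not any(ip in net for net in denied)


def evaluate(requests):
    """Run a batch of (site, remote_addr, xff) tuples; return the decisions."""
    return [is_allowed(site, peer, xff) for site, peer, xff in requests]


# Constructed sample requests, in (Host, TCP peer, X-Forwarded-For) form.
SAMPLE_REQUESTS = [
    ("a.com", "10.0.1.5", "203.0.113.9"),                    # via gateway, denied range
    ("a.com", "10.0.1.5", "203.0.113.9, 192.0.2.10:44321"),  # client-supplied left entry ignored
    ("a.com", "192.0.2.10", "192.0.2.10"),                   # bypassed the gateway, fail closed
    ("a.com", "10.0.1.5", "198.51.100.7:5000"),              # denied single host, port stripped
    ("b.com", "10.0.1.5", "203.0.113.9"),                    # unrestricted site
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(req, "->", "allow" if verdict else "deny")
```

The same rule can be expressed in IIS itself: the IP and Domain Restrictions feature has an "Enable Proxy Mode" setting that evaluates the X-Forwarded-For header instead of the socket address, and the same trusted-peer caveat applies there, since the header is only meaningful when the gateway is the only path into the backend.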