I have the following setup in Azure:
- Public IP address (IPv4)
- Azure Application Gateway (Standard V2)
- V-NET with one subnet. AGW deployed to that subnet with 'Add IPv6 address space' checkbox disabled
- AppServices and Functions as backends
Everything is in West EU region if that matters.
I'm troubleshooting one problem and I noticed that the AGW health probe does not contain an origin IPv4 address. I would expect a health probe request to originate from the AGW subnet. In fact that's how it works in other environments with similar setups.
I have a simple Azure Function which I'm using for testing; it logs the list of IP addresses in the X-Forwarded-For header. Nothing fancy really:
```csharp
// Log each X-Forwarded-For value (one entry per proxy hop that added it)
if (request.Headers.TryGetValues("X-Forwarded-For", out var values))
{
    foreach (var val in values) log.LogInformation($"IP:{val}");
}
```
- When I call this function directly I can see one IP address there (an IP of my PC).
- When I call the AGW I can see three IPs (My PC's, Cloudflare's and one unknown IPv6 (???)).
- When AGW performs a health probe I can see just one IPv6 entry (same as above)
Where does this IPv6 address (fde4:8dba:1200:xxxx:xxxx:xxx:xxxx:x, looks like a ULA to me) come from? Why don't I see an IPv4 address from the subnet range?
And how can I enforce the IPv4 address to be present?
This situation breaks my IIS IP restriction rules.
I know I can whitelist IPv6 too:
```xml
<add ipAddress="2001:4898:2a:5:c4ad:9291:22b1:c870" subnetMask="ffff:ffff::" allowed="true" />
```
but that doesn't solve the mystery.
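Added example (not part of the question above, and not Azure or IIS tooling): a small Python diagnostic for the kind of X-Forwarded-For evidence the post collects. It splits a header value into its hops, labels each hop as IPv4, IPv6 ULA (fc00::/7, the range the fd.. prefix in the question belongs to) or other IPv6, reports whether the hop falls inside an assumed Application Gateway subnet, and checks a hop against an IIS ipSecurity entry written as address plus subnetMask, like the rule quoted above. The sample header values, the ULA address and the 10.0.0.0/24 subnet are constructed for the example; the IIS rule address is the one from the post.

```python
import ipaddress
from typing import List, Tuple

# RFC 4193 unique local address range; a "fdxx:" prefix like the one in the question falls here.
ULA_RANGE = ipaddress.ip_network("fc00::/7")

# Constructed header values modelled on the three cases in the question
# (direct call, call through the gateway, health probe). Addresses are
# documentation/example ranges plus a made-up ULA, not real hosts.
SAMPLE_HEADERS = {
    "direct": "203.0.113.10",
    "via_agw": "203.0.113.10, 198.51.100.7, fd12:3456:789a::10",
    "health_probe": "fd12:3456:789a::10",
}

# Assumed gateway subnet; the real value comes from the VNet configuration.
ASSUMED_AGW_SUBNET = "10.0.0.0/24"


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its hop entries.

    Each proxy appends the address it saw, so the list reads client-first.
    Optional port suffixes ("1.2.3.4:5678" and "[v6]:5678") are stripped.
    """
    entries = []
    for raw in header.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("["):            # "[v6]:port" form
            item = item[1:item.index("]")]
        elif item.count(":") == 1:          # "v4:port" form; a bare IPv6 has more colons
            item = item.split(":")[0]
        entries.append(item)
    return entries


def classify(entry: str) -> str:
    """Label one hop as 'ipv4', 'ipv6-ula', 'ipv6' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "invalid"
    if addr.version == 4:
        return "ipv4"
    return "ipv6-ula" if addr in ULA_RANGE else "ipv6"


def in_subnet(entry: str, subnet: str) -> bool:
    """True when the hop is a valid address of the same family inside the subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return False
    return addr.version == net.version and addr in net


def mask_to_prefixlen(mask: str) -> int:
    """Convert an IIS-style subnetMask ("255.255.255.0" or "ffff:ffff::") to a prefix length.

    ipaddress accepts netmask strings only for IPv4 networks, so the IPv6 form is
    converted by hand; the mask must be contiguous ones followed by zeros.
    """
    addr = ipaddress.ip_address(mask)
    value, bits = int(addr), addr.max_prefixlen
    ones = bin(value).count("1")
    if value != (((1 << ones) - 1) << (bits - ones)):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def matches_rule(entry: str, rule_address: str, rule_mask: str) -> bool:
    """Emulate an IIS <add ipAddress=... subnetMask=...> entry against one hop."""
    net = ipaddress.ip_network((rule_address, mask_to_prefixlen(rule_mask)), strict=False)
    return in_subnet(entry, str(net))


def diagnose(header: str, agw_subnet: str = ASSUMED_AGW_SUBNET) -> List[Tuple[str, str, bool]]:
    """Per hop: (entry, class, whether it comes from the assumed gateway subnet)."""
    return [(e, classify(e), in_subnet(e, agw_subnet)) for e in parse_xff(header)]


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name)
        for entry, kind, from_agw in diagnose(header):
            print(f"  {entry:30} {kind:9} from AGW subnet: {from_agw}")
    rule = ("2001:4898:2a:5:c4ad:9291:22b1:c870", "ffff:ffff::")  # the rule quoted in the post
    print("ULA hop matches quoted IIS rule:", matches_rule("fd12:3456:789a::10", *rule))
```

Run it against the header values your function logs instead of the constructed ones: a hop that classifies as `ipv6-ula` and is not in the gateway subnet is exactly the situation described above, and `matches_rule` shows whether a given allow entry would admit it before you touch the IIS configuration.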