
Good day,

As we know, creating an IP-based TLS binding (contrary to SNI binding) allocates a dedicated IP address to an App Service webapp. But it still remains accessible via the IP shared with other webapps (including webapps of other customers).

In some situations I'd prefer to allow traffic via the dedicated IP only, blocking traffic via the shared one. Is it possible somehow to unbind the webapp from the shared endpoint?

(Why would I prefer this? Let's say I place some WAF-as-a-service in front of this app, so it would inspect the traffic. I can use Access Restrictions to limit access to my app to the WAF's address ranges only, but this won't help if an attacker opens an account on the same WAF and points his own site to my IP. A remedy for this: the WAF service can register this IP as dedicated to my account, so other WAF users won't be able to point their sites to it. But, of course, I cannot do this with the shared Azure IP, because then legitimate WAF users having sites on Azure App Services will be affected.)

Thanks, Mucius.

Cat Mucius

1 Answer


Apparently, it cannot be done without additional components. But if I do this:

  • place Application Gateway or some firewall on an IaaS VM (or even some plain VM with port forwarding enabled) in a VNET subnet,
  • bind my webapp to the same VNET,
  • use "Access Restrictions" to allow traffic to my webapp only from Gateway's subnet,
  • attach NSG to this subnet and use it to allow incoming traffic from CDN's ranges only,
  • and then point the CDN to the public IP of this Gateway -

then this problem is solved, since the Gateway's IP is not shared with other customers.

Cat Mucius
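The answer's layout (gateway subnet with an NSG, web app integrated into the same VNet, Access Restrictions allowing only the gateway subnet) expressed as Azure CLI commands. This is an added example, not code from the question or the answer: every resource name, the address space, and the 203.0.113.0/24 "WAF/CDN" range are constructed placeholders, the web app is assumed to already exist, and deploying the Application Gateway (or firewall VM) itself into the gateway subnet is left out. Run with `plan` to print the commands for review, or `apply` to execute them against a logged-in `az`.

```shell
#!/bin/sh
# Added example (not from the original post): az CLI steps for putting an
# App Service web app behind a gateway subnet so that only traffic entering
# through the gateway's own public IP is accepted.
set -eu

RG="${RG:-rg-example}"                      # placeholder resource group
LOCATION="${LOCATION:-westeurope}"          # placeholder region
VNET="${VNET:-vnet-example}"
GW_SUBNET="${GW_SUBNET:-snet-gateway}"      # Application Gateway / firewall VM lives here
APP_SUBNET="${APP_SUBNET:-snet-app}"        # delegated subnet for App Service VNet integration
NSG="${NSG:-nsg-gateway}"
WEBAPP="${WEBAPP:-webapp-example}"          # existing App Service web app (placeholder name)
WAF_RANGES="${WAF_RANGES:-203.0.113.0/24}"  # constructed placeholder for the WAF/CDN egress ranges
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1 prints each command instead of running it

# Run az, or print the full command line when DRY_RUN=1 so the plan can be reviewed.
az_run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
  else
    az "$@"
  fi
}

lockdown_plan() {
  # 1. VNet with one subnet for the gateway and one delegated subnet for the web app.
  az_run network vnet create -g "$RG" -l "$LOCATION" -n "$VNET" \
    --address-prefix 10.0.0.0/16 --subnet-name "$GW_SUBNET" --subnet-prefix 10.0.1.0/24
  az_run network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$APP_SUBNET" \
    --address-prefixes 10.0.2.0/24 --delegations Microsoft.Web/serverFarms

  # 2. NSG on the gateway subnet: only the WAF/CDN ranges may reach 443. The NSG's
  #    built-in DenyAllInBound rule drops everything else. Application Gateway v2
  #    additionally needs inbound GatewayManager on 65200-65535 for its own probes.
  az_run network nsg create -g "$RG" -l "$LOCATION" -n "$NSG"
  az_run network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowWafHttps \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$WAF_RANGES" --destination-port-ranges 443
  az_run network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowGatewayManager \
    --priority 110 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes GatewayManager --destination-port-ranges 65200-65535
  az_run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$GW_SUBNET" \
    --network-security-group "$NSG"

  # 3. Bind the web app to the VNet (outbound integration through the delegated subnet).
  az_run webapp vnet-integration add -g "$RG" -n "$WEBAPP" --vnet "$VNET" --subnet "$APP_SUBNET"

  # 4. Allow inbound only from the gateway subnet (the CLI enables the Microsoft.Web
  #    service endpoint on it). The first Allow rule flips the implicit default to
  #    Deny, so requests reaching the web app over the shared or dedicated inbound IP
  #    from any other source are rejected with HTTP 403.
  az_run webapp config access-restriction add -g "$RG" -n "$WEBAPP" \
    --rule-name AllowGatewaySubnet --action Allow --priority 100 \
    --vnet-name "$VNET" --subnet "$GW_SUBNET"
}

# Number of az commands the plan would issue; a quick sanity check before applying.
plan_command_count() {
  ( DRY_RUN=1; lockdown_plan ) | wc -l | tr -d ' '
}

case "${1:-}" in
  plan)  DRY_RUN=1; lockdown_plan ;;
  apply) lockdown_plan ;;
  *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

The Access Restrictions rule is the piece that answers the original question: once it is in place the web app still has both IPs, but neither accepts traffic unless it arrives from the gateway subnet, and the NSG in front of that subnet is where the WAF/CDN source ranges are enforced.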