WAF does not block traffic based on IP address

Zeeshan 26 Reputation points
2021-09-23T12:54:36.037+00:00

Hi,

I have a web app running on a VMSS behind Application Gateway. Azure Firewall is front-facing for that Application Gateway, and the domain name is also mapped to the Azure Firewall public IP address.
This domain name is configured as a listener in Application Gateway.

The web application has a login console, which we can browse at https://www.contsoso.com/console/admin

I've also attached a WAF (custom policy) to the Application Gateway to allow/deny the traffic.

I want to allow access to "/console/admin" based on certain IP addresses; for example, if the remote address is "1.2.3.4" and the RequestUri is "/console/admin", then allow access to the "login console", otherwise deny it for everyone.

Application Gateway is running behind Azure Firewall, and since the firewall does not send the source IP (of the requester) embedded in the request, the above rule (with IP address 1.2.3.4) is not working; hence the "login console" is publicly exposed.

The options for blocking public access to "/console/admin" on Azure Firewall are not as sophisticated as what we want to achieve.

I also followed this article, but it didn't work in my case.

Using an NSG (as per my understanding), we cannot create a rule that blocks access on a path, i.e. /console/admin.

Please help me to understand whether we can achieve this or not.


1 answer

  1. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2021-11-04T06:42:01.35+00:00

    @Zeeshan,

    Why do you need an Azure Firewall in front of Application Gateway with WAF enabled? Is there any specific use case that you have for this setup?

    When you access Azure Firewall's IP and it DNATs to Application Gateway, the source IP of the client is masked and Application Gateway sees the traffic coming from Azure Firewall.

    I don't see any need for the Firewall, as you have WAF enabled on Application Gateway. With only WAF + Application Gateway you can easily achieve this scenario.

    For now, you will not be able to achieve your ask with Firewall + WAF + AppGW. Try to remove the Firewall from the picture to unblock yourself, and submit a feature request to the Firewall team to add the source IP of the client as a separate header to forward to the destination.

    Regards,
    Karthik Srinivas

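The two custom rules the question asks for (allow "/console/admin" from 1.2.3.4, block the path for everyone else), written in the shape they take under `customRules` of an Application Gateway WAF policy, together with a small local evaluator that shows why the rule set works when clients hit the Application Gateway directly but fails once Azure Firewall DNATs in front of it. This is an added example, not code from the thread or from Microsoft: the evaluator is a simplified model of Azure WAF custom-rule semantics (ascending priority, all match conditions ANDed, first matching Allow/Block decides), the firewall's post-DNAT source address 10.0.1.4 is a constructed value, and the "Pass" result is a local label meaning no custom rule matched.

```python
"""Local model of Azure WAF custom-rule evaluation for the admin-console scenario.

The rule objects mirror the ARM/REST layout of a WAF policy's customRules entry;
the evaluator is an added simplification, not Azure's engine.
"""
import ipaddress

# Lower priority number is evaluated first. Rule 10 requires BOTH conditions
# (RemoteAddr in the allow-list AND path under /console/admin); rule 20 then
# blocks the same path for every other source.
CUSTOM_RULES = [
    {
        "name": "AllowAdminFromTrustedIP",
        "priority": 10,
        "ruleType": "MatchRule",
        "action": "Allow",
        "matchConditions": [
            {"matchVariables": [{"variableName": "RemoteAddr"}],
             "operator": "IPMatch", "matchValues": ["1.2.3.4"]},
            {"matchVariables": [{"variableName": "RequestUri"}],
             "operator": "BeginsWith", "matchValues": ["/console/admin"]},
        ],
    },
    {
        "name": "BlockAdminForEveryoneElse",
        "priority": 20,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [
            {"matchVariables": [{"variableName": "RequestUri"}],
             "operator": "BeginsWith", "matchValues": ["/console/admin"]},
        ],
    },
]

# Constructed value: the private address Azure Firewall presents as the source
# after DNATing the public-IP traffic to the Application Gateway.
FIREWALL_SNAT_IP = "10.0.1.4"


def _variable(request, name):
    """Resolve a WAF match variable against a simplified request dict."""
    if name == "RemoteAddr":
        return request["remote_addr"]
    if name == "RequestUri":
        return request["uri"]
    raise ValueError(f"unsupported match variable: {name}")


def _condition_matches(cond, request):
    """A condition matches if any variable/value pair satisfies the operator."""
    op, values = cond["operator"], cond["matchValues"]
    for mv in cond["matchVariables"]:
        actual = _variable(request, mv["variableName"])
        if op == "IPMatch":
            ip = ipaddress.ip_address(actual)
            # IPMatch accepts single addresses or CIDR ranges.
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif op == "BeginsWith":
            if any(actual.startswith(v) for v in values):
                return True
        elif op == "Contains":
            if any(v in actual for v in values):
                return True
        else:
            raise ValueError(f"unsupported operator: {op}")
    return False


def evaluate(rules, request):
    """Return (action, rule_name) for the first matching rule by priority.

    All matchConditions of a rule must hold. If nothing matches, return
    ("Pass", None): the request would continue to the managed rule set.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(_condition_matches(c, request) for c in rule["matchConditions"]):
            return rule["action"], rule["name"]
    return "Pass", None


def as_seen_behind_firewall(request):
    """The thread's problem: after DNAT, App Gateway's RemoteAddr is the
    firewall's address, so the client's real IP never reaches the WAF rule."""
    return {**request, "remote_addr": FIREWALL_SNAT_IP}


if __name__ == "__main__":
    trusted = {"remote_addr": "1.2.3.4", "uri": "/console/admin"}
    stranger = {"remote_addr": "5.6.7.8", "uri": "/console/admin"}
    print("direct, trusted   :", evaluate(CUSTOM_RULES, trusted))
    print("direct, stranger  :", evaluate(CUSTOM_RULES, stranger))
    print("via firewall, trusted:", evaluate(CUSTOM_RULES, as_seen_behind_firewall(trusted)))
```

With clients reaching the Application Gateway directly, the trusted address is allowed and everyone else is blocked on the console path; routed through the firewall, even the trusted client arrives as 10.0.1.4 and falls through to the Block rule, which is exactly the behaviour the answer describes and why it recommends removing the firewall from the path.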