
I'm trying to implement a blacklist/blocklist of IPs in Azure App Service. I created a series of firewall rules that blocked specific IPs, then I added a rule that allowed all IPs (0.0.0.0/0) as a lower priority rule. My assumption was that the higher priority deny rules for specific IPs would block, and if none of the deny rules matched then it would allow.

What I found was that all traffic was still allowed; the deny rule was ignored. Is denying specific IPs while allowing all other traffic not possible, or do I need to set it up in a different way?

Also, I did try removing the Allow IPs rule, but received a 403 from an IP that wasn't being blocked.

Example of rule setup (note the IP is from a comment spammer, so don't try to resolve it): [screenshot of the access restriction rules]

Josh

1 Answer


How you had it configured, with explicit deny rules and then an allow rule with a lower priority, is the correct method, and is documented here. A couple of things I would check:

  1. Is your allow rule definitely the lowest priority?
  2. Is your deny rule actually covering the IP or range that your traffic is coming from?
Sam Cogan
  • Yes, that is what I tried, I've put in a screenshot into the question to show how I have it setup. – Josh Aug 13 '20 at 12:31
  • @Josh The rules are "matched" in priority order from lowest to highest. The first one to match applies. In your screenshot, you appear to have it set up correctly (assuming you've entered the correct IP to block). – Greg W Sep 15 '20 at 21:36
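The evaluation order described in the answer and the comments (lowest priority number first, first match wins, and an implicit "Deny all" appended once any rule exists) is what produces both symptoms in the question. The following is an added example, not code from the original post or from Azure, that simulates that evaluation over three constructed rule sets: the correct layout, an allow-all rule that sorts ahead of the deny rule (so the deny is never reached and everything is allowed), and the deny rule on its own (so every unmatched client hits the implicit deny and gets a 403). The IP addresses and rule names are placeholders from the documentation ranges, and the implicit-deny priority value is the one Azure shows in the portal; the `misordered_denies` check is my own addition for spotting shadowed deny rules.

```python
"""Simulate Azure App Service access-restriction evaluation (added example).

Rules are evaluated in ascending priority number (lowest number first);
the first rule whose range contains the client IP decides. When at least
one rule is defined, Azure appends an implicit "Deny all" rule at the end.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IMPLICIT_DENY_PRIORITY = 2147483647  # Azure's implicit "Deny all" sits last


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "Allow" or "Deny"
    ip_range: str    # CIDR, e.g. "203.0.113.7/32"
    priority: int    # lower number = evaluated earlier


def evaluate(rules, client_ip):
    """Return (action, name of the deciding rule) for client_ip."""
    client = ip_address(client_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if client in ip_network(r.ip_range, strict=False):
            return r.action, r.name
    # Nothing explicit matched: with any rules present Azure denies (403).
    if rules:
        return "Deny", "implicit Deny all"
    return "Allow", "no rules (unrestricted)"


def misordered_denies(rules):
    """Names of Deny rules that can never match because a broader Allow
    rule sorts ahead of them (lower priority number) and covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, r in enumerate(ordered):
        if r.action != "Deny":
            continue
        net = ip_network(r.ip_range, strict=False)
        for earlier in ordered[:i]:
            if earlier.action == "Allow" and net.subnet_of(
                ip_network(earlier.ip_range, strict=False)
            ):
                shadowed.append(r.name)
                break
    return shadowed


# Constructed sample clients (documentation ranges, not real hosts).
SPAMMER = "203.0.113.7"
VISITOR = "198.51.100.20"

# 1. Correct: deny rule first (low number), allow-all last (high number).
CORRECT = [
    Rule("block-spammer", "Deny", f"{SPAMMER}/32", 100),
    Rule("allow-everyone", "Allow", "0.0.0.0/0", 65000),
]

# 2. The symptom in the question: allow-all given a *lower* number than
#    the deny rule, so it matches first and the deny is never reached.
ALLOW_FIRST = [
    Rule("block-spammer", "Deny", f"{SPAMMER}/32", 200),
    Rule("allow-everyone", "Allow", "0.0.0.0/0", 100),
]

# 3. Allow rule removed: the ordinary visitor matches nothing, so the
#    implicit "Deny all" answers with 403 for everyone but the blocked IP
#    (who is also denied, just by the explicit rule).
NO_ALLOW = [
    Rule("block-spammer", "Deny", f"{SPAMMER}/32", 100),
]


def summarize(rules):
    """Map each sample client to the action the rule set yields."""
    return {ip: evaluate(rules, ip)[0] for ip in (SPAMMER, VISITOR)}


if __name__ == "__main__":
    for label, rules in (
        ("correct", CORRECT),
        ("allow-first", ALLOW_FIRST),
        ("no-allow", NO_ALLOW),
    ):
        print(f"{label:12s} {summarize(rules)}  shadowed={misordered_denies(rules)}")
```

The same ordering applies when the rules are created from the CLI: `az webapp config access-restriction add ... --action Deny --ip-address 203.0.113.7/32 --priority 100` for each blocked address, then one `--action Allow --ip-address 0.0.0.0/0` rule with a priority number larger than every deny rule. Running `misordered_denies` over the exported rule list is a quick way to confirm no deny rule is shadowed by an earlier allow.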