1

We use the Azure TrafficManager and we have certain endpoints that would like to check the provenance/referer domain of incoming calls (raw IPs being a bad idea in the cloud in any case). I am wondering if or how TrafficManager handles the outbound requests and what the endpoint sees as the sender's domain in the request from my Azure Websites and their WebJobs.

If I have a trafficmanger.domain.com and two servers, failover1.azurewebsites.net and failover2 behind it, what will an endpoint see when my failover2 server initiates the REST call?

I'm assuming that since the TrafficManager works at the DNS level that nothing is done and there are different referer URLs from the different initiators. Correct? ... and since raw IPs may change in the cloud, and referers can be spoofed, is there a better initiator check (other than a token or certificate)?

UPDATE Static IPs now available from Azure may be the best solution:

https://feedback.azure.com/forums/169385-web-apps-formerly-websites/suggestions/6428310-static-ip-addresses-inbound-and-outbound-for-a

GGleGrand

1 Answer

1

As you point out, Azure Traffic Manager works at the DNS level. Once the DNS lookup indicates the appropriate endpoint, clients connect to that endpoint directly--Traffic Manager is not a proxy.

Thus details such as host headers, referrer, cookies do not pass through and are not affected by Traffic Manager. What your application receives is whatever the client sends.

A good approach therefore is to get everything working without using Traffic Manager, and nothing should then change when you bring Traffic Manager into play.
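The following is an added example, not part of the question or the answer above. Because the endpoint receives whatever the client sends, it contrasts a Referer comparison with the shared-secret token approach the question mentions, checked the same way regardless of which failover host or IP made the call. The header names `X-Timestamp` and `X-Signature`, the key, the path and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"  # assumption: secret given to each caller out of band
MAX_SKEW = 300                        # seconds a signed request stays valid
TRUSTED_REFERER = "https://failover2.azurewebsites.net/"  # host name from the question

def sign(method, path, body, timestamp, key=SHARED_KEY):
    """Caller side: HMAC-SHA256 over method, path, timestamp and body."""
    msg = b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), body])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def referer_check(headers):
    """Weak check: compares a header that the client fills in itself."""
    return headers.get("Referer", "").startswith(TRUSTED_REFERER)

def signature_check(method, path, body, headers, now, key=SHARED_KEY):
    """Check that does not depend on the caller's IP, DNS name or Referer."""
    try:
        timestamp = int(headers["X-Timestamp"])  # hypothetical header name
        supplied = headers["X-Signature"]        # hypothetical header name
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW:          # reject stale or replayed requests
        return False
    expected = sign(method, path, body, timestamp, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), supplied.encode())

def demo():
    now = 1_700_000_000                          # constructed clock value
    path, body = "/api/orders", b'{"order": 42}'
    genuine = {"Referer": TRUSTED_REFERER, "X-Timestamp": str(now),
               "X-Signature": sign("POST", path, body, now)}
    # Constructed request from a sender without the key: same Referer, bad signature.
    forged = {"Referer": TRUSTED_REFERER, "X-Timestamp": str(now),
              "X-Signature": "0" * 64}
    return {
        "forged_passes_referer": referer_check(forged),
        "forged_passes_signature": signature_check("POST", path, body, forged, now),
        "genuine_passes_signature": signature_check("POST", path, body, genuine, now),
        "tampered_passes_signature": signature_check("POST", path, b'{"order": 43}', genuine, now),
        "stale_passes_signature": signature_check("POST", path, body, genuine, now + MAX_SKEW + 1),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
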