
I have an Azure Web App running behind the Azure Application Gateway, which is configured in WAF mode. I have allowed only the Azure Gateway IP and our own public/proxy IP to connect to the Azure Web App, which means all traffic being routed to the Web App goes through the Application Gateway only.

Now, I want to DENY access to a specific list of IPs to my Azure Web App. I am not sure how and where I can configure this DENY list. Thanks in advance!

1 Answer


Now, I want to DENY access to a specific list of IPs to my Azure Web App.

Based on my knowledge, maybe you can use IP Restrictions to allow some IPs to access your app.

For more information about IP Restrictions, please refer to this article.


Update:

Thanks to Saurabh Singh for sharing: the customer can edit web.config to add an IP list:

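    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <!-- Deny this address; addresses not listed stay allowed -->
          <add ipAddress="111.223.118.66" allowed="false"/>
        </ipSecurity>
      </security>
    </system.webServer>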
Jason Ye
  • Thanks for the quick response, Jason. I have reviewed this article, but this is about setting up the "Allow List", which I have already configured on the Azure web app so that only my gateway can access the web app. But the WAF is open for everyone on port 80/443. This is where I want to block certain IPs. I am not sure if Azure Application Gateway has this capability or not. – Saurabh Singh Jan 29 '18 at 08:34
  • @SaurabhSingh For now, there are no firewall settings for Azure Application Gateway. – Jason Ye Jan 29 '18 at 08:43
  • OK Jason, does that mean I can NOT achieve my scenario? It could be something at the Azure web app level? – Saurabh Singh Jan 29 '18 at 08:46
  • @SaurabhSingh The Azure web app can only add an allow IP list; the application gateway communicates with the web app using an Azure private IP address. Maybe you can set HTTPS for the application gateway. – Jason Ye Jan 29 '18 at 08:56
  • @SaurabhSingh Based on my knowledge, the application gateway can map a port to another port, so I think you can expose a different port to the Internet :) – Jason Ye Jan 29 '18 at 09:07
  • @SaurabhSingh Just checking in to see if the information provided was helpful. Please let me know if you would like further assistance. – Jason Ye Jan 30 '18 at 02:46
  • Hey Jason, thanks for the help here. I found the fix here: we had to update the web.config file with the following code to DENY any IP: <ipSecurity allowUnlisted="true"> – Saurabh Singh Jan 30 '18 at 09:16
  • @SaurabhSingh Thank you for sharing, I will update my answer with it. – Jason Ye Jan 30 '18 at 09:18
  • @SaurabhSingh I have updated my answer, please check it. Thanks again :) – Jason Ye Jan 30 '18 at 09:30
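A way to check which addresses a given `<ipSecurity>` block would turn away before deploying the web.config, added here as an example and not code from the thread. The second (subnet) rule, the test addresses and the "first matching entry decides" evaluation order are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the deny rule from the answer plus one made-up subnet
# rule (203.0.113.0/24 is a documentation range).
WEB_CONFIG = """
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <add ipAddress="111.223.118.66" allowed="false"/>
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="false"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

def load_rules(config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) from a web.config string."""
    node = ET.fromstring(config_xml).find("system.webServer/security/ipSecurity")
    if node is None:
        return True, []  # no ipSecurity section: nothing is restricted
    allow_unlisted = node.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in node.findall("add"):
        if add.get("ipAddress") is None:
            continue  # domainName entries are out of scope for this example
        mask = add.get("subnetMask", "255.255.255.255")  # default: single host
        net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, add.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules

def is_allowed(config_xml, client_ip):
    """Decide whether client_ip passes the ipSecurity rules."""
    allow_unlisted, rules = load_rules(config_xml)
    addr = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if addr in net:
            return allowed       # assumption: first matching entry decides
    return allow_unlisted        # no entry matched: fall back to allowUnlisted

if __name__ == "__main__":
    for ip in ("111.223.118.66", "203.0.113.77", "198.51.100.10"):
        print(ip, "allowed" if is_allowed(WEB_CONFIG, ip) else "denied")
```

The verdict applies to the address IIS evaluates; for traffic arriving through the Application Gateway, confirm whether that is the gateway's address or the original client's before relying on the deny list.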