App Service IP Restriction for Application Gateway with WAF

I want to set up Application Gateway WAF in front of multi-tenant (non-ASE) App Service Web Apps.

I know this is possible now, according to the official documentation.

For security, inbound traffic to the Web Apps should be restricted to only allow connections from the Application Gateway's public IP. But I couldn't find a way to do it.

Idea 1. Using VNet integration:
It's not possible to use "App Service VNet Integration" because it's not possible to specify the App Gateway's VNet. Moreover, in my understanding, VNet integration can't restrict inbound traffic.

Idea 2. Using the IP Restriction config of App Service:
The Application Gateway's public IP address can only be configured as a dynamic one; a static IP address can't be chosen. So I think it's not possible to specify the Application Gateway's public IP address in the IP Restriction config of App Service, because the configured IP is static but the actual IP can change.

Any good ideas?

bodfox

1 Answer

The Application Gateway IP address can change if the gateway is stopped and started by the customer.

So if you do not stop and start the Application Gateway, the IP address will not change.

Jason Ye
  • Thanks. Certainly, Application Gateway and App Service (non-ASE) can be in the same VNet; I confirmed this by setting it up. On the other hand, it's described in the official documentation: "VNet Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network." (See https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet ) So IP Restriction by the App Gateway's "internal IP address" can't be used, can it? – yosukekumasaka Feb 07 '18 at 06:21
  • @yosukekumasaka Sorry for my mistake, you are right, VNet integration does not work in this scenario. The Application Gateway IP address will not change if you do not stop and start or update it. Please add the Application Gateway's public IP address to the `web.config` allow list. – Jason Ye Feb 07 '18 at 08:14
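The practical worry in the thread is that the allow list on the App Service is static while a v1 Application Gateway's public IP is dynamic, so the two can drift apart after a stop/start. The script below is an added example, not code from the question or the answer: it builds the `ipSecurityRestrictions` entries for the App Service site config (`ipAddress` in CIDR form, `action`, `priority`, `name`, the shape used by the Microsoft.Web/sites/config resource) that allow only the gateway's current public IP, and it checks an already-configured allow list against the gateway's current IP so the drift case is caught before traffic is silently blocked or, worse, a too-broad rule lets more than the gateway in. All IP addresses, resource names and the sample site config are constructed for the example; the `az` commands in the comments are how the result would be applied and are not run here.

```python
"""Build and verify an App Service IP-restriction allow list for an
Application Gateway front end.

Added example, not from the original post. Resource names, IP addresses
and the sample site config are constructed for illustration.
"""
import ipaddress
import json

# Priority of the gateway allow rule; any value below the implicit
# deny-all that App Service appends once at least one rule exists.
APPGW_RULE_PRIORITY = 100


def appgw_allow_rules(appgw_public_ip: str, rule_name: str = "AllowAppGateway") -> list:
    """Return the ipSecurityRestrictions entries that allow only the
    gateway's public IP as a host route (/32 or /128).

    Once any rule is present App Service applies an implicit deny-all, so no
    explicit Deny entry is needed. ValueError is raised for malformed input
    so a typo never becomes an allow rule.
    """
    ip = ipaddress.ip_address(appgw_public_ip)
    return [
        {
            "ipAddress": f"{ip}/{ip.max_prefixlen}",
            "action": "Allow",
            "priority": APPGW_RULE_PRIORITY,
            "name": rule_name,
            "description": "Only the Application Gateway WAF may reach this app",
        }
    ]


def restriction_drift(site_restrictions: list, current_appgw_ip: str) -> dict:
    """Compare the allow list configured on the app with the gateway's
    current public IP.

    gateway_reachable: some Allow rule covers the current gateway IP.
    covering:          the Allow CIDRs that cover it.
    other_allows:      Allow CIDRs that do not cover it (stale gateway IPs
                       left behind by a stop/start, or unrelated allows).
    broad:             Allow CIDRs wider than a single host; these admit
                       more than the gateway and defeat the restriction.
    """
    current = ipaddress.ip_address(current_appgw_ip)
    result = {"gateway_reachable": False, "covering": [], "other_allows": [], "broad": []}
    for rule in site_restrictions:
        if rule.get("action") != "Allow":
            continue
        cidr = rule["ipAddress"]
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < net.max_prefixlen:
            result["broad"].append(cidr)
        if net.version == current.version and current in net:
            result["covering"].append(cidr)
        else:
            result["other_allows"].append(cidr)
    result["gateway_reachable"] = bool(result["covering"])
    return result


def site_config_patch(rules: list) -> str:
    """JSON body for `az webapp config set --generic-configurations`."""
    return json.dumps({"ipSecurityRestrictions": rules})


if __name__ == "__main__":
    # Constructed gateway IP (TEST-NET-3), standing in for the value of:
    #   az network public-ip show -g <rg> -n <appgw-pip> --query ipAddress -o tsv
    appgw_ip = "203.0.113.10"
    rules = appgw_allow_rules(appgw_ip)
    print(site_config_patch(rules))
    # Apply with either of (not executed here):
    #   az webapp config access-restriction add -g <rg> -n <app> \
    #       --rule-name AllowAppGateway --action Allow \
    #       --ip-address 203.0.113.10/32 --priority 100
    #   az webapp config set -g <rg> -n <app> \
    #       --generic-configurations "$(python3 this_script.py)"

    # Constructed "already configured" list: the gateway was stopped and
    # started and now has a new IP, and someone added a too-broad allow.
    configured = [
        {"ipAddress": "203.0.113.10/32", "action": "Allow", "priority": 100, "name": "AllowAppGateway"},
        {"ipAddress": "198.51.100.0/24", "action": "Allow", "priority": 200, "name": "Office"},
    ]
    print(restriction_drift(configured, "203.0.113.11"))
```

Run the drift check from a scheduled job that reads the gateway's public IP and the app's `ipSecurityRestrictions` (`az webapp config access-restriction show`) and alerts when `gateway_reachable` is false or `broad` is non-empty; on a v2 gateway, whose public IP is static, the same check still catches the over-broad rule case.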