
I have a Virtual Machine that contain TWO websites, and one of them have restricted access by IP Address and Domain Restrictions IIS feature which work like a charm and allows only whitelisted IPs.


Now, I have to implement an Application Gateway keeping the same approach for the public website where I can manage the IP addresses that will be whitelisted either by the current solution IP Address and Domain Restrictions or other solution.

Any idea in how to achieve it?

2 Answers


Have just figured this out myself after struggling with it for about 2 days.

I host around 70 different .NET CORE sites in IIS behind a single instance of Application Gateway, and recently had a request for IP Based Restrictions on just one of them. I've figured out how to make this work!

Essentially, it makes use of the 'Enable Proxy Mode' feature, which causes the IP Address and Domain Restrictions feature to look at the contents of the X-Forwarded-For header which with IIS should contain the

So here it is step by step.....

1. Logging

First of all, it's useful to make a few changes to Application Gateway and IIS to enable us to log and see the contents of the X-Forwarded-For header.

In IIS Manager:

  1. On server, site or application level, double click “Logging”
  2. Click “Select Fields“
  3. In “W3C Logging Fields” window, click “Add Field“
  4. In the “Add Custom Field” window, fill out the following fields
  5. Field Name: X-Forwarded-For, Source type: Request Header, Source: X-Forwarded-For
  6. Click “OK” in both open windows
  7. Click “Apply” in the actions pane


In Application Gateway:

  1. Open the Azure Portal
  2. Browse to your Application Gateway Instance
  3. Click on the "Rewrites" blade
  4. Click the "+ Rewrite set" button
  5. Set the "Name" to "X-Forwarded-For"
  6. Select the Routing Rules you want to associate this with (the rules for the site you want to restrict at minimum, but there should be no harm in selecting ALL rules)
  7. Click "Next"
  8. Click the "+ Add Rewrite Rule" button, then the "Do - Click to Configure this Action" box
  9. Set "Rewrite Type" = "Request Header", "Action Type" = "Set", "Header Name" = "Common Header", "Common Header" = "X-Forwarded-For" and "Header Value" = "{var_add_x_forwarded_for_proxy}"
  10. Click "OK" and "Create" to save the rewrite rule


Next time the IIS log file rolls over (or just rename/delete the current log file), it should now include the contents of the X-Forwarded-For header passed by Application Gateway; this can be very helpful for logging and debugging later on.


2. Configure IIS IP and Domain Restrictions

Now we can start to set up the IP and Domain Restrictions settings in IIS. If you haven't already, install the IIS IP and Domain Restrictions module as described here.

In IIS Manager:

  1. On server, site or application level, double click “IP Address and Domain Restrictions”
  2. Click the "Edit Feature Settings" option in the "Actions" pane
  3. Set "Access for unspecified clients" = "Deny", "Enable Proxy Mode" = Ticked, "Deny Action Type" = "Forbidden" (or whatever else you want, this part doesn't matter so much).
  4. Click 'OK' to save.


  5. In the Actions pane, click "Add Allow Entry"

(The following is the magic undocumented part needed to make it work......)

  6. Add the IP Address Range from the Address Space of your Application Gateway Virtual Network. Click "Ok" to Save.


  7. Repeat Steps 5 and 6 with the address space for the Peered Virtual Network that your IIS server sits on:


  8. Finally, repeat Steps 5 and 6 and add in the specific client IP addresses you wish to whitelist/allow; you should end up with an allow list that looks something like the following:


Note that my list has separate "Allow" entries for our office IP address, the client's office IP address(es), as well as the IP address ranges of the servers for the PRTG Cloud Monitoring solution we use on these VMs.

Test, and hopefully it works! Good Luck!

Chris Butler
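As an added illustration (not part of the answer above or of any Microsoft tooling): a small Python audit that replays IIS W3C log lines carrying the custom X-Forwarded-For field from step 1 against an allow list shaped like the one built in step 2, mimicking proxy-mode evaluation. It assumes, as the answer's allow list implies, that the connecting address (the gateway) and every X-Forwarded-For hop must be on the allow list; all address ranges and log lines are constructed for the example.

```python
import ipaddress

# Constructed allow list shaped like the answer's: the Application Gateway VNet
# address space, the peered VNet the IIS server sits on, and specific clients.
ALLOW_LIST = [
    ipaddress.ip_network("10.10.0.0/16"),     # Application Gateway VNet (constructed)
    ipaddress.ip_network("10.20.0.0/16"),     # peered VNet hosting IIS (constructed)
    ipaddress.ip_network("203.0.113.10/32"),  # our office IP (documentation range)
    ipaddress.ip_network("198.51.100.0/24"),  # client's office range (documentation range)
]


def allowed(ip: str) -> bool:
    """True if the address falls inside any allow-list range."""
    addr = ipaddress.ip_address(ip.strip())
    return any(addr in net for net in ALLOW_LIST)


def evaluate(c_ip: str, xff: str) -> str:
    """Model IIS 'Enable Proxy Mode' (assumption): the connecting address and
    every X-Forwarded-For hop must be allowed, otherwise the request is denied.
    A request with no header ('-') is judged on c-ip alone; that case is flagged
    because it means something reached IIS without passing through the gateway
    rewrite, so only the VNet entries protect it."""
    if not xff or xff == "-":
        return "allow-no-xff" if allowed(c_ip) else "deny"
    # Defensive: strip a ':port' suffix in case a gateway without the rewrite
    # rule sends 'client:port' (the answer's rewrite emits the bare address).
    hops = [c_ip] + [h.split(":")[0] for h in xff.split(",")]
    return "allow" if all(allowed(h) for h in hops) else "deny"


# Field order of the constructed W3C log lines (matches the #Fields directive).
FIELDS = "date time s-ip cs-method cs-uri-stem c-ip cs(User-Agent) sc-status X-Forwarded-For".split()

# Constructed sample log: gateway instances 10.10.1.5/.6 are the connecting c-ip.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem c-ip cs(User-Agent) sc-status X-Forwarded-For
2022-06-21 10:00:01 10.20.1.4 GET /index.html 10.10.1.5 Mozilla/5.0 200 203.0.113.10
2022-06-21 10:00:02 10.20.1.4 GET /admin 10.10.1.5 curl/7.8 403 192.0.2.77
2022-06-21 10:00:03 10.20.1.4 GET /index.html 10.10.1.6 Mozilla/5.0 200 -
"""


def audit(log_text: str):
    """Return (uri, X-Forwarded-For, verdict) for every data line in the log."""
    results = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split()))
        results.append((rec["cs-uri-stem"], rec["X-Forwarded-For"],
                        evaluate(rec["c-ip"], rec["X-Forwarded-For"])))
    return results
```

Comparing each verdict with the logged sc-status is a quick way to confirm the live IIS rule set behaves as the allow list intends; the "allow-no-xff" rows are the ones worth investigating, since they bypassed the gateway header.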

In the Azure App Gateway FAQ document, it discusses this Scenario:

Q. Can I whitelist Application Gateway access to a few source IPs?

This scenario can be done using NSGs on Application Gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:

  • Allow incoming traffic from source IP/IP range
  • Allow incoming requests from all sources to ports 65503-65534 for backend health communication.
  • Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the NSG.
  • Block all other incoming traffic with a Deny all rule.
  • Allow outbound traffic to the internet for all destinations.

Downvoting as this answer is only feasible if you want the same IP Restrictions for ALL sites behind the Application gateway, which is not the case in the OPs question (they have "TWO websites, and one of them have restricted access by IP Address and Domain Restrictions IIS feature"). See below for what I believe is a more correct answer. – Chris Butler Jun 21 '22 at 23:54