
I have created a web app in Azure (for example, abc.azurewebsites.net) and added a custom domain to it which was taken from Cloudflare (abc.contoso.com) (by adding a CNAME pointing to azurewebsites.net).

Now my requirement is that whenever a customer accesses the web app through abc.contoso.com, it should go through Cloudflare and hit the Azure web app.

Then I configured IP restrictions in the Azure web app so that I could allow only traffic which comes from Cloudflare.

I have added the IPs I got from the documentation in allow mode and denied all the rest, but it's not working.

halfer
  • Hi Sai. It looks like a helpful answer was made on the same day as you asked your question. Would you consider responding to them in some way? You can reply in comments for clarification, accept, or vote on its general usefulness. – halfer Mar 29 '19 at 19:38

1 Answer


It seems that you have a bit of a misunderstanding of the CNAME record, which maps an alias name to a true or canonical domain name. When you access the URL abc.contoso.com, the local DNS service looks up an IP address for the host abc.contoso.com; because of the CNAME record at the DNS hosting provider, which redirects the DNS lookup to the host abc.azurewebsites.net, the DNS service then returns the real IP address of the web app abc.azurewebsites.net to the client. In the end, clients are directly connected to the web app in Azure.

So you cannot achieve it by filtering the Cloudflare IPs; you should add the actual client IP addresses in the IP restrictions of the Azure web app if you want to restrict some clients.

Moreover, you could set up a proxy which will receive client traffic and reroute it to your web app. Then you could add the proxy address in the IP restrictions of the Azure web app. You may take a look at Azure Application Gateway. If you want to restrict access to the Azure web app to only the URL abc.contoso.com using a proxy, Azure Application Gateway could achieve it.

Nancy
  • If my reply makes sense, you may consider accepting it as an answer? – Nancy Mar 22 '19 at 07:57
  • Regarding acceptance here: while it is not mandatory, it's also true that some people do not know how it works. I have prompted the question author in a comment under their question. They would have received a notification for your answer, but they would not receive another one for your comment under your own question. The only exception to that is if they had commented prior to your comment and you addressed them with their `@` handle. – halfer Mar 29 '19 at 19:41
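As an added example (not from the question or the answer above), a small Python model of what the answer describes: following the CNAME alias from abc.contoso.com to the Azure web app's address, then applying an allow-mode IP restriction to the connecting client. The zone records, IP addresses and allow-list CIDRs are constructed placeholders, not real Cloudflare or Azure values.

```python
"""Model the resolution path the answer describes and the web app's
allow-mode IP restriction, to show why allow-listing proxy ranges fails
when clients resolve the CNAME and connect to the origin directly.
Added example; all records and CIDRs are constructed placeholders."""
import ipaddress

# Constructed zone data: the custom domain is a CNAME alias for the
# Azure web app host, which has an A record at a placeholder origin IP.
ZONE = {
    "abc.contoso.com": ("CNAME", "abc.azurewebsites.net"),
    "abc.azurewebsites.net": ("A", "203.0.113.10"),
}

def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAME aliases until an A record is reached.
    Returns (chain_of_names, ip). Raises ValueError on loops or
    when the hop limit is exceeded."""
    chain = [name]
    for _ in range(max_hops):
        rtype, target = zone[name]
        if rtype == "A":
            return chain, target
        name = target
        if name in chain:
            raise ValueError("CNAME loop at " + name)
        chain.append(name)
    raise ValueError("too many CNAME hops")

# Constructed allow list in the style of an allow-mode IP restriction:
# a placeholder range standing in for ranges a proxy/CDN would publish.
PROXY_ALLOW_LIST = [ipaddress.ip_network("198.51.100.0/24")]

def origin_allows(source_ip, allow_list=PROXY_ALLOW_LIST):
    """Allow mode: permit only sources inside the allow list, deny the rest."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allow_list)

def client_reaches_origin_directly(hostname, client_ip, zone=ZONE):
    """Simulate a client that resolves the hostname and connects to the
    origin from its own public address. Returns (origin_ip, allowed)."""
    _chain, origin_ip = resolve(hostname, zone)
    return origin_ip, origin_allows(client_ip)

if __name__ == "__main__":
    chain, ip = resolve("abc.contoso.com")
    print(" -> ".join(chain), "=>", ip)
    # The browser's own address is not in the proxy range, so the rule
    # denies it; the proxy was never in the path to begin with.
    print("client 192.0.2.7 allowed?", origin_allows("192.0.2.7"))
    print("proxy 198.51.100.5 allowed?", origin_allows("198.51.100.5"))
```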