Denylist client IP in Azure Application Gateway

We are using Azure Application Gateway for our site, and we are getting a few people scraping our site. We want to block their IPs at the gateway level, as we don't want to configure the same blocks in every web service.

We cannot find a way of blocking IPs using only the gateway or its virtual network. Has anybody had the same problem and can illuminate our path?

Upvotes: 2

Views: 2989

Answers (1)

Nancy Xiong

Reputation: 28234

You could deploy Application Gateway in a virtual network. If so, you will have a dedicated subnet for this Application Gateway. This subnet can only contain Application Gateways. You could associate an NSG with this subnet. If so, you could restrict inbound and outbound traffic from this Application Gateway subnet via inbound or outbound security rules in the NSG. In this case, you could add an inbound security rule to blacklist your clients' IPs.

Refer to DOC, Note:

Network Security Groups (NSGs) are supported on the application gateway subnet with the following restrictions:

Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.

Outbound internet connectivity can't be blocked.

Traffic from the AzureLoadBalancer tag must be allowed.

Hope this helps.

Upvotes: 3
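The following is an added example illustrating the answer above; it is not code from the answer or from Azure. It models an NSG rule set for a v2 SKU Application Gateway subnet, evaluates it the way NSGs do (lowest priority number first, first match wins, Azure's three default inbound rules at the end), checks that the infrastructure exceptions quoted from the doc survive, and renders each custom rule as the corresponding `az network nsg rule create` command. Resource group, NSG name, scraper addresses and priorities are assumptions; the `Internet` tag is approximated as "any literal address" rather than Azure's real prefix list.

```python
"""Model and check an NSG rule set for an Application Gateway (v2 SKU) subnet.

Added example; resource names, addresses and priorities are assumptions.
"""
import ipaddress
from dataclasses import dataclass

SERVICE_TAGS = {"Internet", "GatewayManager", "AzureLoadBalancer", "VirtualNetwork"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first; custom rules use 100-4096
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, "*", or a service tag
    dest_ports: str  # "*", a single port, or "lo-hi"
    protocol: str = "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _source_matches(spec: str, src: str) -> bool:
    """src is either a literal IP address or the name of a service tag."""
    if spec == "*":
        return True
    if src in SERVICE_TAGS:           # symbolic caller, e.g. GatewayManager
        return spec == src
    if spec == "Internet":            # approximation: any literal address
        return True
    if spec in SERVICE_TAGS:          # other tags never match a literal IP here
        return False
    return ipaddress.ip_address(src) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src: str, port: int, protocol: str = "Tcp") -> str:
    """First matching rule in priority order decides, as NSGs do."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _port_matches(r.dest_ports, port)
                and _source_matches(r.source, src)):
            return r.access
    return "Deny"  # unreachable while DenyAllInBound is present


# Azure adds these to every NSG; they cannot be removed, only preceded by lower numbers.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Custom inbound rules for the gateway subnet (assumed names and addresses).
CUSTOM_RULES = [
    Rule("DenyScraperHost", 100, "Deny", "203.0.113.7/32", "*"),
    Rule("DenyScraperRange", 110, "Deny", "198.51.100.0/24", "*"),
    Rule("AllowHttps", 200, "Allow", "Internet", "443", "Tcp"),
    Rule("AllowHttp", 210, "Allow", "Internet", "80", "Tcp"),
    # Exception required by the quoted doc: v2 SKU uses ports 65200-65535.
    Rule("AllowGatewayManager", 300, "Allow", "GatewayManager", "65200-65535", "Tcp"),
]
RULES = CUSTOM_RULES + DEFAULT_RULES


def check_required_exceptions(rules, sku: str = "v2") -> list:
    """Return the infrastructure paths this rule set would break (empty is good)."""
    lo, hi = (65200, 65535) if sku == "v2" else (65503, 65534)
    problems = []
    for port in (lo, hi):
        if evaluate(rules, "GatewayManager", port) != "Allow":
            problems.append(f"GatewayManager blocked on {port}")
    if evaluate(rules, "AzureLoadBalancer", 443) != "Allow":
        problems.append("AzureLoadBalancer blocked")
    return problems


def render_az(rule: Rule, rg: str, nsg: str) -> str:
    """The az CLI command that creates this inbound rule on an existing NSG."""
    return (f"az network nsg rule create --resource-group {rg} --nsg-name {nsg} "
            f"--name {rule.name} --priority {rule.priority} --direction Inbound "
            f"--access {rule.access} --protocol '{rule.protocol}' "
            f"--source-address-prefixes '{rule.source}' --source-port-ranges '*' "
            f"--destination-address-prefixes '*' "
            f"--destination-port-ranges '{rule.dest_ports}'")


if __name__ == "__main__":
    for r in CUSTOM_RULES:
        print(render_az(r, "rg-web", "nsg-appgw"))
    print("problems:", check_required_exceptions(RULES))
```

The deny rules sit at lower priority numbers than the Internet allows, so a scraper address is rejected at the subnet edge before any listener sees it, while every other client still reaches 80/443. `check_required_exceptions` catches the mistake the doc note warns about: appending a catch-all `Deny *` custom rule (say at priority 400) silently blocks the AzureLoadBalancer probes, and dropping the GatewayManager rule blocks the 65200-65535 management range. Once the NSG exists, attach it with `az network vnet subnet update --resource-group <rg> --vnet-name <vnet> --name <appgw-subnet> --network-security-group <nsg>` (names assumed).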
