Reputation: 893
I have an Azure App Service where the customer is using an Akamai WAF in front of it to connect to it. Now I have the requirement that the App Service should not be reachable other than through that WAF. I got a list of IPs that I have entered in the App Service Networking in the Access Restrictions list (App Service -> Networking -> Access restrictions).
This works pretty well in principle, but if I now try to access the service directly (so by using appname.azurewebsites.net), not through the WAF, it will return a 403 error response. But the requirement is that the service should not answer, at all.
Is there a way to achieve that in Azure? What would be the best way to do this?
Upvotes: 1
Views: 462
Reputation: 893
There is a way to achieve this behaviour right now in an App Service: what you need to do is use an App Service plan on the Isolation tier, create a v-net and add a network security group to it where you can restrict inbound IPs.
This is pretty expensive, but currently the only way.
What I ended up with is to use a VM with a v-net, as this is much cheaper. An App Service on the Isolation tier unfortunately would have destroyed the budget.
Upvotes: 0
Reputation: 20067
By default, when you configure IP restrictions on App Services, the App Service will return the 403 forbidden page from Azure.
So, if you want to avoid the default 403 when IP restrictions are configured on App Services, you could vote up this feedback to promote this to be achieved.
Upvotes: 2
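To verify which behaviour a deployment actually shows when reached directly instead of through the WAF, the following added example (not part of the original posts) probes an origin and distinguishes an HTTP-level answer such as the 403 from no answer at all. The function name and result labels are assumptions of this example; `appname.azurewebsites.net` is the placeholder hostname from the question.

```python
import socket
import ssl


def probe_origin(host, port=443, use_tls=True, timeout=5.0):
    """Classify how an origin reacts to a direct request (not via the WAF).

    Returns one of:
      "dropped"        - no reply before the timeout (packets silently discarded)
      "refused"        - TCP connection actively refused
      "error"          - other socket/TLS failure (DNS, reset, handshake)
      "answered:<NNN>" - an HTTP status line came back, e.g. "answered:403"
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "dropped"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.settimeout(timeout)
        request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        data = sock.recv(64)
    except socket.timeout:
        return "dropped"
    except OSError:
        return "error"
    finally:
        sock.close()
    # Expect a status line such as b"HTTP/1.1 403 Forbidden"
    parts = data.split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:3].isdigit():
        return "answered:" + parts[1][:3].decode("ascii")
    return "error"


if __name__ == "__main__":
    # Run from an IP address that is NOT on the allow list.
    result = probe_origin("appname.azurewebsites.net")
    print(result)
    if result.startswith("answered:"):
        print("Origin still answers at the HTTP layer; requirement not met.")
```

With only App Service access restrictions in place this reports `answered:403`; an origin whose traffic is filtered at the network layer reports `dropped` or `refused`.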