Azure Front-Door - X-Azure-ClientIP is showing an IPV6 address instead of IPV4

Question

We, Have an Azure front door setup and as a back-end, we used azure app services(Asp.NET). When we try to see the server variable at that time that it's showing an IPv6 in "X-Azure-ClientIP". We need a IPv4 in "X-Azure-ClientIP" Because we want to apply IP access restriction via our application on our content.

As one of our clients has both IPv4 and IPv6 enabled in their system. But we got only IPV6 in "X-Azure-ClientIP" instead of that we want IPv4.

Is there any provision in the azure front door to tackle this kind of scenario?

Answer 1

AFD is one of unfortunately few services that actually is available over IPv6, hopefully there will be more, and in the end the option to disable legacy IPv4, but IPv6 should not be turned of.

If you now have clients that also have IPv6, they will access FD over IPv6 if everything works as it should, this is not something that you will be able to control. Instead you should make sure that your backend works with IPv6 addresses coming in. This also applies to IP restriction policies.

IPv6 is not something that you can hope goes away, instead make sure your services has full and working support.

Answer 2

This is a limitation for now. You cannot block IPV6 address in AFD. You can always submit your feedback here in this section for features availability. But, as a work around you can use IP address safelist feature In ASP.NET core,

        {
  "AdminSafeList": "127.0.0.1;192.168.1.5;::1",
  "Logging": {

Here, only the client IP addresses listed in the string will be able to access the app. IPv4 addresses of 127.0.0.1 and 192.168.1.5 and the IPv6 loopback address of ::1 (compressed format for 0:0:0:0:0:0:0:1) are allowed.

Ref Doc: https://learn.microsoft.com/en-us/aspnet/core/security/ip-safelist?view=aspnetcore-5.0