Reputation: 963
We have a multi-tenant app, with each client's instance hosted on a sub-domain. E.g.:
To support this we have an App-Gateway in Azure with a wildcard listener: *.mydomain.com
that directs traffic to the backend pool (IIS on a VM).
I need to restrict access to one client's site to a range of IP Addresses. I'm trying to achieve this by making use of a Web Application Firewall (WAF). I'm having trouble making the Custom Rule match the incoming requests for the specific sub-domain.
The rule is attached to a WAF Policy that is attached to the wildcard Listener in the App Gateway.
It looks like the RequestURI value does not include the host name.
Custom rule definition:
"matchConditions": [
  {
    "matchVariables": [
      {
        "variableName": "RemoteAddr"
      }
    ],
    "operator": "IPMatch",
    "negationConditon": false,
    "matchValues": [
      "xxx.xxx.xxx.xxx"
    ],
    "transforms": [
      "Lowercase"
    ]
  },
  {
    "matchVariables": [
      {
        "variableName": "RequestUri"
      }
    ],
    "operator": "Contains",
    "negationConditon": false,
    "matchValues": [
      "client1.mydomain.com"   <--- this is not capturing any requests
    ],
    "transforms": [
      "Lowercase"
    ]
  }
]
How do I apply an IP restriction to specific subdomains in Azure using an App Gateway?
Upvotes: 1
Views: 1775
Reputation: 3725
Finding request header names
Fiddler is a useful tool once again to find request header names. In the following screenshot, you can see the headers for this GET request, which include Content-Type, User-Agent, and so on. You can also use request headers to create exclusions and custom rules in WAF.
From the Azure docs, we can use some tools like Live HTTP Headers to get the headers,
and then make your custom rule:
Upvotes: 0
Reputation: 11
The RequestUri value passed by the gateway only contains the path, or in your case only "/" to indicate the root path of the target backend. You can match on the Host header instead to target the sub-domains.
Condition definition example:
{
  "matchVariables": [
    {
      "variableName": "RequestHeaders",
      "selector": "Host"
    }
  ],
  "operator": "Contains",
  "negationConditon": false,
  "matchValues": [
    "client1.mydomain.com"
  ],
  "transforms": [
    "Lowercase"
  ]
}
Upvotes: 1
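A complete custom rule built on that Host condition, added here as an example rather than code taken from either answer: both conditions must match, so the rule blocks a request for client1's sub-domain only when the source address is outside the allowed range. The rule name, priority and the 203.0.113.0/24 range are placeholders to be replaced with your own values.

```json
{
  "name": "RestrictClient1ToAllowedRange",
  "priority": 10,
  "ruleType": "MatchRule",
  "action": "Block",
  "matchConditions": [
    {
      "matchVariables": [
        { "variableName": "RequestHeaders", "selector": "Host" }
      ],
      "operator": "Contains",
      "negationConditon": false,
      "matchValues": [ "client1.mydomain.com" ],
      "transforms": [ "Lowercase" ]
    },
    {
      "matchVariables": [
        { "variableName": "RemoteAddr" }
      ],
      "operator": "IPMatch",
      "negationConditon": true,
      "matchValues": [ "203.0.113.0/24" ],
      "transforms": []
    }
  ]
}
```

The Block action is only enforced when the WAF policy runs in Prevention mode; in Detection mode the rule is logged but the request still reaches the backend.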