How can I preserve Original client ip at Application Gateway?

Akshay rathi 0 Reputation points
2024-11-27T10:06:02.24+00:00

Hey,

I have been trying to whitelist specific IP using custom WAF rule and as we know Application Gateway is a proxy server and it does not preserve the original client ip.

Is there any workaround or configuration we can set at App gateway side so waf rule could whitelist/blacklist the specific IP address?

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,099 questions
Azure Web Application Firewall
{count} votes

1 answer

Sort by: Most helpful
  1. Ganesh Patapati 2,590 Reputation points Microsoft Vendor
    2024-11-27T11:53:08.0966667+00:00

    Hi Akshay rathi

    Greetings!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to configure your Application gateway WAF to preserve the client IP addresses, so that the backend server can see the actual client IP instead of Application gateway IP.

    We are unable to preserve the client IP because the Application gateway is a proxy. It will replace the original client IP with the Application gateway instance IP and forward requests to the backend server. However, Application gateway inserts extra headers to all requests before it forwards the requests to the backend. It includes the x-forwarded-for header which has the original client IP information.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works#modifications-to-the-request

    You can configure Application gateway to modify request and response headers and URL by using Rewrite HTTP headers and URL or to modify the URI path by using a path-override setting. However, unless configured to do so, all incoming requests are proxied to the backend. You can use header rewrite to remove the port information from the X-Forwarded-For header to only keep the IP addresses.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#remove-port-information-from-the-x-forwarded-for-header


    Hope this clarifies!

    Kindly let us know if the above helped or you need further assistance on this issue.

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Regards,

    Ganesh


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.