We have a multi-tenant app, with each client’s instance hosted on a sub-domain. E.g.:
- client1.mydomain.com
- client2.mydomain.com
To support this we have an App-Gateway in Azure with a wildcard listener: *.mydomain.com
that directs traffic to the backend pool (IIS on a VM).
I need to restrict access to one client’s site to a range of IP Addresses. I’m trying to achieve this by making use of a Web Application Firewall (WAF). I’m having trouble making the Custom Rule match the incoming requests for the specific sub-domain.
The rule is attached to a WAF Policy that is attached to the wildcard Listener in the App Gateway.
It looks like the RequestURI value does not include the host name.
Custom rule definition:
"matchConditions": [
    {
        "matchVariables": [
            {
                "variableName": "RemoteAddr"
            }
        ],
        "operator": "IPMatch",
        "negationConditon": false,
        "matchValues": [
            "xxx.xxx.xxx.xxx"
        ],
        "transforms": [
            "Lowercase"
        ]
    },
    {
        "matchVariables": [
            {
                "variableName": "RequestUri"
            }
        ],
        "operator": "Contains",
        "negationConditon": false,
        "matchValues": [
            "client1.mydomain.com" <--- this is not capturing any requests
        ],
        "transforms": [
            "Lowercase"
        ]
    }
]
How do I apply an IP restriction to specific subdomains in Azure using an App Gateway?
2 Answers
The RequestUri value passed by the gateway only contains the path, or in your case only "/" to indicate the root path of the target backend. You can match on the Host header instead to target the sub-domains.
Condition definition example:
From the Azure docs, we can use tools like Live HTTP Headers to get the headers, and then make your custom rule:
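Below is an added example of a complete custom rule built on the answer's advice (it is not part of the answer above, and not a rule taken from the Azure docs). It matches the Host request header instead of RequestUri, and it inverts the IP condition: the rule blocks a request only when the host is client1.mydomain.com AND the client address is NOT in the allowed list, so the allowed addresses fall through to the rest of the policy and every other sub-domain is untouched. The rule name, the priority value and the two address entries (203.0.113.0/24 and 198.51.100.7, which are documentation-reserved addresses) are placeholders to replace with your own. Note that the misspelt property name "negationConditon" is the one the Azure WAF policy schema actually uses, so it is intentional.

```json
{
  "customRules": [
    {
      "name": "Client1AllowList",
      "priority": 10,
      "ruleType": "MatchRule",
      "action": "Block",
      "matchConditions": [
        {
          "matchVariables": [
            {
              "variableName": "RequestHeaders",
              "selector": "Host"
            }
          ],
          "operator": "Equal",
          "negationConditon": false,
          "matchValues": [
            "client1.mydomain.com"
          ],
          "transforms": [
            "Lowercase"
          ]
        },
        {
          "matchVariables": [
            {
              "variableName": "RemoteAddr"
            }
          ],
          "operator": "IPMatch",
          "negationConditon": true,
          "matchValues": [
            "203.0.113.0/24",
            "198.51.100.7"
          ],
          "transforms": []
        }
      ]
    }
  ]
}
```

A few points to check when applying this. All match conditions inside one custom rule are ANDed, which is what makes the negated IPMatch act as an allow list for that host only; the original rule, with the IP condition not negated and an action of Block, would have blocked the very addresses you want to let in. "Equal" with the Lowercase transform avoids the Contains match also catching hosts such as client1.mydomain.com.evil.example if such a name were ever routed to the listener. The policy must be in Prevention mode for the Block action to take effect; in Detection mode the rule only logs. Finally, RemoteAddr is the address the gateway sees on the connection, so if another proxy or CDN sits in front of the Application Gateway you will see that proxy's address rather than the end client's and need to match on the forwarded client address instead.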