Preserve Client IP address in Azure API Management with Application Gateway scenario

About

Asked 18/11, 2019 at 14:6 Answered 18/11, 2019 at 19:0

Solved azure-api-management azure-application-gateway

I have Azure Application Gateway and API Management configured in this setup https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway - Application Gateway is the public endpoint and only defined routes are passed through to API Management.

I want to use the ip-filter policy to restrict calls to certain IP addresses. However when calls are coming through Application Gateway, the original client IP address is lost or obfuscated to IP 0.0.0.0.

Is there a way to keep the original client IP address and pass it through from Application Gateway to API Management?

Alessandro answered 18/11, 2019 at 14:6 Comment(0)

You might find this article useful: https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works#modifications-to-the-request

An application gateway inserts four additional headers to all requests before it forwards the requests to the backend. These headers are x-forwarded-for, x-forwarded-proto, x-forwarded-port, and x-original-host. The format for x-forwarded-for header is a comma-separated list of IP:port.

Alo answered 18/11, 2019 at 19:0 Comment(3)

You are right. I already checked HTTP header x-forwarded-for - it would allow to implement some own block logic as a fall back with this policy expression learn.microsoft.com/en-us/azure/api-management/…. – Alessandro 19/11, 2019 at 4:22

I checked and for me this solution is not working as the Request-X-Forwarded-For HTTP header contains a varying port information which makes it impossible to filter for a defined set of IP addresses. The other headers suggested in this solution do not contain the required information to filter on. – Alessandro 19/11, 2019 at 10:53

OK, if I reduce the header value before doing the check, it works: <set-header name="X-Forwarded-For" exists-action="override"> <value>@{ string headerValue = context.Request.Headers.GetValueOrDefault("x-forwarded-for",""); string[] tokens = headerValue.Split(':'); if(tokens.Length == 2) { headerValue = tokens[0]; } return headerValue; }</value> </set-header> <check-header name="X-Forwarded-For"... – Alessandro 19/11, 2019 at 11:47

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags