Azure API Management - How to get original IP when APM is behind WAF

Asked 14/6, 2019 at 11:33 Answered 14/8, 2019 at 11:56

Solved azure ip-address azure-api-management web-application-firewall x-forwarded-for

We have below technical stack

Imperva WAF
API Management
WebApi in WebApp

This is current implementation

Client IPs are authenticated at WAF level
WAF IPs are whitelisted at APIM
APIM IP is whitelisted at WebApp level

Everything is working fine and as expected.

Now when i went to APIM -> Analytics -> Request, i see WAF IPs are listed here and not the client ones. So in this case we will not be able to track who is using what

I know we have option to track thru subscription key, but that is not enough.

Can anybody please suggest how to configure to get correct IPs?

Painting answered 14/6, 2019 at 11:33 Comment(2)

There are same problem in MSDN Forum issues. social.msdn.microsoft.com/Forums/en-US/… – Cistaceous 14/6, 2019 at 14:15

@ibrahimatay, Thanks for your reply, sorry i missed your reply, Yes, so i have now x-forwarded-for which contains Client IP in header, now question is how to get this and add it in App Insights and then create custom reports from App Insights itself ? – Painting 23/7, 2019 at 11:8

After raising support request to Microsoft, we got what we want

This is how we accomplished

When Imperva WAF calls APIM endpoint, it also passes Incap-Client-IP in header
Within APIM -> APIs -> All APIs -> Settings -> Enter header property you want to add in request log of App Insights
Under request log -> custom dimension -> you can see InCap-Client-IP property is added in App Insights

Now we can export this in csv format and can track usage based on client IP.

Painting answered 14/8, 2019 at 11:56 Comment(0)

I believe you can find your answer in here. You merely need to configure your server to retrieve the correct IP from the relevant header.

Quoting the relevant part:

Original Client IP is required In case your application requires a real client IP address, please make sure you have enabled retrieval of this value from either: "X-Forwarded-For" or "Incap-Client-IP" header. When working with Imperva your server will see Imperva IPs instead of real client IPs. However, Imperva inserts by default the original client IP address into two HTTP headers: "X-Forwarded-For" and Imperva header "Incap-Client-IP".

But notice, you should take the first IP in a given XFF value, otherwise, the use of the second header real-client-IP might be affected by 3rd party proxies, etc.

Hope that helps.

Jimmie answered 16/6, 2019 at 8:33 Comment(0)

After raising support request to Microsoft, we got what we want

This is how we accomplished

When Imperva WAF calls APIM endpoint, it also passes Incap-Client-IP in header
Within APIM -> APIs -> All APIs -> Settings -> Enter header property you want to add in request log of App Insights
Under request log -> custom dimension -> you can see InCap-Client-IP property is added in App Insights

Now we can export this in csv format and can track usage based on client IP.

Painting answered 14/8, 2019 at 11:56 Comment(0)

This is not possible with built-in reports in Azure APIM. If you can make WAF forward client IP to APIM in header then you could build your own reporting infrastructure, but that would be pretty elaborate.

Alarise answered 14/6, 2019 at 21:13 Comment(8)

Thanks Vitaliy for your response. OK. client IP is important for us to capture but capture i and create own reporting infrastructure is big task as you mentioned. Building what APIM built-in reports provide is too much of work. Is it possible if we pass on client ip to APIM and report will be based on it? – Painting 17/6, 2019 at 8:3

Not immediately possible.Out of low invest options your best one is to use AppInsight integration and setup logging of extra header containing client IP passed by WAF. Perhaps then building required reports based on AppInsight might be simpler. – Alarise 17/6, 2019 at 17:28

Thanks Vitaliy for your reply. OK. Do you have any sample implementation link available where we can add custom data to App Insights from APIM? – Painting 18/6, 2019 at 7:38

Can anybody help me on how to setup logging of extra head containing client IP to Application Insights ? – Painting 19/7, 2019 at 8:20

Did you try this learn.microsoft.com/en-us/azure/api-management/… ? – Alarise 19/7, 2019 at 16:51

Hellto Vitaliy, Thanks for your reply. Yes, i have tried with that too. I have added diagnostic settings in my question. But i don't see header related info in app insights, Actually i should see it added in request data of app insights, right ? but i don't see it. – Painting 20/7, 2019 at 8:47

Hello Vitaliy / somebody from Microsoft, can you please update here on how to add header info in App Insights? – Painting 5/8, 2019 at 9:30

Just make sure that your API level diagnostic settings do not override global settings to log this header. Id that doesn't resolve the issue, I'll need your service name to look further, or you could open support request. – Alarise 5/8, 2019 at 21:49

Recommended topics

Hot tags