6

We have the below technical stack:

  • Imperva WAF
  • API Management
  • WebApi in WebApp

This is the current implementation:

  • Client IPs are authenticated at WAF level
  • WAF IPs are whitelisted at APIM
  • APIM IP is whitelisted at WebApp level

Everything is working fine and as expected.

Now when I went to APIM -> Analytics -> Request, I see WAF IPs are listed here and not the client ones. So in this case we will not be able to track who is using what.

I know we have the option to track through subscription key, but that is not enough.

Can anybody please suggest how to configure to get correct IPs?


Manish Joisar
  • There is the same problem in the MSDN forum: https://social.msdn.microsoft.com/Forums/en-US/cc8b3542-c476-47fe-807f-088134212f23/get-user-ip-on-application-behind-azure-application-gateway?forum=WAVirtualMachinesVirtualNetwork – ibrahimatay Jun 14 '19 at 14:15
  • @ibrahimatay, thanks for your reply, sorry I missed it. Yes, so I now have X-Forwarded-For, which contains the client IP, in the header. Now the question is how to get this and add it in App Insights, and then create custom reports from App Insights itself? – Manish Joisar Jul 23 '19 at 11:08

3 Answers

4

I believe you can find your answer in here. You merely need to configure your server to retrieve the correct IP from the relevant header.

Quoting the relevant part:

Original Client IP is required

In case your application requires a real client IP address, please make sure you have enabled retrieval of this value from either: "X-Forwarded-For" or "Incap-Client-IP" header. When working with Imperva your server will see Imperva IPs instead of real client IPs. However, Imperva inserts by default the original client IP address into two HTTP headers: "X-Forwarded-For" and Imperva header "Incap-Client-IP".

But notice, you should take the first IP in a given XFF value, otherwise, the use of the second header real-client-IP might be affected by 3rd party proxies, etc.

Hope that helps.

nathancy
Adam Barak
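Added example (not part of the original answers, and not Imperva or Microsoft code): one way to resolve the client IP from the headers named above and tally usage per client, honouring the headers only when the connecting peer is one of the whitelisted WAF addresses, because a request that reaches the backend any other way carries headers set by its sender. The function names, the record shape and the `198.51.100.0/24` placeholder range are assumptions, and preferring `Incap-Client-IP` over the first `X-Forwarded-For` entry is a choice made for this example.

```python
import ipaddress
from collections import Counter

# Assumption: an RFC 5737 documentation range standing in for the WAF egress
# ranges that are whitelisted at APIM; replace with your real ranges.
TRUSTED_WAF_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def _valid_ip(value):
    """Return the normalised address, or None if value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def resolve_client_ip(peer_ip, headers, trusted_nets=TRUSTED_WAF_NETS):
    """Pick the address a request should be attributed to."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_nets):
        # Not from the WAF: forwarding headers are sender-controlled, ignore them.
        return str(peer)
    h = {k.lower(): v for k, v in headers.items()}
    # Example choice: Incap-Client-IP first, then the first X-Forwarded-For entry.
    for candidate in (h.get("incap-client-ip", ""),
                      h.get("x-forwarded-for", "").split(",")[0]):
        ip = _valid_ip(candidate)
        if ip:
            return ip
    return str(peer)  # header missing or malformed: fall back to the peer

def usage_by_client(records, trusted_nets=TRUSTED_WAF_NETS):
    """Count requests per (client IP, path)."""
    counts = Counter()
    for r in records:
        ip = resolve_client_ip(r["peer"], r["headers"], trusted_nets)
        counts[(ip, r["path"])] += 1
    return counts

# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = [
    {"peer": "198.51.100.7", "path": "/orders", "headers": {"Incap-Client-IP": "203.0.113.10"}},
    {"peer": "198.51.100.8", "path": "/orders", "headers": {"X-Forwarded-For": "203.0.113.10, 192.0.2.44"}},
    {"peer": "198.51.100.7", "path": "/users", "headers": {"Incap-Client-IP": "not-an-ip"}},
    {"peer": "192.0.2.99", "path": "/users", "headers": {"Incap-Client-IP": "203.0.113.10"}},
]

if __name__ == "__main__":
    for (ip, path), n in sorted(usage_by_client(SAMPLE).items()):
        print(ip, path, n)
```

The last sample record comes from a peer outside the trusted range, so its `Incap-Client-IP` value is ignored and the request is attributed to the peer address.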
3

After raising a support request with Microsoft, we got what we wanted.

This is how we accomplished it:

  • When Imperva WAF calls APIM endpoint, it also passes Incap-Client-IP in header
  • Within APIM -> APIs -> All APIs -> Settings -> Enter header property you want to add in request log of App Insights
  • Under request log -> custom dimension -> you can see InCap-Client-IP property is added in App Insights


Now we can export this in CSV format and track usage based on client IP.

Manish Joisar
0

This is not possible with built-in reports in Azure APIM. If you can make WAF forward the client IP to APIM in a header then you could build your own reporting infrastructure, but that would be pretty elaborate.

Vitaliy Kurokhtin
  • Thanks Vitaliy for your response. OK. Client IP is important for us to capture, but capturing it and creating our own reporting infrastructure is a big task, as you mentioned. Building what APIM built-in reports provide is too much work. Is it possible if we pass on the client IP to APIM and the report will be based on it? – Manish Joisar Jun 17 '19 at 08:03
  • Not immediately possible. Out of low-investment options, your best one is to use AppInsight integration and set up logging of an extra header containing the client IP passed by WAF. Perhaps then building the required reports based on AppInsight might be simpler. – Vitaliy Kurokhtin Jun 17 '19 at 17:28
  • Thanks Vitaliy for your reply. OK. Do you have any sample implementation link available where we can add custom data to App Insights from APIM? – Manish Joisar Jun 18 '19 at 07:38
  • Can anybody help me on how to set up logging of an extra header containing the client IP to Application Insights? – Manish Joisar Jul 19 '19 at 08:20
  • Did you try this https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-app-insights ? – Vitaliy Kurokhtin Jul 19 '19 at 16:51
  • Hello Vitaliy, thanks for your reply. Yes, I have tried that too. I have added diagnostic settings in my question. But I don't see header-related info in App Insights. Actually I should see it added in the request data of App Insights, right? But I don't see it. – Manish Joisar Jul 20 '19 at 08:47
  • Hello Vitaliy / somebody from Microsoft, can you please update here on how to add header info in App Insights? – Manish Joisar Aug 05 '19 at 09:30
  • Just make sure that your API level diagnostic settings do not override global settings to log this header. If that doesn't resolve the issue, I'll need your service name to look further, or you could open a support request. – Vitaliy Kurokhtin Aug 05 '19 at 21:49