8

I have Azure Application Gateway and API Management configured in this setup https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway - Application Gateway is the public endpoint and only defined routes are passed through to API Management.

I want to use the ip-filter policy to restrict calls to certain IP addresses. However, when calls are coming through Application Gateway, the original client IP address is lost or obfuscated to IP 0.0.0.0.

Is there a way to keep the original client IP address and pass it through from Application Gateway to API Management?

Kai Walter

1 Answer

5

You might find this article useful: https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works#modifications-to-the-request

An application gateway inserts four additional headers to all requests before it forwards the requests to the backend. These headers are x-forwarded-for, x-forwarded-proto, x-forwarded-port, and x-original-host. The format for x-forwarded-for header is a comma-separated list of IP:port.

Alex S
  • You are right. I already checked the HTTP header x-forwarded-for - it would allow implementing some block logic of my own as a fallback with this policy expression https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#CheckHTTPHeader. – Kai Walter Nov 19 '19 at 04:22
  • I checked and for me this solution is not working, as the Request-X-Forwarded-For HTTP header contains varying port information, which makes it impossible to filter for a defined set of IP addresses. The other headers suggested in this solution do not contain the required information to filter on. – Kai Walter Nov 19 '19 at 10:53
  • OK, if I reduce the header value before doing the check, it works: @{ string headerValue = context.Request.Headers.GetValueOrDefault("x-forwarded-for",""); string[] tokens = headerValue.Split(':'); if(tokens.Length == 2) { headerValue = tokens[0]; } return headerValue; } – Kai Walter Nov 19 '19 at 11:47
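
The header handling discussed in this thread, as an added example that is not code from the question, the answer or the comments: it strips the port from an x-forwarded-for entry and also covers the comma-separated list and IPv6 cases that a single split on ':' does not. The class and method names and the sample header values are constructed for illustration, and it assumes the gateway appends the address it observed as the last entry of the list, so that earlier entries are whatever the caller sent.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical helper; standalone console program, not an API Management policy.
public static class ForwardedFor
{
    // Accepts "203.0.113.7:51234", "[2001:db8::1]:443" or a bare address.
    // Returns null when the entry is not a valid IP address.
    public static IPAddress ParseEntry(string entry)
    {
        string s = entry.Trim();
        if (s.StartsWith("["))                     // bracketed IPv6, optional port
        {
            int close = s.IndexOf(']');
            if (close < 0) return null;
            s = s.Substring(1, close - 1);
        }
        else if (s.IndexOf(':') >= 0 && s.IndexOf(':') == s.LastIndexOf(':'))
        {
            s = s.Substring(0, s.IndexOf(':'));    // exactly one colon: IPv4:port
        }
        IPAddress ip;
        return IPAddress.TryParse(s, out ip) ? ip : null;
    }

    // Assumption: only the last entry was written by the gateway itself;
    // anything before it arrived with the request and can be forged.
    public static IPAddress ClientAddress(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        string[] entries = headerValue.Split(',');
        return ParseEntry(entries[entries.Length - 1]);
    }

    // Fails closed: a missing or unparsable header is never allowed.
    public static bool IsAllowed(string headerValue, ISet<IPAddress> allowed)
    {
        IPAddress ip = ClientAddress(headerValue);
        return ip != null && allowed.Contains(ip);
    }

    public static void Main()
    {
        var allowed = new HashSet<IPAddress> { IPAddress.Parse("203.0.113.7") };
        string[] samples = { "203.0.113.7:51234", "203.0.113.7:40001, 198.51.100.9:443",
                             "198.51.100.9:1, 203.0.113.7:2", "[2001:db8::1]:443", "" };
        foreach (string h in samples)
            Console.WriteLine($"{h,-40} -> {IsAllowed(h, allowed)}");
    }
}
```

The second sample shows why the position matters: an allowed address placed first in the list by the caller does not pass, because only the final entry is compared.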