1

I have published an ASP.NET Core Web API on IIS. The website is hosted on a Windows Server 2019 dedicated server with a number of IP addresses. In Plesk I have set the IP address which I want the website to be bound to (let's assume it is 10.1.1.1). When I ping the domain name I see the correct IP address.

In one of the API's endpoints, there is an HTTP Request made to an external API which has access restriction to pre-defined IP addresses. If a request is made to this external API from an unknown IP it returns an error with that IP address.

Our website's IP address is set properly at the external API. However, when our API tries to connect to the external API from code it doesn't use the website's correct IP Address. It uses the first available IP address on the server. Therefore, the connection to the external API is refused.

My question is, why is the HTTP request not made from the same IP address as the website, and what can I do to make things right?

Damascus

1 Answer

1

When we bind sites to IIS, you are only binding the incoming IP address. Traditionally we would want to control and sanitize all outbound requests. If there are multiple NICs configured, the outbound traffic would be routed through the NIC that is configured with the gateway, or the NIC that is on the same subnet as the target.

If your server has multiple IP addresses defined in the same NIC, the outbound IP address from IIS hosted content is selected for you. I'm not sure if it is a round robin but I can tell you it is not in any way related to the incoming IP address that your site is bound to.

Outbound traffic is NOT associated with IIS at all; outbound traffic from IIS follows the same pathway and rules as outbound connections from all processes on your PC/server.

The general standard to avoid this issue in IIS is to use SSL and Host Header Names. That way you can host multiple sites on the same IP address, or really you are inbound address agnostic, meaning your configuration can be easily ported to other hosts without having to mess around with multiple physical or virtual IP addresses.

Following this advice from Forcing Windows Server to Use a Specific Outgoing IP Address, you can use PowerShell to exclude specific IP addresses from being used as the external source.

Assuming the IP address you want to be primary is 192.168.33.129.

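```powershell
# Address that outbound connections should originate from
$primaryIP = "192.168.0.4"
# Make sure the primary address is eligible as a source address
Set-NetIPAddress -IPAddress $primaryIP -SkipAsSource $false
# Mark every other address on every adapter as not eligible for source selection
Get-NetAdapter | Get-NetIPAddress | Where-Object { $_.IPAddress -ne $primaryIP } | ForEach-Object {
    Set-NetIPAddress -IPAddress $_.IPAddress -SkipAsSource $true
}
```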

Now all IP addresses, except the one you are designating as "primary," will be excluded from consideration as primary. We can verify this using...

```powershell
Get-NetAdapter | Get-NetIPAddress | Select-Object IPAddress,SkipAsSource
```

It must also be said that communications outside of your IIS host can be routed via VPNs and firewalls. Even if you manage to fix the internal IIS server outbound IP address, the external site will still register your network's external IP address, not the internal 192.168.0.4 on the NIC.

Most enterprise firewalls will have the ability to configure Source NAT (SNAT) rules or policies, sometimes referred to as Multipath Routing, that will allow you to bypass or negate any configuration on the IIS NIC as described above.

Chris Schaller
  • The key in your very helpful answer was **"The IP used for Outbound Traffic"**. I have used this valuable information to look for a way to achieve what I need in code, and [this solution](https://stackoverflow.com/a/66681784/8375467) had the answer. Using that code, I was able to bind the HttpClient to a specific IP. – Damascus Mar 15 '22 at 19:36
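
The per-application alternative mentioned in the comment above, binding one `HttpClient` to a chosen local address instead of changing source selection for the whole server, can look like the following. This is an added example, not code from the post or from the linked answer; it assumes .NET 5 or later (where `SocketsHttpHandler.ConnectCallback` exists), and the class name `BoundHttpClientFactory` is hypothetical.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Sockets;

// Hypothetical helper name, chosen for this example only.
public static class BoundHttpClientFactory
{
    // Returns an HttpClient whose TCP connections all originate from localAddress.
    // localAddress must be assigned to this host; otherwise Bind throws a SocketException.
    public static HttpClient Create(IPAddress localAddress)
    {
        var handler = new SocketsHttpHandler
        {
            // Invoked whenever the handler needs a new pooled connection.
            ConnectCallback = async (context, cancellationToken) =>
            {
                // Match the socket family (IPv4 or IPv6) to the address being bound.
                var socket = new Socket(localAddress.AddressFamily, SocketType.Stream, ProtocolType.Tcp)
                {
                    NoDelay = true
                };
                try
                {
                    // Port 0 lets the OS pick an ephemeral source port on the chosen address.
                    socket.Bind(new IPEndPoint(localAddress, 0));
                    await socket.ConnectAsync(context.DnsEndPoint, cancellationToken).ConfigureAwait(false);
                    // The stream owns the socket; the handler layers TLS on top for https URLs.
                    return new NetworkStream(socket, ownsSocket: true);
                }
                catch
                {
                    socket.Dispose();
                    throw;
                }
            }
        };
        return new HttpClient(handler);
    }
}

// Usage (10.1.1.1 is the address assumed in the question):
// var client = BoundHttpClientFactory.Create(IPAddress.Parse("10.1.1.1"));
```

Only this client's connections are affected; other processes on the server keep the default source selection. As the answer notes, any Source NAT between the server and the external API still decides which address that API finally sees.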