0

I'm trying to secure access to a very simple app running in an Azure App Service. This app accepts HTTP POST requests (HTTPS unavailable) from a vendor and writes the output to Azure Queue Storage.

Currently I'm using an inbound traffic restriction to whitelist the vendor's IP ranges. In terms of security, am I better off putting the app behind an Application Gateway with WAF enabled?

I've also looked at the possibility of adding a Service Endpoint, then using a DNAT rule on the Azure Firewall to redirect traffic but am unsure if this would be sufficient either.

Any advice would be most appreciated.

1 Answer

0

To restrict the set of IP addresses to the Azure Web App Service, please try the below, as mentioned in this MsDoc:

Go to Azure Portal -> App Services -> Select your App -> Networking -> Add rule

Otherwise, you can add a routing rule as mentioned in this blog by Patrick like below:

Go to Azure Portal -> Application Gateway -> Your Application Gateway -> Rules -> Add a routing rule

Please refer to the links below, which might give you a pointer to solve the issue:

Azure Application Gateway locked down route to app service by johnstaveley

azure-docs/app-service-ip-restrictions.md by Mads Damgård

Rukmini
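The App Service "Add rule" step in the answer above has an Azure CLI equivalent. As an added example (not part of the original answer), this script validates each vendor range and prints the matching `az webapp config access-restriction add` commands for review; the resource group, app name and IP ranges are constructed placeholders.

```shell
#!/bin/sh
# Added example. rg-example, app-example and the ranges are placeholders
# (the ranges come from the RFC 5737 documentation blocks).

# Return 0 only for a well-formed IPv4 CIDR with a prefix of /1 to /32.
# The body runs in a subshell so the IFS change does not leak to the caller.
valid_cidr() (
  case $1 in
    *[!0-9./]* | */*/* | /* | */ ) return 1 ;;  # digits, dots, one slash only
    */*) ;;
    *) return 1 ;;                               # no prefix length given
  esac
  ip=${1%/*} prefix=${1#*/}
  case $prefix in *.* | ???*) return 1 ;; esac
  # A /0 rule would allow every source address, so it is refused here.
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  case $ip in *..* | .* | *.) return 1 ;; esac   # no empty octets
  IFS=.; set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
)

# Print one allow rule per vendor range, priorities ascending from 100.
# This is a dry run: nothing is sent to Azure until the output is executed.
# Once any allow rule exists, App Service appends an implicit deny-all rule.
build_rules() {
  rg=$1 app=$2 prio=100 n=1
  shift 2
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "rejected range: $cidr" >&2; return 1; }
    echo "az webapp config access-restriction add" \
      "--resource-group $rg --name $app" \
      "--rule-name vendor-$n --action Allow" \
      "--ip-address $cidr --priority $prio"
    prio=$((prio + 10)) n=$((n + 1))
  done
}

build_rules rg-example app-example 203.0.113.0/24 198.51.100.16/28
```

After applying the printed commands, `az webapp config access-restriction show` with the same `--resource-group` and `--name` lists the rules in effect.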