We're looking to use Application Gateway as a frontend\proxy for a website we host onsite. The website has a public IP but we'd like to restrict access to the site to only traffic coming from the Application Gateway. Is there a way to determine what IP the traffic would be coming from as it exits Azure? Is it like other Azure traffic where it could come from any IP subnet they have assigned to that specific region? I haven't seen this question asked and it's not directly referenced in any of MS documentation that I can find.

Thanks!

1 Answer

Not sure why you want to restrict access to the site to only traffic coming from the Application Gateway, because if you configure it and add the website to the backend of the Application Gateway, the traffic from a client will always reach the website through the Application Gateway. The Application Gateway works as an application proxy: it accepts traffic and, based on the rules defined on it, routes the traffic to the appropriate back-end instances.

You may want to restrict access on the application gateway subnet via an NSG. Then the inbound or outbound traffic in the Application Gateway subnet will be filtered by the NSG.

Network Security Groups (NSGs) are supported on the application gateway subnet with the following restrictions:

Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU and ports 65200-65535 for the v2 SKU. This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.

Outbound internet connectivity can't be blocked.

Traffic from the AzureLoadBalancer tag must be allowed.

Hope this will help, let me know if you have any other concerns.

Update

If you just want to whitelist the Azure service on the firewall, you can read the Azure Datacenter IP Ranges. You can figure out which datacenters your service is located in and then narrow down the IP ranges.

4 Comments

Thanks, Nancy. The website we host onsite is actually just a web service that only exists for API communication to our cloud-hosted CRM. Currently, the API traffic only comes from a few possible IPs and we're only allowing traffic through our firewall from those IPs. In an upcoming update the CRM traffic will potentially be coming from thousands of IP addresses and we're hoping to avoid adding all of those IPs to our firewall or opening the web service up to the world. The service is password protected and encrypted with SSL; we're just trying to keep things locked down as much as possible.
Do you want to find the outgoing traffic IP address from the cloud-hosted CRM? What is your specific cloud-hosted CRM?
If you just want to whitelist the Azure service on the firewall, you can read the Azure Datacenter IP Ranges. You can figure out which datacenters your service is located in and then narrow down the IP ranges.
I think whitelisting the Azure Datacenter IP Ranges for the Azure region of our Application Gateway is what we'll need to do. It's more IPs than I was hoping to have to add to our firewall, but is likely the best solution. Thanks!
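The approach the thread settles on (allow only the Azure ranges for the gateway's region, narrowed as far as possible) worked through as an added example; this is not code from the original thread or from Microsoft. It assumes the JSON shape of Microsoft's downloadable "Azure IP Ranges and Service Tags" file (a `values` list whose entries carry `properties.region`, `properties.systemService` and `properties.addressPrefixes`); the sample document below and its documentation-range prefixes are constructed.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the Azure IP Ranges and Service Tags JSON.
# Real downloads hold thousands of entries; these prefixes are RFC 5737/3849 documentation ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "ApplicationGateway.EastUS",
         "properties": {"region": "eastus", "systemService": "AzureApplicationGateway",
                        "addressPrefixes": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:1::/48"]}},
        {"name": "ApplicationGateway.WestUS",
         "properties": {"region": "westus", "systemService": "AzureApplicationGateway",
                        "addressPrefixes": ["198.51.100.0/24"]}},
        {"name": "Storage.EastUS",
         "properties": {"region": "eastus", "systemService": "AzureStorage",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})


def region_prefixes(service_tags_json, region, system_service=None, ipv4_only=True):
    """Return the collapsed prefixes published for one region.

    system_service (assumed tag value, e.g. 'AzureApplicationGateway') narrows the
    allowlist below the whole region; None keeps every service in that region.
    """
    data = json.loads(service_tags_json)
    nets = []
    for entry in data["values"]:
        props = entry["properties"]
        if props.get("region", "").lower() != region.lower():
            continue
        if system_service and props.get("systemService") != system_service:
            continue
        for prefix in props["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if ipv4_only and net.version != 4:
                continue
            nets.append(net)
    # Merge adjacent/overlapping prefixes per address family so the firewall needs fewer rules.
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return [str(n) for n in list(v4) + list(v6)]


def firewall_rules(prefixes, port=443):
    """Render one allow rule per prefix (generic rule text, not a specific vendor's syntax)."""
    return [f"allow tcp from {p} to any port {port}" for p in prefixes]
```

Re-run it against each new monthly download, since the published ranges change and stale entries either block the gateway or leave retired space open.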
