I have Azure Application Gateway and API Management configured in this setup https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway - Application Gateway is the public endpoint and only defined routes are passed through to API Management.

I want to use the ip-filter policy to restrict calls to certain IP addresses. However, when calls are coming through Application Gateway, the original client IP address is lost or obfuscated to IP 0.0.0.0.

Is there a way to keep the original client IP address and pass it through from Application Gateway to API Management?

1 Answer

You might find this article useful: https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works#modifications-to-the-request

An application gateway inserts four additional headers to all requests before it forwards the requests to the backend. These headers are x-forwarded-for, x-forwarded-proto, x-forwarded-port, and x-original-host. The format for x-forwarded-for header is a comma-separated list of IP:port.

  • You are right. I already checked the HTTP header x-forwarded-for - it would allow implementing our own blocking logic as a fallback with this policy expression learn.microsoft.com/en-us/azure/api-management/….
    – Kai Walter
    Nov 19, 2019 at 4:22
  • I checked and for me this solution is not working, as the Request-X-Forwarded-For HTTP header contains varying port information, which makes it impossible to filter for a defined set of IP addresses. The other headers suggested in this solution do not contain the required information to filter on.
    – Kai Walter
    Nov 19, 2019 at 10:53
  • OK, if I reduce the header value before doing the check, it works:
    <set-header name="X-Forwarded-For" exists-action="override">
      <value>@{
        string headerValue = context.Request.Headers.GetValueOrDefault("x-forwarded-for","");
        string[] tokens = headerValue.Split(':');
        if(tokens.Length == 2) { headerValue = tokens[0]; }
        return headerValue;
      }</value>
    </set-header>
    <check-header name="X-Forwarded-For"...
    – Kai Walter
    Nov 19, 2019 at 11:47
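
The header handling discussed in the answer and comments above, as an added example that is not part of the original thread and is not API Management policy code: it shows, in Python so it can be run offline, the parsing an allowlist check on x-forwarded-for needs (comma-separated entries, varying ports, IPv6). It assumes the gateway appends the address it saw as the last entry, so earlier entries may be client-supplied; the allowlist ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed allowlist for illustration (documentation address ranges).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:aa::/48"),
]


def strip_port(entry):
    """Return the IP part of one X-Forwarded-For entry, or None if invalid.

    Handles 'IPv4:port', '[IPv6]:port', bare IPv4 and bare IPv6.
    """
    entry = entry.strip()
    if entry.startswith("["):                 # [IPv6]:port or [IPv6]
        host, sep, _ = entry[1:].partition("]")
        if not sep:
            return None
    elif entry.count(":") == 1:               # IPv4:port
        host = entry.split(":", 1)[0]
    else:                                     # bare IPv4 or bare IPv6
        host = entry
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def client_ip(xff_header):
    """IP of the last entry (assumed gateway-appended); None if unusable."""
    if not xff_header:
        return None
    return strip_port(xff_header.split(",")[-1])


def is_allowed(xff_header, networks=ALLOWED_NETWORKS):
    """Fail closed: a missing or unparseable header is rejected."""
    ip = client_ip(xff_header)
    return ip is not None and any(ip in net for net in networks)
```

Because only the last entry is evaluated, a request that arrives with an allowed address already placed in x-forwarded-for by the caller is still judged on the address the gateway recorded.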
