How to preserve the Client IP that is amended by Azure Front Door, another amendment by App Gateway before reaching Azure APIM

Bi Tan 40 Reputation points
2024-07-16T00:28:41.8333333+00:00

Hi,

My setup is configured with Azure Front Door + Azure WAF --> Azure App Gateway + WAF --> Azure API Management.

The diagnostic data logs are kept with Azure Monitor.

I am trying to configure in bound throttling policy on APIM to rate limit user based on IP. However, the Client IP that returns from the logs of APIM seems to be the IP address of App Gateway, and the Client IP that returns from the logs of App Gateway seems to be the IP address of Front Door. Hence, I could not setup any policy on APIM to restrict user access based on IP addresses.

I have reviewed the other Q&A and Microsoft documentation, and is aware that the original Client IP is preserved via a request header X-Forwarded-For when the request is flowing through Front Door --> App Gateway and App Gateway --> APIM.

I have tried the Remove port information from the X-Forwarded-For header solution (both {var_add_x_forwarded_for_proxy} and {var_add_client_ip}) on App Gateway, but the clientIP in the Azure Monitor Logs for App Gateway is still returning Front Door's IPs and APIM is still returning App Gateway's IPs.

Can you please assist and advise how can I preserve/overwrite/create a variable in APIM to be used to setting up an in-bound policy?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,193 questions
Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
696 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,087 questions
Azure Web Application Firewall
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,536 Reputation points Microsoft Employee
    2024-08-06T00:27:36.6266667+00:00

    @Bi Tan

    Thank you for getting back and letting us know that you have applied rate limiting feature of Azure Front Door WAF instead.

    The other reason that I would like to utilize the original client IP addresses is to be able to conduct proactive monitoring and setting up alerts at APIM to pick up any unusual/undesired usage behavior from the API users (leaking of API Subscription Keys, etc...).@Ben Gimblett did mention the possibility to extract the original IP from the XFF value, can you/Chaitanya please elaborate this further how to achieve this, as I am fairly new to Azure services.

    Based on Ben's response above. As the request will be forwarded by the Front Door to Application Gateway, the X-Forwarded-For (XFF) HTTP header field will be appended by the Front Door with client's IP, more details here. Azure Application Gateway will also do the same see the image below
    User's image

    As documented here for Azure Application Gateway the format for x-forwarded-for header is a comma-separated list of IP:port.

    If you do not need the port information you can use server variables in Application Gateway

    as documented here using the add_x_forwarded_for_proxy server variable to remove the port information.

    User's image

    Later in the APIM side you can use policy to fetch the client IP address from the XFF header.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.