Allow access through WAF only for whitelisted IPs

Hello @Raphael Pereira ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like all your Application gateway domains that contain "staging" in their name to be accessible only by a list of whitelisted IPs.

This is possible via custom WAF rule as you mentioned.

Allowing and blocking traffic is simple with custom rules. For example, you can block all traffic coming from a range of IP addresses.

Refer: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules#example-5

As mentioned by @Michael Cameron above, you can protect multiple sites with differing security needs behind a single WAF by using per-site policies.

You can have separate WAF policies (one for each listener) to customize the exclusions, custom rules, managed rule sets, and all other WAF settings for each site.

Refer: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/policy-overview#per-site-waf-policy

https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/per-site-policies

So, you can associate WAF policies to all listeners with "staging" domain name with custom WAF rules to allow the IP addresses you need.

The best way to whitelist the IP addresses is to create a custom WAF rule with all the IP addresses with operation "does not contain" and condition as "Deny" as below:

Refer: https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020

https://video2.skills-academy.com/en-us/answers/questions/1179573/how-to-define-ip-whitelist-in-azure-application-ga

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.