Use ip-filter policy for the True-Client-IP header value set by CloudFlare

Andrei Croitoriu 21 Reputation points
2020-07-16T07:42:38.137+00:00

Hello,
I'm using Azure API Management to expose a series of APIs we're developing. All traffic that gets to our API Management goes via CloudFlare and because of that the IP of the client making the call is available only in the True-Client-IP header that CloudFlare exposes (I have no control over the CloudFlare part and apparently that's the only way we'll get the real client IP address).
We want to implement IP filtering in our APIs using the ip-filter policy that API Management exposes (https://video2.skills-academy.com/en-us/azure/api-management/api-management-access-restriction-policies#RestrictCallerIPs) - what is not clear is what value does the ip-filter policy use to compare against the allow/deny IPs provided in the policy and is it possible to instruct the ip-filter policy to use the IP present in the True-Client-IP header passed by CloudFlare?

Thank you in advance for your assistance!
Andrei

Azure API Management

Accepted answer
  1. Pramod Valavala 20,606 Reputation points Microsoft Employee
    2020-07-16T08:07:37.577+00:00

    The built-in ip-filter policy uses the value from context.Request.IpAddress and there is no way to configure this otherwise. The alternative would be to implement the validation logic using policy expressions.

    Here is a sample that highlights how something like this can be achieved when APIM receives requests from Application Gateway. This is remarkably similar to your own scenario and should work with minor changes (like the header name for instance).

    1 person found this answer helpful.
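
One way to write the policy-expression check described in the accepted answer, as an added example (it is not the sample linked in the answer and not Microsoft's code). It assumes requests reach API Management only through the proxy: the header is trustworthy only when the request really came from the proxy, so the built-in ip-filter first limits callers to the proxy's range. Every address is a placeholder, and the variable name `clientIp` is an assumption.

```xml
<!-- Added example. All addresses below are placeholders from documentation ranges. -->
<policies>
  <inbound>
    <base />
    <!-- Step 1: context.Request.IpAddress is the proxy in this setup, so the
         built-in ip-filter admits only the proxy's egress range (placeholder). -->
    <ip-filter action="allow">
      <address-range from="192.0.2.0" to="192.0.2.255" />
    </ip-filter>
    <!-- Step 2: read the client address the proxy placed in True-Client-IP.
         A missing header becomes an empty string. -->
    <set-variable name="clientIp"
        value="@(context.Request.Headers.GetValueOrDefault("True-Client-IP", "").Trim())" />
    <!-- Step 3: fail closed. Anything not on the allow list, including an
         empty or missing header, gets 403. -->
    <choose>
      <when condition="@{
          var allowed = new [] { "198.51.100.10", "198.51.100.11" };
          var ip = (string)context.Variables["clientIp"];
          return !allowed.Contains(ip);
      }">
        <return-response>
          <set-status code="403" reason="Forbidden" />
        </return-response>
      </when>
    </choose>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The allow list here is an exact string match on single addresses; range matching would need additional expression logic.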
