Locking down Azure App service access to an IP range

Dan Adams 6 Reputation points
2022-07-21T08:49:08.093+00:00

I'm trying to secure access to a very simple app running in an Azure App Service. This app accepts HTTP POST requests (HTTPS unavailable) from a vendor and writes the output to Azure Queue Storage.

Currently I'm using an inbound traffic restriction to whitelist the vendor's IP ranges. In terms of security, am I better off putting the app behind an Application Gateway with WAF enabled?

I've also looked at the possibility of adding a Service Endpoint, then using a DNAT rule on the Azure Firewall to redirect traffic but am unsure if this would be sufficient either.

Any advice would be most appreciated.

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
656 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,052 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,675 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SnehaAgrawal-MSFT 21,426 Reputation points
    2022-07-26T07:01:59.177+00:00

    If understanding right you are looking for securing inbound traffic, you can set your web app to inbound traffic routed through your Application Gateway to your app and then enable Web Application Firewall (WAF) support on your Application Gateway.

    Check this article link might be helpful in getting better picture of this: Zero to Hero with App Service, Part 6: Securing your web app

    Please let us know if further query or issue remains.

    1 person found this answer helpful.
    0 comments
  2. Jackson Martins 10,151 Reputation points MVP
    2022-07-21T15:07:59.79+00:00

    Hi @Dan Adams

    For Azure Web App, the best solution is Web Application Firewall (WAF) because it is cloud-native for applications, or use other solution from another specific vendor for this (Barracura, F5, Fortinet)

    Azure firewall focuses on securing your Azure Virtual Network resources (VNET, Express Route, HubSpoke and others)

    Get in touch if you need more help with this issue.

    --please don't forget to "Accept the answer" if the reply is helpful--

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.