0
votes

We have used Azure Traffic Manager and Azure Application Gateway with a Web Application Firewall for an MVC C# web application which is hosted on an Azure virtual machine.

For security reasons, we need to allow specific IP addresses and block access at the country level. But we are unable to find a way to block access at the country level and also allow specific IP addresses from that country.

Can you please guide us on a way to achieve this, or on its feasibility?
Does it need any other Azure service, or can it be achieved with the existing services/configuration?


1 Answer

1
votes

We are unable to find a way to block access at the country level and also allow specific IP addresses from that country.

From a network connectivity point of view, the IP address only identifies the terminal device location. Also, a device located in a country is included at that country level. You can select to block some countries (for example, you can look at geo-filtering with WAF for Azure Front Door), but this will block all IP addresses from that country, as the WAF should work in front of the web app service or application gateway. So I don't think it's possible.

In fact, if what you want is to allow some specific IP addresses, you can simply allow those IP addresses in the inbound rule of the NSG which is associated with the application gateway subnet, and whitelist your application gateway subnet in the NSG rule of the backend Azure VMs without any other internet access. It will only allow those IP addresses to access your backend application through Azure Application Gateway. Read more details in this blog.
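
The NSG layout described in the answer above, written as Azure CLI commands; this is an added example, not code from the answer or the linked blog. The resource group, NSG names, subnet, backend port and client addresses are constructed placeholders, and the GatewayManager rule assumes the v2 Application Gateway SKU.

```shell
#!/bin/sh
# Added example: every name and address below is a constructed placeholder.
RG="rg-web"                                  # hypothetical resource group
APPGW_NSG="nsg-appgw-subnet"                 # NSG on the Application Gateway subnet
BACKEND_NSG="nsg-backend-vms"                # NSG on the backend VM subnet
APPGW_SUBNET="10.0.1.0/24"                   # constructed gateway subnet range
ALLOWED_IPS="203.0.113.10 198.51.100.0/28"   # constructed client allow list
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print az commands, 0 = run them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# nsg_rule <nsg> <rule-name> <priority> <source prefixes or tag> <dest ports>
# $4 is left unquoted on purpose so several prefixes become separate arguments.
nsg_rule() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$1" \
    --name "$2" --priority "$3" --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes $4 \
    --destination-port-ranges "$5"
}

appgw_subnet_rules() {
  # Only the listed client addresses may reach the HTTPS listener.
  nsg_rule "$APPGW_NSG" allow-listed-clients 100 "$ALLOWED_IPS" 443
  # Application Gateway v2 needs this platform range open to the
  # GatewayManager service tag, or the gateway reports itself unhealthy.
  nsg_rule "$APPGW_NSG" allow-gateway-manager 110 GatewayManager 65200-65535
  # No Allow rule for the Internet tag: the default DenyAllInBound rule
  # (priority 65500) drops every other internet source, whatever its country.
}

backend_rules() {
  # Backend VMs accept web traffic from the gateway subnet; port 80 is an
  # assumption about the backend pool. Internet sources fall through to
  # the default DenyAllInBound rule.
  nsg_rule "$BACKEND_NSG" allow-from-appgw 100 "$APPGW_SUBNET" 80
}

appgw_subnet_rules
backend_rules
```

Run it as is to review the generated commands, then with `DRY_RUN=0` in a shell that is logged in with `az login` to apply them.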