Configuring a per-site WAF policy with IP address restriction rules: Part three
As I mentioned in the introduction in
the end goal is to demonstrate how to control inbound access based on IP address restrictions
to one of my two websites running on the Windows® virtual machine (VM).
Part two of the series
laid the foundation with the the Application Gateway configuration. Now, in this final post
of the series, I walk thorough the Web Application Firewall (WAF) policy creation and test
the custom rule. I will restrict access to site2.hiteshvadgama.co.uk.
WAF policy configuration
The following steps show how to create a per-site WAF policy with an IP-based access
control rule and assign it to the Application Gateway and Site2_Listener, which we know
from the earlier
HTTP Settings section in Part two
is the listener that corresponds to site2.hiteshvadgama.co.uk.
- Search for WAF in the marketplace, select the Web Application Firewall (WAF) by Microsoft
service, and click Create.
- On the Basics tab, assign the policy to the Regional WAF (Application Gateway)
and fill in the rest of the basic details. Make sure the location you choose is the
same location as the Application Gateway WAF resource. For now, I disable the
- On the Policy settings tab, select Prevention mode. I didn’t make any changes
to the default settings in the Exclusions or Global Parameters section. You can
make changes if you want to exclude specific parts of an incoming request or modify the
request body parameters.
- On the Managed Rules tab, I kept the default OWASP 3.0 rule set. Depending on
your requirements, you might want to choose a different rule set or modify the ruleset
if certain rules are, for example, causing false positives and blocking legitimate traffic.
- On the Custom rules tab, I selected Add custom rule.
- I gave the rule a name and a priority. As a best practice, assign priority in
increments of five to make it easier to change the order of rules in the future.
- For the IF statement under Conditions, I selected IP address as the
Match Type and Does contain as the operation. For my test, I want the rule to
block access if the IP address matches my local machine, so I did an IP lookup of the
machine and added it under IP address or range.
- For the THEN statement, I selected Deny traffic and clicked Add to save the
- On the Associations tab, I clicked on Add association and selected HTTP Listener.
- Because I have only one Application Gateway, it was already pre-populated.
- In the Listeners menu, I selected Site2_Listener. This is the listener associated
with site2.hiteshvadgama.co.uk, which is the site I want to restrict access to.
- Click Review + create and Create.
- After the policy creates successfully, go ahead and review it. Notice in the Overview
blade that it is currently disabled.
When the policy is enabled, the rule I created should check the request against the
condition and block access from my local machine’s IP to site2.hiteshvadgama.co.uk
while still allowing access to site1.hiteshvadgama.co.uk.
Testing the custom rule
Before I enable the policy, I verify that I can currently access both site1 and
site2.hiteshvadgama.co.uk from my local machine. From the browser, I can reach the
simple HTML page I created on each site:
Now I go and enable the WAF policy:
When I now try to browse to site2.hiteshvadgama.co.uk, I get a
403 status error:
However, when I browse to site1.hiteshvadgama.co.uk, I still have access:
This series describes how to implement a per-site WAF policy with a custom rule to an
Application Gateway to control inbound access based on IP address-based restrictions.
Custom rules are very powerful, and you can use many other variables beyond IP address
matching to tailor rules to address-specific security policies for your web applications.
This Microsoft article
provides a great overview of the capabilities of custom rules and more advanced scenarios.
Learn more about our web application security services.
Use the Feedback tab to make any comments or ask questions. You can also start a conversation with us.