問題描述
在使用 azure 流量管理器和 azure 應用程序網關與 WAF 時實現國家級阻止 (Achieve country level blocking while using azure traffic manager and azure application gateway with WAF)
我們為託管在 Azure 虛擬機上的 MVC C# Web 應用程序使用了帶有 Web 應用程序防火牆的 azure 流量管理器和 azure 應用程序網關。
出於安全原因,我們需要允許特定的 IP 地址和在國家一級阻止訪問。但是,我們無法找到在國家/地區級別阻止訪問並允許來自該國家/地區的特定 IP 地址的方法。
您能否指導實現此目的的方法/可行性? 需要任何其他 azure 服務,或者可以通過現有服務/配置來實現。
參考解法
方法 1:
We are unable to find a way to block access at the country level and also allow specific IP addresses from that country.
From the network connectivity, the IP address only identifies the terminal device location. Also, the device location from a country is included in that country level. If you select to block some countries (for example, you can look at geo‑filtering with WAF for Azure Front Door) but this will block all IP addresses from that country as the WAF should work in front of the web app service or application gateway. So I don't think it's possible.
In fact, what you want is to allow some specific IP addresses, you can simply allow those IP addresses in the inbound rule of NSG which is associated with an application gateway subnet and whitelist your application gateway subnet in the NSG rule of backend Azure VMs without any other internet access. It will only allow that IP address to access your backend application through Azure Application Gateway. Read more details from this blog.
(by Akash Samal、Nancy Xiong)