I have the following setup in Azure:
- Public IP address (IPv4)
- Azure Application Gateway (Standard V2)
- V-NET with one subnet. AGW deployed to that subnet with 'Add IPv6 address space' checkbox disabled
- AppServices and Functions as backends
Everything is in West EU region if that matters.
I'm troubleshooting one problem and I noticed that AGW health probe does not contain an origin IPv4 address. I would expect a health probe request to originate from AGW subnet. In fact that's how it works in another environments with similar setups.
I have a simple Azure Function which I'm using for testing, it logs a list of IP addresses in X-Forwarded-From
header. Nothing fancy really:
if (request.Headers.TryGetValues("X-Forwarded-For", out var values)){
foreach(var val in values) log.LogInformation($"IP:{val}");
}
- When I call this function directly I can see one IP address there (an IP of my PC).
- When I call the AGW I can see three IPs (My PC's, Cloudflare's and one unknown IPv6 (???)).
- When AGW performs a health probe I can see just one IPv6 entry (same as above)
Where does this IPv6 (fde4:8dba:1200:xxxx:xxxx:xxx:xxxx:x
, looks like a ULA to me) address come from? Why don't I see an IPv4 address from the Subnet range?
And how can I enforce the IPv4 address to be present?
This situation breaks my IIS IP restriction rules.
I know I can whitelist IPv6 too:
<add ipAddress="2001:4898:2a:5:c4ad:9291:22b1:c870" subnetMask="ffff:ffff::" allowed="true" />
but that doesn't solve the mystery.
Make sure that you do not have the Microsoft.Web service endpoint enabled in your Application Gateway's subnet. That will cause traffic to App Services to be sent via that IPv6 endpoint instead of from the Application Gateway's public IP address.