Good day,
As we know, creating IP based TLS binding (contrary to SNI binding) allocates a dedicated IP address to App Service webapp. But it still remains accessible via the IP shared with other webapps (including webapps of other customers).
In some situations I'd prefer to allow traffic via the dedicated IP only, blocking traffic via the shared one. Is it possible somehow to unbind the webapp from the shared endpoint?
(Why would I prefer this? Let's say I place some WAF-as-a-service in front of this app, so it would inspect the traffic. I can use Access Restrictions to limit access to my app to the WAF address ranges only, but this won't help if an attacker opens an account on the same WAF and points his own site to my IP. A remedy for this: the WAF service can register this IP as dedicated to my account, so other WAF users won't be able to point their sites to it. But, of course, I cannot do this with the shared Azure IP, because then legitimate WAF users having sites on Azure App Services would be affected.)
Thanks, Mucius.
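The gap the question describes can be made concrete by modelling how Access Restrictions are evaluated. The script below is an added example, not code from the original post or from Azure: it parses a constructed `az webapp show`-style JSON document (the `inboundIpAddress` and `possibleInboundIpAddresses` properties are real site properties, the address values are documentation ranges chosen for illustration), builds an `ipSecurityRestrictions`-shaped rule list from assumed WAF egress ranges, and evaluates requests against it. Because the rules match on the source address only, the same WAF-sourced request is allowed whether it arrives at the dedicated IP or at one of the shared ones, which is exactly why Access Restrictions alone do not close the shared-IP path.

```python
import ipaddress
import json

# Constructed sample shaped like `az webapp show` output for a site that has an
# IP-based TLS binding. Addresses are RFC 5737 documentation ranges, not real ones.
SAMPLE_SITE_JSON = """
{
  "name": "contoso-web",
  "inboundIpAddress": "203.0.113.10",
  "possibleInboundIpAddresses": "203.0.113.10,198.51.100.20,198.51.100.21"
}
"""

# Assumed WAF egress ranges; a real WAF vendor publishes its own list.
WAF_EGRESS_RANGES = ["192.0.2.0/24"]


def classify_inbound_ips(site_json):
    """Split a site's inbound addresses into (dedicated_ip, shared_ips).

    With an IP-based TLS binding, inboundIpAddress is the dedicated address;
    every other entry in possibleInboundIpAddresses is a stamp-wide shared one.
    """
    site = json.loads(site_json)
    dedicated = site["inboundIpAddress"]
    possible = [ip.strip() for ip in site["possibleInboundIpAddresses"].split(",") if ip.strip()]
    shared = [ip for ip in possible if ip != dedicated]
    return dedicated, shared


def build_restrictions(allowed_cidrs):
    """Build an ipSecurityRestrictions-style list: one Allow per WAF range, then a catch-all Deny."""
    rules = []
    for i, cidr in enumerate(allowed_cidrs):
        rules.append({"name": f"waf-{i}", "action": "Allow", "ipAddress": cidr, "priority": 100 + i})
    rules.append({"name": "deny-all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647})
    return rules


def evaluate(rules, source_ip, destination_ip):
    """Return the action of the first matching rule in priority order.

    destination_ip is accepted only to make the point explicit: the decision
    depends on the source address alone, so a request reaching a shared inbound
    IP is judged exactly like one reaching the dedicated IP.
    """
    del destination_ip  # intentionally unused
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["ipAddress"] == "Any" or src in ipaddress.ip_network(rule["ipAddress"], strict=False):
            return rule["action"]
    return "Allow"  # an empty rule set means the site is unrestricted


def exposure_report(site_json, allowed_cidrs, source_ip):
    """Map every inbound IP of the site to the decision a request from source_ip gets."""
    dedicated, shared = classify_inbound_ips(site_json)
    rules = build_restrictions(allowed_cidrs)
    return {ip: evaluate(rules, source_ip, ip) for ip in [dedicated, *shared]}


if __name__ == "__main__":
    # A request that really comes from the WAF range is allowed on every inbound IP,
    # including the shared ones; a direct request from elsewhere is denied everywhere.
    for src in ("192.0.2.5", "198.51.100.99"):
        print(src, exposure_report(SAMPLE_SITE_JSON, WAF_EGRESS_RANGES, src))
```

The report is what a practitioner would want to look at before relying on the WAF: every address in the shared column is one the WAF provider cannot reserve for a single tenant, so traffic arriving there must be accounted for separately (for instance by the gateway-based design the answer below describes).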
Apparently, it cannot be done without additional components. But if I do this:
then this problem is solved, since the Gateway's IP is not shared with other customers.