I have a RESTful API hosted on Azure. In order to restrict access to it, instead of implementing authentication/authorization I’ve decided to place it behind the API Management service (APIM) and set an IP filter.
My ultimate goal is to allow only my Netlify-hosted site to access it. But in order to do that I will need to make sure that my site is behind a single IP address that doesn’t change. The reason for that is that I’ve noticed multiple cases where people are making requests to my API (probably from Postman, cURL or whatever HTTP client) without visiting my website.
Disclaimer: I am not a networking expert. I suppose that my site probably gets hosted dynamically on different IP addresses, but anyway I decided to reach out for help.
It is possible to achieve your goal, but not in the way you have described.
The only static IP we have is our load balancer, but that is only for incoming traffic, since it is actually a group of CDN nodes and each individual CDN node has its own IP for outgoing connections, such as the ones to your site when you proxy to it from our service. We do not publish that address list anywhere (and it changes a lot).
So, how can you ensure that only Netlify traffic hits your backend? I am assuming you already proxy to the backend rather than calling it directly, and then you can use signed redirects to confirm the request comes from Netlify: Rewrites and proxies | Netlify Docs
My Netlify-hosted site (React.js application) directly calls the back-end (Azure-hosted ASP.NET Core WebAPI). What would be the proxy in that case?
The back-end (Azure App Service) is “wrapped” with the Azure API Management service (APIM), as I have already mentioned. APIM is the place where different kinds of rules and restrictions can be configured for the back-end.
Or are you saying that before my request goes from the website to the back-end, Netlify can add some custom headers to it that I can check for in the back-end?
Hi, @iuris.services.inc. When you proxy a request using Netlify, the IP address for the proxied request will be the IP address for the CDN node the client is connecting to.
Let’s pretend my IP address is 1.1.1.1 (that is Cloudflare’s IP address, not mine, but let’s pretend I’m that awesome). Let’s say your Azure backend is 9.9.9.9 (which it isn’t, but let’s pretend for simplicity’s sake).
So, if I make a request to a proxied URL, my IP address connects to one of the many IP addresses that Netlify uses. Those IP addresses are subject to change at any time, and there are multiple IP addresses for individual geographic regions. In other words, there will almost always be multiple IP addresses used.
Right now one of the IP addresses near me is 138.197.207.178.
The TCP packet flow looks like this:
1.1.1.1 (my computer) makes an HTTP request for the URL to 138.197.207.178.
138.197.207.178 sees this is a URL that should be proxied so it transforms the URL to the proxy target version and makes a new HTTP request to your backend at 9.9.9.9.
9.9.9.9 then sends the HTTP response to 138.197.207.178.
138.197.207.178 proxies that response back to the client at 1.1.1.1.
There are currently more than 80 IPv4 addresses for the standard CDN (and additional IPv6 addresses as well). These 80+ IP addresses are the IP addresses your backend will see the requests coming from. There is no way to use a single IP address.
For the header solution @fool mentioned, you can add custom headers to the proxied request and filter out any requests missing that header. The documentation for adding a header when proxying can be found here: