azure-api-management

APIM policy IF/When policy


Relatively new to APIM xml policies so go easy on me

I basically want a policy that checks a header name (FrontDoorID) is correct. If that header name is correct, then it straight away should allow traffic through to the API.

However, if that header name is incorrect, it should then check the IP address against the next part of the policy - an IP filter. If the IP filter matches, then it should allow traffic through.

If both are false, deny.

In summary, allow traffic through if either the header name OR the ip filter is correct.

Currently I have a policy that checks the header name and has an IP policy on it. What is happening at the minute on my policy is that traffic is being blocked from FrontDoor, even if the header name is correct, which I believe is due to the following IP filter not having the IP from the backend of FrontDoor included. The FrontDoor.Backend service tag has a lot of IPs included; it would be impractical to have to include them all in the IP filter as well.

I hope someone can make sense of this. Thank you for your help.

<policies>
    <inbound>
        <check-header name="X-Azure-FDID" failed-check-httpcode="403" failed-check-error-message="Invalid Front Door ID header." ignore-case="false">
            <value>{FrontDoorId}</value>
        </check-header>
        <ip-filter action="allow">
            <address>{IpAddress}</address>
        </ip-filter>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
</policies>



Example of a basic policy. The policy I actually have on my environment is much larger, but this highlights the problem I am having. The above does not work, as even if FrontDoorId is correct, the policy fails when IpAddress is not correct. What I want is for the policy to allow traffic if at least one is correct, but not necessarily both.

Solution

  • You need something like this in your inbound section:

    <choose>
        <!-- Only run the IP filter when the Front Door ID header is missing or wrong.
             A matching header skips the <when> body entirely, so Front Door's own
             backend IPs never need to be in the allow list. -->
        <when condition="@(context.Request.Headers.GetValueOrDefault("X-Azure-FDID") != "{FrontDoorId}")">
            <ip-filter action="allow">
                <address>{IpAddress}</address>
            </ip-filter>
        </when>
    </choose>
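The fragment above dropped into a complete inbound section, as an added example that is not the answerer's or the asker's own policy. It assumes `{{FrontDoorId}}` is an APIM named value holding the expected Front Door ID (the page wrote it as `{FrontDoorId}`), keeps the question's `{IpAddress}` placeholder, and uses a constructed `<address-range>` to show the other form `ip-filter` accepts. The second argument to `GetValueOrDefault` turns a missing header into an empty string so the comparison never sees null.

```xml
<policies>
    <inbound>
        <base />
        <!-- Allow the request if EITHER the Front Door ID header matches OR the
             caller IP is on the allow list. The header is checked first; the
             ip-filter only runs when that check fails, so the FrontDoor.Backend
             service-tag addresses never need to be listed here.
             {{FrontDoorId}} is an assumed APIM named value; {IpAddress} is the
             placeholder from the question; the address-range is a constructed
             placeholder, not a real network. -->
        <choose>
            <when condition="@(context.Request.Headers.GetValueOrDefault("X-Azure-FDID", "") != "{{FrontDoorId}}")">
                <!-- Header missing or wrong: fall back to the IP allow list.
                     ip-filter itself rejects with 403 when the caller IP is not listed. -->
                <ip-filter action="allow">
                    <address>{IpAddress}</address>
                    <address-range from="10.0.0.1" to="10.0.0.254" />
                </ip-filter>
            </when>
            <!-- No <otherwise>: a request with the correct header falls straight
                 through to the <backend> section with no further filtering. -->
        </choose>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The string comparison is case-sensitive, which matches the `ignore-case="false"` setting of the original `check-header`. Because the header value is supplied by whoever reaches the gateway, the Front Door ID should be kept as a secret named value, and this policy works best alongside restricting which networks can reach the APIM gateway at all; the policy above only decides what happens once a request has arrived.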