How to block anonymous IPs using Azure WAF?

We use Azure and Azure WAF and want to block proxy and VPN traffic. I see that AWS has a managed list of anonymous IPs which looks like it makes it easy to block these IPs. Does Azure have a similar service?

If not, is there any best practice for blocking requests from proxy/VPN IPs?

I see that there are a number of services (eg. IP2Location, MaxMind, Queue-it, IPHub) that provide lists of these IPs, but I’m not sure about the best way to use these to block traffic from Azure. Any advice would be much appreciated.

It is poorly documented, but there is a default feature/rule that blocks bots. This bot rule does a lot more than blocking bots. The bot rule contains malicious IPs and is updated through the Microsoft Threat Intelligence Feed. The Microsoft Threat Intelligence feed is pretty good.

Still, I can understand your question. I’m also curious if it is possible to use custom blocklists that are updated on a regular basis.

I don’t think there’s a built-in ability to pull in IP lists from other sources, but you could automate it.

  • Web call to dump list of IPs
  • Create rule definition with PowerShell
  • Apply new rule definition
  • Schedule to run daily via Azure Automation
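The four steps above, worked through as an added example (this is not code from the answer above or from Microsoft). It assumes the Az.Network module, an existing Application Gateway WAF policy, and a feed that returns one IPv4 address or CIDR per line; the feed URL, resource group, policy name and the per-condition value cap are placeholders you must replace with your own values and with the limit Azure documents for your WAF SKU. The feed is treated as untrusted input: entries are validated before they are turned into match conditions, and only rules this script owns (by name prefix) are replaced, so hand-written rules in the policy are left alone.

```powershell
# Added example: build Azure WAF custom block rules from a third-party anonymous-IP list.
# Placeholders (feed URL, resource group, policy name, value cap) are assumptions, not real values.
param(
    [string]$FeedUrl       = 'https://feed.example.invalid/anonymous-ips.txt',  # placeholder feed
    [string]$ResourceGroup = 'rg-waf-placeholder',                               # placeholder
    [string]$PolicyName    = 'wafpolicy-placeholder',                            # placeholder
    [string]$RulePrefix    = 'BlockAnonIPs',   # rules this script owns start with this prefix
    [int]$BasePriority     = 10,               # first custom-rule priority; lower runs first
    # Azure caps the number of IP ranges in one match condition; set this to the
    # limit documented for your WAF SKU (the value here is an assumption).
    [int]$MaxValuesPerCondition = 500
)

# In an Azure Automation runbook, authenticate with the account's managed identity:
# Connect-AzAccount -Identity

# Step 1: web call to dump the list of IPs. HTTPS only; transport errors stop the run.
$raw = (Invoke-RestMethod -Uri $FeedUrl -Method Get -TimeoutSec 30) -split "`r?`n"

# The feed is untrusted input: keep only syntactically valid IPv4 addresses or CIDRs,
# drop blank lines and comments, and de-duplicate.
$ipv4Cidr = '^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:/(?:3[0-2]|[12]?\d))?$'
$ips = @($raw | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') -and $_ -match $ipv4Cidr } |
    Sort-Object -Unique)

# An empty or malformed feed must not silently wipe the existing block rules.
if ($ips.Count -eq 0) { throw "Feed returned no valid entries; existing rules left untouched." }

# Step 2: create rule definitions. Chunk the list so each rule stays under the cap.
$newRules   = @()
$chunkIndex = 0
for ($i = 0; $i -lt $ips.Count; $i += $MaxValuesPerCondition) {
    $last  = [Math]::Min($i + $MaxValuesPerCondition, $ips.Count) - 1
    $chunk = $ips[$i..$last]

    $variable  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
    $condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable `
        -Operator IPMatch -MatchValue $chunk -NegationCondition $false
    $newRules += New-AzApplicationGatewayFirewallCustomRule `
        -Name ('{0}{1:D3}' -f $RulePrefix, $chunkIndex) `
        -Priority ($BasePriority + $chunkIndex) `
        -RuleType MatchRule -MatchCondition $condition -Action Block
    $chunkIndex++
}

# Step 3: apply the new definitions. Keep every rule that is not ours, then make sure
# our priorities do not collide with those rules (priorities must be unique per policy).
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroup
$kept   = @($policy.CustomRules | Where-Object { $_.Name -notlike "$RulePrefix*" })
$taken  = @($kept | ForEach-Object { $_.Priority })
$clash  = @($newRules | Where-Object { $taken -contains $_.Priority })
if ($clash.Count -gt 0) {
    throw ("Priority collision with existing rule(s): {0}" -f (($clash | ForEach-Object { $_.Priority }) -join ', '))
}

Set-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroup `
    -CustomRule ($kept + $newRules) `
    -ManagedRule $policy.ManagedRules `
    -PolicySetting $policy.PolicySettings

Write-Output ("Applied {0} block rule(s) covering {1} address range(s)." -f $newRules.Count, $ips.Count)
```

Step 4 is scheduling: import the script as an Azure Automation runbook and attach a daily schedule; running it under the account's managed identity (the commented `Connect-AzAccount -Identity` line) avoids storing credentials in the runbook. Because `Set-AzApplicationGatewayFirewallPolicy` rewrites the policy as a whole, passing the existing managed-rule set and policy settings back in is what keeps the rest of the policy intact.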

This isn’t exactly what you are looking for, but if you are using Azure Sentinel you could do the following:

  1. Get all IPs into Sentinel (syslog, etc.)
  2. Enrich the IPs to see which ones are bad
  3. Use Logic Apps to take an action based on what is returned in the JSON
  4. Block the IPs on the WAF?

As is explained here.

WAF currently has the following functions: SQL injection protection; cross-site scripting protection; protection against common web attacks such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion; protection against HTTP protocol violations; and protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers. It prevents automated tools, crawlers, and scanners from detecting common application misconfigurations (e.g. Apache, IIS, and so on). I do not know the specific operation your question refers to; this function may be difficult to achieve?