Hi @Shubham Sanap ,
Thank you for reaching out on Microsoft Q&A forum.
When you whitelist a public IP address in an Azure Front Door WAF policy, access can still fail if other Front Door or WAF conditions are blocking the request. Azure Front Door WAF evaluates the source IP it actually sees, not necessarily the IP shown on the client side. Microsoft documents that IP restriction rules should typically use the SocketAddr match variable, which represents the source IP seen by the WAF. If traffic is coming through a proxy, VPN, or corporate firewall, the visible public IP may differ from what the WAF evaluates, causing the rule not to match as expected. [learn.microsoft.com]
Another common cause is custom rule logic and priority. For allow‑list scenarios, Microsoft recommends using a “block all except allowed IPs” pattern (for example, Does not contain with Block action), because rule evaluation stops when a matching rule is hit. If an allow rule is used incorrectly or has a lower priority than a broader block rule, traffic can still be denied even from a whitelisted IP. [learn.microsoft.com]
To confirm whether the block is coming from WAF, we recommend checking WAF diagnostic logs in Log Analytics. These logs show the evaluated client IP, the rule that matched, and whether the request was blocked by WAF or forwarded to the backend. This is the authoritative way to determine why a request is denied.
If the above information isn't helpful or if you are stuck, please share the details requested over Private message.
If the answer is helpful, please 'Accept the answer' and kindly upvote it. If you have extra questions about this answer, please click "Comment".
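As an added illustration (not part of the answer above and not Microsoft's own code), here is a small Python model of the priority-ordered, first-match evaluation the answer describes, with the rules written in the shape of the customRules section of a Front Door WAF policy. The IP ranges, rule names, the proxy scenario and the simplified evaluator are constructed assumptions; only SocketAddr with IPMatch is modelled.

```python
"""Constructed model of Front Door WAF custom-rule evaluation (example only).
Shows why 'block all except allowed IPs' works while an Allow rule placed
behind a broader Block rule still denies an allow-listed address."""
import ipaddress

ALLOWED = ["203.0.113.0/24", "198.51.100.7"]  # constructed allow-list

# Recommended pattern: one rule that blocks every source NOT in the allow-list.
DENY_ALL_EXCEPT_ALLOWED = [
    {"name": "DenyAllExceptAllowed", "priority": 100, "ruleType": "MatchRule",
     "action": "Block",
     "matchConditions": [{"matchVariable": "SocketAddr", "operator": "IPMatch",
                          "negateCondition": True, "matchValue": ALLOWED}]},
]

# Misconfiguration: an Allow rule with a lower precedence (higher number) than
# a broader Block rule whose range already covers the office addresses.
MISORDERED = [
    {"name": "BlockBroadRange", "priority": 10, "ruleType": "MatchRule",
     "action": "Block",
     "matchConditions": [{"matchVariable": "SocketAddr", "operator": "IPMatch",
                          "negateCondition": False, "matchValue": ["203.0.0.0/8"]}]},
    {"name": "AllowOffice", "priority": 20, "ruleType": "MatchRule",
     "action": "Allow",
     "matchConditions": [{"matchVariable": "SocketAddr", "operator": "IPMatch",
                          "negateCondition": False, "matchValue": ALLOWED}]},
]

def ip_match(socket_addr, values):
    ip = ipaddress.ip_address(socket_addr)
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)

def condition_matches(cond, request):
    # The WAF evaluates the socket source address, not the public IP the
    # client believes it has; a proxy or VPN egress changes what is seen here.
    assert cond["matchVariable"] == "SocketAddr" and cond["operator"] == "IPMatch"
    hit = ip_match(request["socket_addr"], cond["matchValue"])
    return (not hit) if cond["negateCondition"] else hit

def evaluate(rules, request):
    """Return (action, rule_name). Lower priority number runs first and
    evaluation stops at the first rule whose conditions all match."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, request) for c in rule["matchConditions"]):
            return rule["action"], rule["name"]
    return "Allow", None  # no custom rule matched; managed rules would run next

if __name__ == "__main__":
    office = {"socket_addr": "203.0.113.25"}
    via_proxy = {"socket_addr": "192.0.2.9"}  # user sees 203.0.113.25, WAF does not
    print(evaluate(DENY_ALL_EXCEPT_ALLOWED, office))     # ('Allow', None)
    print(evaluate(DENY_ALL_EXCEPT_ALLOWED, via_proxy))  # ('Block', 'DenyAllExceptAllowed')
    print(evaluate(MISORDERED, office))                  # ('Block', 'BlockBroadRange')
```

The last case is the one the answer warns about: the allow-listed office address is still denied because the broader Block rule matches first. Compare the rule name printed here with the rule name in the WAF diagnostic logs to confirm which rule is actually firing.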