Merge pull request #89473 from teresayao/patch-7

PRMerger8 · web-flow · commit 61c600d3813c · 2019-09-23T15:11:26.000-07:00
Update waf-front-door-configure-ip-restriction.md
diff --git a/articles/frontdoor/waf-front-door-configure-ip-restriction.md b/articles/frontdoor/waf-front-door-configure-ip-restriction.md
@@ -21,6 +21,8 @@ An IP address–based access control rule is a custom WAF rule that lets you con
 
 By default, your web application is accessible from the internet. If you want to limit access to clients from a list of known IP addresses or IP address ranges, you may create an IP matching rule that contains the list of IP addresses as matching values and sets operator to "Not" (negate is true) and the action to **Block**. After an IP restriction rule is applied, requests that originate from addresses outside this allowed list receive a 403 Forbidden response.  
 
+A client IP address can be different from the IP address WAF observes, for example, when a client accesses WAF via a proxy. You can create IP restriction rules based on either Client IP addresses (RemoteAddr) or Socket IP addresses seen by WAF (SocketAddr). 
+
 ## Configure a WAF policy with the Azure CLI
 
 ### Prerequisites
@@ -63,7 +65,7 @@ az network front-door waf-policy rule create \
   --resource-group <resource-group-name> \
   --policy-name IPAllowPolicyExampleCLI --defer
 ```
-Next, add match condition to the rule:
+Next, add client IP match condition to the rule:
 
 ```azurecli
 az network front-door waf-policy rule match-condition add\
@@ -75,7 +77,17 @@ az network front-door waf-policy rule match-condition add\
   --resource-group <resource-group-name> \
   --policy-name IPAllowPolicyExampleCLI 
   ```
-                                                   
+For Socket IP (SocketAddr) match condition:
+  ```azurecli
+az network front-door waf-policy rule match-condition add\
+--match-variable SocketAddr \
+--operator IPMatch
+--values "ip-address-range-1" "ip-address-range-2"
+--negate true\
+--name IPAllowListRule\
+  --resource-group <resource-group-name> \
+  --policy-name IPAllowPolicyExampleCLI                                                  
+
 ### Find the ID of a WAF policy 
 Find a WAF policy's ID by using the [az network front-door waf-policy show](/cli/azure/ext/front-door/network/front-door/waf-policy?view=azure-cli-latest#ext-front-door-az-network-front-door-waf-policy-show) command. Replace *IPAllowPolicyExampleCLI* in the following example with your unique policy that you created earlier.
 
@@ -137,7 +149,17 @@ $IPMatchCondition = New-AzFrontDoorWafMatchConditionObject `
 -MatchValue "ip-address-range-1", "ip-address-range-2"
 -NegateCondition 1
 ```
-     
+
+For Socket IP (SocketAddr) match condition:   
+```powershell
+$IPMatchCondition = New-AzFrontDoorWafMatchConditionObject `
+-MatchVariable  SocketAddr `
+-OperatorProperty IPMatch `
+-MatchValue "ip-address-range-1", "ip-address-range-2"
+-NegateCondition 1
+```
+
+
 ### Create a custom IP allow rule
 
 Use the [New-AzFrontDoorCustomRuleObject](/powershell/module/Az.FrontDoor/New-azfrontdoorwafcustomruleobject) command to define an action and set a priority. In the following example, requests not from client IPs that match the list will be blocked.
