IP filtering in IIS running in the Amazon cloud

You can set up highly scalable web services very easily in the Amazon EC2 cloud: just create two new virtual machines, connect them to a load balancer and you’re done! The dark clouds begin to gather over your head when you realize that the carefully configured IP filtering does not work in IIS, and anyone can access your website.

The problem is that IIS running in the virtual machine sees the load balancer as the client, not the original browser. (Obviously, IP filtering would work perfectly against that internal address, but I’m pretty sure that is not what you need.) If you don’t believe me, check your IIS log files.

Thankfully, Amazon load balancers support the Proxy protocol, which forwards the IP address of the real client in the X-Forwarded-For HTTP request header. By default IIS doesn’t log the value of this header, but you can add it to your logs with a few clicks:


The second piece of good news is that you can configure IIS to use the X-Forwarded-For header for IP filtering. In IIS 7 you can do this with the Dynamic IP Restrictions module, and from IIS 8 this functionality is built into the IP Address and Domain Restrictions module. It is not enabled by default, but you can activate it with a single click:



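The same two changes (log the header, and make the IP restriction module evaluate it) scripted with the WebAdministration module, as an added example that is not part of the original post. It assumes a site named 'Default Web Site', a constructed trusted client range 203.0.113.0/24 (RFC 5737 documentation addresses), IIS 8.0 or later for enableProxyMode and IIS 8.5 or later for the customFields log section.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the IIS host behind the load balancer.
Import-Module WebAdministration

$site    = 'Default Web Site'                  # assumption: site to protect
$apphost = 'MACHINE/WEBROOT/APPHOST'
$ipsec   = 'system.webServer/security/ipSecurity'

# Weak state: with enableProxyMode=false the module compares the TCP peer
# address, which behind a load balancer is always the balancer itself, so an
# allow list of browser addresses matches nobody.
$before = Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $ipsec -Name 'enableProxyMode'
"enableProxyMode before: $($before.Value)"

# Corrected state, written as a <location path="Default Web Site"> entry in
# applicationHost.config so the default section lock on ipSecurity does not
# get in the way. Only meaningful when the instance is reachable solely
# through the load balancer, because any client can send its own
# X-Forwarded-For header on a direct connection.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $ipsec -Name 'enableProxyMode' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $ipsec -Name 'allowUnlisted'   -Value $false
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $ipsec -Name '.' `
    -Value @{ ipAddress = '203.0.113.0'; subnetMask = '255.255.255.0'; allowed = $true }   # constructed range

# Log the forwarded address next to c-ip so every W3C log line shows both the
# balancer address and the client the balancer reported.
$logFields = "system.applicationHost/sites/site[@name='$site']/logFile/customFields"
Add-WebConfigurationProperty -PSPath $apphost -Filter $logFields -Name '.' `
    -Value @{ logFieldName = 'X-Forwarded-For'; sourceName = 'X-Forwarded-For'; sourceType = 'RequestHeader' }

# Read back the effective restriction rules for the site.
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$ipsec/add" |
    Select-Object ipAddress, subnetMask, allowed
```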

4 thoughts on “IP filtering in IIS running in the Amazon cloud”

  1. Joel Williams

    This seems to work for HTTP traffic, but doesn’t work with websockets which is a different protocol and doesn’t support X-Forwarded-For. Does this sound correct? When trying to implement an IIS application on AWS ELB, websockets doesn’t work, and we’re going to have to ditch ELB in favor of HAProxy or dumb round-robin DNS.

  2. Lukas Gibb

    Hi György,

    I just came across the ‘Proxy Protocol’ today and have been doing some research on whether it is compatible with IIS or not. So far my google-fu isn’t showing much except for your post, which is very well written and well thought out. In saying that, I believe the post contains some slightly incorrect information.

    Amazon no doubt support the Proxy Protocol and IIS definitely does have some basic support for ‘X-Forwarded-For’. The problem with your article is that I don’t think the ‘X-Forwarded-For’ header has anything to do with the ‘Proxy Protocol’. They are two completely different techniques for getting the Client’s IP to the web server.

    From my understanding, the X-Forwarded-For header was one of the ‘hacks’ that the Proxy Protocol was created to replace. See: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

    The X-Forwarded-For header will only work for HTTP traffic where the Load Balancer can add the header into the requests. Once the requests are encrypted with SSL, this method of passing the client’s IP address cannot be used. You would have to un-encrypt the traffic on the Load Balancer and then pass it to the web server in plain HTTP along with the new header.

    It looks like the settings in IIS that mention ‘Proxy Mode’ are not talking about ‘Proxy Protocol’ but merely tell IIS to read the X-Forwarded-For header when doing logging or IP address restrictions etc.

    “In IIS 8.0, administrators can configure their server to examine the x-forwarded-for HTTP header in addition to the client IP address in order to determine which requests to block. This behavior is called ‘Proxy Mode.’” (Source: http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions#TOC301448453)

    I just thought I’d let you know, and anyone else that finds your post to hopefully save incorrect assumptions being made. I am going to keep digging myself and I REALLY hope that IIS can support the real Proxy Protocol as it seems like it is a very clever way of doing things and will make my life much easier.

    Hopefully Microsoft decide to catch up and support a technology that seems to be several years old now and is supported by most major *nix server applications (nginx, Apache, Postfix etc etc).

    If you disagree with me and/or you have found a way to make IIS work with Proxy Protocol, I’d definitely love to be proven wrong.

    All the best,

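The distinction drawn in the comment above, shown on constructed input as an added example (not code from the commenter, the post author, or any of the products named): the PROXY protocol v1 line is a plain-text preamble the load balancer writes on the TCP connection before any application bytes (following the format in the linked HAProxy specification), while X-Forwarded-For is a header inserted into an HTTP request the balancer can read and modify. The parsers and sample values are hypothetical.

```powershell
# Added example. Parses a PROXY protocol v1 header line (the format described
# in the HAProxy spec linked in the comment) and, separately, an
# X-Forwarded-For header from a plain HTTP request. Inputs are constructed.
function Parse-ProxyV1Header {
    param([string]$Line)   # the first line of the TCP stream, terminated by CRLF
    if (-not $Line.EndsWith("`r`n")) { throw 'PROXY v1 header must end with CRLF' }
    $parts = $Line.Substring(0, $Line.Length - 2) -split ' '
    if ($parts[0] -ne 'PROXY') { throw 'not a PROXY protocol header' }
    # The spec allows "PROXY UNKNOWN" with no addresses when the sender cannot
    # report them; the receiver must fall back to the TCP peer address.
    if ($parts[1] -eq 'UNKNOWN') { return @{ Family = 'UNKNOWN' } }
    if ($parts.Count -ne 6 -or $parts[1] -notin 'TCP4','TCP6') { throw 'malformed PROXY header' }
    # Validate the addresses instead of trusting the text as-is.
    $src = [System.Net.IPAddress]::Parse($parts[2])
    $dst = [System.Net.IPAddress]::Parse($parts[3])
    return @{ Family = $parts[1]; SourceIp = $src.ToString(); DestIp = $dst.ToString()
              SourcePort = [int]$parts[4]; DestPort = [int]$parts[5] }
}

function Get-XForwardedForClient {
    param([string[]]$RequestLines)   # header lines of one decrypted HTTP request
    $hdr = $RequestLines | Where-Object { $_ -like 'X-Forwarded-For:*' } | Select-Object -First 1
    if (-not $hdr) { return $null }
    $value = $hdr.Substring('X-Forwarded-For:'.Length)
    # Each proxy appends its peer; the leftmost entry is the original client
    # only if every hop in the chain is one you trust to have set it honestly.
    return (($value -split ',')[0]).Trim()
}

# Constructed inputs. TLS path: the balancer forwards the encrypted stream
# untouched, so the only place for client information is a preamble ...
$proxyLine   = "PROXY TCP4 198.51.100.7 10.0.0.5 51234 443`r`n"
# ... HTTP path: the balancer sees the request and can add a header to it.
$httpRequest = @('GET / HTTP/1.1', 'Host: www.example.com',
                 'X-Forwarded-For: 198.51.100.7', '')

$p = Parse-ProxyV1Header $proxyLine
"PROXY protocol client : $($p.SourceIp):$($p.SourcePort) -> $($p.DestIp):$($p.DestPort)"
"X-Forwarded-For client: $(Get-XForwardedForClient $httpRequest)"
```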

    1. György Balássy (Post author)

      Hello Lukas,

      I really appreciate your comment with the detailed explanation, and I think you are right. When I wrote this post about 18 months ago, we had the issue I mentioned in the first paragraph, and we could solve it just as I documented here: by enabling proxy protocol in Amazon, and by filtering for the header in IIS. You are right, I shouldn’t have connected those two together.

      Thanks again.

