If you are using Power Pages and want to limit traffic to it, you can use IP restrictions without enabling the WAF. However, you can also limit access with the WAF enabled, avoiding unnecessary visits and minimising security risks.
First, enable the Web Application Firewall and the Content Delivery Network, as this is a prerequisite for using the WAF service.

Navigate to the make.powerpages.microsoft.com portal, choose the Power Pages site, and select the Edit button.

On the left-hand side menu, go to Security – Web application firewall.

There are two tabs displayed from left to right: Custom rules and Managed rules.
Custom Rules
With Power Pages, you can set up your own Web Application Firewall (WAF) rules to block, allow, or limit traffic in the way that suits you.
For example, you might restrict access by IP range or block certain query strings. You choose the rules and actions, so your security fits your needs.

The matrix below shows the rules I created for my demo, which allow access to only three IPs while blocking access to the Power Pages site for all others.

| Rule name | Rule type | Match type | Match variable | IP address or range | Traffic settings |
|---|---|---|---|---|---|
| AllowLocation01 | Match | IP address | RemoteAddr | #.##.##.## | Allow |
| AllowLocation02 | Match | IP address | RemoteAddr | ##.##.##.## | Allow |
| AllowLocation03 | Match | IP address | RemoteAddr | ##.##.##.## | Allow |

| Rule name | Rule type | Match type | Match value | Traffic settings |
|---|---|---|---|---|
| BlockAllOtherLocations | Match | Request URI | / | Deny |

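
To check an allow-list like the one in the matrix above before relying on it, the following added example (not part of the original post, and not Microsoft's implementation) models the four rules in Python and reports the decision for a set of probe addresses. The addresses are documentation-range placeholders. Top-to-bottom, first-match evaluation and a "contains" match for the Request URI rule are assumptions.

```python
import ipaddress

# Constructed rule set mirroring the matrix above. The page masks the real
# addresses, so these are documentation-range placeholders (RFC 5737).
# Assumption: rules are evaluated top to bottom and the first match decides.
RULES = [
    {"name": "AllowLocation01", "match": "ip", "value": "192.0.2.10", "action": "Allow"},
    {"name": "AllowLocation02", "match": "ip", "value": "198.51.100.0/28", "action": "Allow"},
    {"name": "AllowLocation03", "match": "ip", "value": "203.0.113.25", "action": "Allow"},
    {"name": "BlockAllOtherLocations", "match": "uri", "value": "/", "action": "Deny"},
]


def rule_matches(rule, remote_addr, request_uri):
    """Return True when a single rule matches the request."""
    if rule["match"] == "ip":
        # strict=False accepts a range written with host bits set.
        network = ipaddress.ip_network(rule["value"], strict=False)
        address = ipaddress.ip_address(remote_addr)
        # An IPv6 client compared with an IPv4 range is simply a non-match.
        return address.version == network.version and address in network
    # Assumption: the Request URI rule matches when the URI contains the value.
    return rule["value"] in request_uri


def evaluate(rules, remote_addr, request_uri):
    """Return (action, rule name) of the first matching rule."""
    for rule in rules:
        if rule_matches(rule, remote_addr, request_uri):
            return rule["action"], rule["name"]
    # No custom rule matched, so nothing in this rule set blocks the request.
    return "Allow", None


def audit(rules, probes):
    """Map each probe address to the decision it would receive for '/'."""
    return {addr: evaluate(rules, addr, "/")[0] for addr in probes}


if __name__ == "__main__":
    probes = ["192.0.2.10", "198.51.100.14", "198.51.100.16", "2001:db8::1"]
    for addr, action in audit(RULES, probes).items():
        print(f"{addr:<16} {action}")
    # With the catch-all first, the allowed locations are locked out too.
    misordered = [RULES[-1]] + RULES[:-1]
    print(evaluate(misordered, "192.0.2.10", "/"))
```

The last call shows why the catch-all Deny rule has to sit after the Allow rules under this evaluation model, and the IPv6 probe shows that a client arriving over a protocol version not covered by an Allow rule falls through to the Deny.
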
WAF Managed Rules
WAF Managed Rules are built on Azure Front Door and automatically block threats such as SQL injection, XSS, and other OWASP Top 10 vulnerabilities before they reach your site. You don’t need to set up anything complicated or have security expertise.
What do I like most about this?
It gives everyone the same strong protection. Enterprise-level security is built into the platform, so you can focus on building rather than worrying.

