Permit access only from Azure Front Door to Azure App Service as simply as possible
Published Dec 17 2020 07:52 PM 24K Views

[As of December 18, 2020]

Some customer asked me about the following topic.


"We use App Service for hosting applications and Azure Front Door as global L7 load balancer. We would like to permit access only from Azure Front Door to Azure App Service as simply as possible. Could you please share good solution with us?"


By default, each App Service has a public IP address and is accessible via FQDN from across the globe. If you simply deploy App Service(s) behind Azure Front Door, everyone can access App Service directly without using Azure Front Door. Therefore, we have to configure permit only access from Azure Front Door at App Service. If you were me, what do you think is a good solution?


What is Azure Front Door?

If you are not familiar with Azure Front Door, please read the following document.


What is Azure Front Door?


Access restrictions in App Service

The following document covers the topic I would like to know, but description is so simple that it would be hard to understand how to restrict access.


Access restrictions



I would like to walk through how to configure access restriction from other than Azure Front Door to App Service. If you can access Azure environment, I recommend doing it by yourself. In this article, I use quick start tutorial for Azure Front Door.


Quickstart: Create a Front Door for a highly available global web application


Note that ...

  • We can choose several options to configure Azure Front Door - Azure Portal, CLI, PowerShell, and ARM template. In this article, I use Azure Portal to configure access restriction.
  • Even if we don't create two App Service instances, we can test access restriction. You may follow the quick start tutorial dutifully, of course.:smile:


Create App Service instance

Following the tutorial, we can create simple App Service instances for backend service. Nothing special configuration is required. At this point, you should be able to access the instances via FQDN.

App Service 1.png



Configure Front Front Door

Following the tutorial, you can configure Azure Front Door. Note that we have to specify "App Service" when choosing "Backend host type".

FrontDoor 1.png

After specifying backend host type, we should see the following image.

FrontDoor 2.png

When all configuration is ready, click "Create" and wait a minute. When Azure Front Door is ready, we can test if access via Azure Front Door is available.

FrontDoor 3.png


At this point, we can still access App Service instances directly via FQDN since we have not configured access restrictions yet.


Configure access restriction for App Service instances

We open App Service instances created in the previous step in Azure Portal. And, we select "Settings" > "Networking" > "Access Restrictions" > "Configure Access Restrictions".

App Service 2.png


Clicking "Add rule", some screen appears from righthand where we create access restriction rule. 

We can specify some attributes as we like , e.g. name, priority, and description. And then, this the most important thing in this article! We have to choose "Service Tag (preview)" among several options of "type". When choosing "Service Tag (preview)", we can choose a service tag among options. In this case, we have to pick up "AzureFrontDoor.Backend" among them, and click "Add rule". 

If you create two App Service instances, you have to repeat to do these steps to the other instance.

App Service 4.png

That's it. It's simple, isn't it?


Give it a try!

First of all, we test access via Azure Front Door. This access is permitted and we can see the following image.

FrontDoor 4.png


How about direct access to App Service? This access is restricted and HTTP 403 returns. 

App Service 5.png



In this article, I describe a simple way of access restrictions when using Azure Front Door and App Service. If you would like to lock down the access to backend from only specified Azure Front Door, you have to follow the following passages to lock down.

How do I lock down the access to my backend to only Azure Front Door?

Restrict access to a specific Azure Front Door instance


As both documents above say, we can use Front Door ID to restrict access from the only specified Front Door instance. If the ID is set to “HTTP headers filter setting”, any requests containing other Front Door IDs than the specified ID are blocked.

Version history
Last update:
‎Jul 26 2021 06:44 PM
Updated by: