[As of December 18, 2020]
A customer asked me about the following topic.
"We use App Service for hosting applications and Azure Front Door as a global L7 load balancer. We would like to permit access to Azure App Service only from Azure Front Door, as simply as possible. Could you please share a good solution with us?"
By default, each App Service has a public IP address and is accessible via its FQDN from anywhere in the world. If you simply deploy App Service instances behind Azure Front Door, anyone can still reach the App Service directly, bypassing Azure Front Door. Therefore, we have to configure the App Service itself to permit access only from Azure Front Door. If you were in my position, what would you consider a good solution?
If you are not familiar with Azure Front Door, please read the following document.
What is Azure Front Door?
https://docs.microsoft.com/azure/frontdoor/front-door-overview
The following document covers the topic, but its description is so brief that it is hard to understand how to actually restrict access.
Access restrictions
https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions
I would like to walk through how to configure an access restriction on App Service that blocks everything other than Azure Front Door. If you have access to an Azure environment, I recommend trying it yourself. In this article, I use the quickstart tutorial for Azure Front Door.
Quickstart: Create a Front Door for a highly available global web application
https://docs.microsoft.com/azure/frontdoor/quickstart-create-front-door
https://docs.microsoft.com/azure/frontdoor/quickstart-create-front-door-powershell
https://docs.microsoft.com/azure/frontdoor/quickstart-create-front-door-cli
https://docs.microsoft.com/azure/frontdoor/quickstart-create-front-door-template
Note that ...
Following the tutorial, we can create simple App Service instances as the backend service. No special configuration is required. At this point, you should be able to access the instances directly via their FQDNs.
Following the tutorial, you can configure Azure Front Door. Note that we have to specify "App Service" when choosing "Backend host type".
After specifying the backend host type, we should see the following image.
When all the configuration is ready, click "Create" and wait a minute. Once Azure Front Door is ready, we can test whether access via Azure Front Door works.
At this point, we can still access the App Service instances directly via FQDN, since we have not configured access restrictions yet.
We open the App Service instances created in the previous step in the Azure Portal, and select "Settings" > "Networking" > "Access Restrictions" > "Configure Access Restrictions".
Clicking "Add rule" opens a pane on the right-hand side where we create the access restriction rule.
We can specify some attributes as we like, e.g. name, priority, and description. And then comes the most important point in this article! We have to choose "Service Tag (preview)" among the several options for "Type". When "Service Tag (preview)" is chosen, we can pick a service tag from the list. In this case, we have to pick "AzureFrontDoor.Backend" and click "Add rule".
If you created two App Service instances, you have to repeat these steps for the other instance.
That's it. It's simple, isn't it?
First, we test access via Azure Front Door. This access is permitted, and we can see the following image.
How about direct access to App Service? This access is blocked and HTTP 403 is returned, because once an Allow rule exists, any request that matches no rule is implicitly denied.
In this article, I described a simple way to restrict access when using Azure Front Door and App Service. If you would like to lock down access to the backend to only one specific Azure Front Door instance, follow the documents below.
How do I lock down the access to my backend to only Azure Front Door?
https://docs.microsoft.com/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backen...
Restrict access to a specific Azure Front Door instance
https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions#restrict-access-to-a-specif...
As both documents above say, we can use the Front Door ID to restrict access to a single specified Front Door instance. If the ID is set in the "HTTP headers filter setting", any request carrying a Front Door ID other than the specified one is blocked.
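The same configuration as the portal steps above and the Front Door ID lock-down, scripted with the Azure CLI, as an added example that is not part of the original article. It assumes a recent Azure CLI in which `az webapp config access-restriction add` supports `--service-tag` and `--http-header` (the header Front Door sends is `X-Azure-FDID`); the resource group, app names and Front Door ID are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): the CLI equivalent of the portal steps.
# It adds the same Allow rule for the AzureFrontDoor.Backend service tag to each
# App Service in APPS and, when FRONT_DOOR_ID is set, also filters on the
# x-azure-fdid header so only that one Front Door instance is admitted.
# RESOURCE_GROUP, APPS and FRONT_DOOR_ID are placeholders; replace them.

RESOURCE_GROUP="${RESOURCE_GROUP:-myResourceGroup}"      # placeholder
APPS="${APPS:-webapp-contoso-1 webapp-contoso-2}"         # placeholders, space separated
FRONT_DOOR_ID="${FRONT_DOOR_ID:-}"                        # empty = any Front Door backend
DRY_RUN="${DRY_RUN:-1}"                                   # 1 = print commands, 0 = run az

# Reject anything that does not look like a GUID before it lands in a rule.
is_guid() {
  [ "${#1}" -eq 36 ] || return 1
  case "$1" in
    *[!0-9a-fA-F-]*) return 1 ;;
    ????????-????-????-????-????????????) return 0 ;;
    *) return 1 ;;
  esac
}

# Build and (unless DRY_RUN=1) run the az command for one app. Arguments are kept
# as a real argument list rather than eval'd text, so odd app names stay safe.
add_restriction() {
  app="$1"; priority="$2"; fdid="$3"
  set -- az webapp config access-restriction add \
    --resource-group "$RESOURCE_GROUP" --name "$app" \
    --rule-name AllowFrontDoor --action Allow --priority "$priority" \
    --service-tag AzureFrontDoor.Backend
  if [ -n "$fdid" ]; then
    is_guid "$fdid" || { echo "invalid Front Door ID: $fdid" >&2; return 1; }
    set -- "$@" --http-header "x-azure-fdid=$fdid"
  fi
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Repeat for every instance, as the article notes must be done per App Service.
apply_restrictions() {
  for app in $APPS; do
    add_restriction "$app" 100 "$FRONT_DOOR_ID" || return 1
  done
}

apply_restrictions
```

Run with `DRY_RUN=0` once the printed commands look right; each invocation adds one rule, so the implicit deny-all for everything else takes effect on each app.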