Integrate Azure Front Door with Azure API Management

Published Aug 17 2021 12:33 AM
Microsoft

Overview

Azure Front Door is a global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications.

 

Azure Front Door supports dynamic site acceleration (DSA), TLS/SSL offloading and end-to-end TLS, Web Application Firewall, cookie-based session affinity, URL path-based routing, free certificates and multiple domain management, and others. For a full list of supported features, see Overview of Azure Front Door. It provides built-in DDoS protection, application layer security, and caching.

 

This article walks through the detailed steps to set up Azure Front Door in front of Azure API Management (APIM) and the steps to restrict APIM so that it accepts traffic only from Azure Front Door.

 

Availability

Important

Azure Front Door needs a public VIP or a publicly available DNS name to route the traffic to.

 

So, if you want to integrate Azure Front Door directly with APIM, APIM should be deployed on the public internet or in external VNet mode. The APIM instance should be accessible from the external load balancer.

 

Part 1. Create an APIM instance from Azure Portal

Readers of this article should be quite familiar with APIM, so I am not going to write too much in this part. Please refer to this documentation for detailed steps: https://docs.microsoft.com/en-us/azure/api-management/get-started-create-service-instance.

 

The only thing we need to pay attention to is that we should choose None or External for the Virtual Network Type when creating the APIM instance (we can also switch the type later, after creation).

 
 
 


 

Part 2. Create a Front Door from Azure Portal

Here is the official documentation we can follow to create one Azure Front Door: https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door.

 

Step 1. Basics

From the home page or the Azure menu, select Create a resource. Select Networking > See All > Front Door.

In the Basics tab of Create a Front Door page, enter or select the following information, and then select Next: Configuration.


 

Please note that Azure Front Door is a global service and is not tied to any specific Azure region. The only location you need to specify while creating a Front Door is the resource group location, which specifies where the metadata for the resource group will be stored. The Front Door resource itself is created as a global resource, and its configuration is deployed globally to all edge locations.

 

Step 2. Configuration

Configuring Front Door happens in three steps: adding a frontend host, configuring your backends in a backend pool, and finally adding a routing rule that connects your frontend to the backend pool.

 

Frontends/domains:

  1. In Frontends/domains, select + to open Add a frontend host.
  2. For Host name, enter a globally unique hostname. Then select Add.

 

The hostname here is the default hostname you can use to access Azure Front Door after you publish it. You can also configure Session Affinity or associate Web Application Firewall Policy in this part.

 

Backend pools

Backend pools can be composed of Storage, Web App, Kubernetes instances, or any other custom hostname that has public connectivity. Azure Front Door requires that the backends are defined either via a public IP or a publicly resolvable DNS hostname. Members of backend pools can be across zones, regions, or even outside of Azure as long as they have public connectivity.

  1. Still in Create a Front Door, in Backend pools, select + to open Add a backend pool.
  2. For Name, enter APIMBackend, then select Add a backend.
  3. In the Backend host type dropdown, choose API Management. Select the APIM instance in your subscription that you want to expose via AFD.

*Leave all other fields at their defaults.

 

  4. Back on the Backend Pool page, we also need to change the default Health Probes settings. Set the Path to the health probe path of the gateway endpoint, “/status-0123456789abcdef”, and change the Probe method to GET. This URL always returns 200 OK if the APIM service is up and healthy.

 

 

You can also use the custom domain of the APIM instance in the Backend host name field. But please note that if you are going to route traffic using HTTPS via port 443, only certificates from valid Certificate Authorities can be used at the backend with Front Door. Certificates from internal CAs or self-signed certificates aren't allowed. The certificate must have a complete certificate chain with leaf and intermediate certificates, and the root CA must be part of the Microsoft Trusted CA List. Otherwise the HTTPS traffic might fail. Please ensure that you use a valid CA-signed certificate for your custom domain.

 

Routing rules

Next, add a routing rule. A routing rule maps your frontend host to the backend pool. We are going to route all traffic from this specific Front Door host to the APIM instance.

  1. Still in Create a Front Door, in Routing rules, select + to configure a routing rule.
  2. In Add a rule, for Name, enter APIMDirectRule. Accept all the default values, then select Add to add the routing rule.


 

Azure Front Door supports TLS/SSL offload and end-to-end TLS, which re-encrypts the traffic to the backend. Since the connections to APIM happen over its public IP, it is recommended that you configure your Front Door to use HTTPS as the forwarding protocol.

 

Final Step

Finally, select Review + Create, and then Create.

 

Part 3. Test Integration

Once provisioning completes, your requests will automatically be routed to the APIM instance configured in the backend pool. We can use Postman to test the integration.

 

First, test by calling the APIM instance directly. We use the default sample API in APIM (Echo API). We get 200 OK back successfully.

 

Then change the host domain from “momorin.azure-api.net” to “xinmeng.azurefd.net” and test again in Postman. We can see the request is forwarded to APIM, and we get 200 OK back successfully as well.

 

We can observe that in the HTTP response header ‘X-Forwarded-For’, the value after the comma is the IP used by AFD to forward the request to APIM. In APIM, the IP “147.243.0.204” is treated as the client's incoming IP.

 

Part 4. Restrict Incoming Traffic

Next, how can we ensure our APIM instance only accepts requests from Azure Front Door, so that all traffic is protected/filtered by Azure Front Door first?

 

As mentioned in the official document: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-..., to lock down APIM so that it accepts traffic only from a specific Front Door, we need to set up IP ACLs for the APIM instance and then restrict the traffic to the specific value of the 'X-Azure-FDID' header sent by Front Door.

 

Step 1: Restrict Inbound IP

Restrict Inbound IP to accept traffic from Azure Front Door's backend IP address space and Azure's infrastructure services only.

 

External Virtual Network Type APIM

For an APIM instance deployed in external VNet mode, we can simply restrict the incoming IP using an inbound rule in the network security group of your APIM subnet.

  • Allow the service tag AzureFrontDoor.Backend in an inbound rule for port 443.

 

 

None Virtual Network Type APIM

If your APIM service isn’t deployed into a VNet (None for the Virtual Network type), then there is nowhere to put the inbound rule. But you can still leverage the APIM IP restriction policy to achieve this goal. See policy doc here: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#Res...

  • Allow the Azure Front Door backend IPs. Refer to the AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's IPv4 backend IP address range.

 

Please find a sample policy below:

        <ip-filter action="allow">
            <address>168.63.129.16</address>
            <address>169.254.169.254</address>
            <address-range from="13.73.248.17" to="13.73.248.22" />
            <address-range from="147.243.0.1" to="147.243.255.254" />
        </ip-filter>

 

I didn’t list all IP rules in the policy; please supplement as needed. Put the policy in the inbound section of the API policy.

 

When callers access the APIM gateway endpoint from a client IP that is not in the allowed IP list, they will get a 403 Forbidden response back, while requests that go through Front Door will always get 200 OK.

 

 

Step 2: Filter HTTP Request Header

You can also filter incoming requests based on an HTTP request header named 'X-Azure-FDID'. Azure Front Door sends this header to APIM with its unique Front Door ID.

 

You can find the Front Door ID value in the Overview section of the Front Door portal page.

This ensures that only your own specific Front Door instance is allowed by the APIM service, because the IP ranges above are shared with the Front Door instances of other customers.

We can leverage the APIM check-header policy to achieve this. See policy doc here: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#Che...

 

See sample policy below:

        <check-header name="X-Azure-FDID" failed-check-httpcode="403" failed-check-error-message="frontdoorID mismatch" ignore-case="false">
            <value>{Frontdoor ID}</value>
        </check-header>
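
The script below is an added example, not part of the original article: it builds the full ip-filter block that Step 1 leaves for the reader to supplement from the AzureFrontDoor.Backend entry of a service-tag file, appends the Step 2 check-header, and models the two checks so the result can be tested before it is pasted into APIM. The JSON sample, the placeholder Front Door ID and all function names are assumptions made for illustration; each address-range spans the first to the last address of a prefix.

```python
"""Generate the Front Door allow-list policy for APIM and model its decision."""
import ipaddress
import json
from xml.sax.saxutils import escape

# Constructed sample in the layout of the "Azure IP Ranges and Service Tags"
# JSON download (values[].name, values[].properties.addressPrefixes). The
# prefixes are illustrative; generate from the currently published file.
SAMPLE_SERVICE_TAGS = json.dumps({
    "values": [
        {"name": "AzureFrontDoor.Backend",
         "properties": {"addressPrefixes": [
             "147.243.0.0/16", "13.73.248.16/29", "2001:db8:50::/48"]}},
        {"name": "AzureFrontDoor.Frontend",
         "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
    ]
})

# Azure infrastructure addresses that the article's sample policy also allows.
INFRA_ADDRESSES = ("168.63.129.16", "169.254.169.254")

# Placeholder: replace with the Front Door ID shown on the Overview page.
PLACEHOLDER_FDID = "00000000-0000-0000-0000-000000000000"


def backend_ipv4_networks(service_tags_json, tag="AzureFrontDoor.Backend"):
    """Return the sorted IPv4 networks listed under one service tag."""
    doc = json.loads(service_tags_json)
    for entry in doc["values"]:
        if entry["name"] == tag:
            nets = [ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]]
            # The article's policy covers the IPv4 backend range only.
            return sorted(n for n in nets if n.version == 4)
    raise KeyError(f"service tag {tag!r} not found")


def build_inbound_policy(networks, front_door_id):
    """Render the ip-filter and check-header elements for the inbound section."""
    lines = ['<ip-filter action="allow">']
    lines += [f"    <address>{addr}</address>" for addr in INFRA_ADDRESSES]
    lines += [f'    <address-range from="{net[0]}" to="{net[-1]}" />'
              for net in networks]
    lines.append("</ip-filter>")
    lines.append('<check-header name="X-Azure-FDID" failed-check-httpcode="403" '
                 'failed-check-error-message="frontdoorID mismatch" '
                 'ignore-case="false">')
    lines.append(f"    <value>{escape(front_door_id)}</value>")
    lines.append("</check-header>")
    return "\n".join(lines)


def would_be_allowed(client_ip, headers, networks, front_door_id):
    """Model both checks in order; return (allowed, name of the deciding check)."""
    ip = ipaddress.ip_address(client_ip)
    ip_ok = str(ip) in INFRA_ADDRESSES or any(ip in net for net in networks)
    if not ip_ok:
        return False, "ip-filter"
    # Header names are case-insensitive; the value must match exactly
    # because the policy sets ignore-case="false".
    fdid = next((v for k, v in headers.items()
                 if k.lower() == "x-azure-fdid"), None)
    if fdid != front_door_id:
        return False, "check-header"
    return True, "ok"


if __name__ == "__main__":
    nets = backend_ipv4_networks(SAMPLE_SERVICE_TAGS)
    print(build_inbound_policy(nets, PLACEHOLDER_FDID))
    # Constructed requests: own Front Door, another tenant's Front Door
    # (same shared IP range, different ID), and a direct caller.
    cases = [
        ("147.243.0.204", {"X-Azure-FDID": PLACEHOLDER_FDID}),
        ("147.243.0.204", {"X-Azure-FDID": "11111111-1111-1111-1111-111111111111"}),
        ("198.51.100.7", {"X-Azure-FDID": PLACEHOLDER_FDID}),
    ]
    for ip, hdrs in cases:
        print(ip, hdrs["X-Azure-FDID"], would_be_allowed(ip, hdrs, nets, PLACEHOLDER_FDID))
```

The second constructed request is the case Step 2 exists for: it passes the shared IP range and is rejected only by the header check.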

 

Additional

There are some more topics worth checking that are not covered in this article, such as how to set up WAF (Web Application Firewall) in Azure Front Door, how to add a custom domain to Azure Front Door, and load balancing in Azure Front Door.

Some related official documentation on these topics is listed below for your reference:

 

https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-waf
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-routing-methods

 

eader%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20filter%20incoming%20request%20based%20on%20one%20HTTP%20request%20header%20named%20'%3CSTRONG%3EX-Azure-FDID%3C%2FSTRONG%3E'.%20Azure%20Front%20Door%20will%20send%20this%20header%20to%20APIM%20with%20its%20unique%20Front%20Door%20ID.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20find%20the%26nbsp%3BFront%20Door%20ID%26nbsp%3Bvalue%20under%20the%20Overview%20section%20from%20Front%20Door%20portal%20page.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20can%20ensure%20only%20your%20own%20specific%20Front%20Door%20instance%20is%20allowed%20by%20APIM%20service.%20(because%20the%20IP%20ranges%20above%20are%20shared%20with%20other%20Front%20Door%20instances%20of%20other%20customers).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20can%20leverage%20APIM%20check-header%20policy%20to%20achieve%20this.%20See%20policy%20doc%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20sample%20policy%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CCHECK-HEADER%20name%3D%22%26quot%3BX-Azure-FDID%26quot%3B%22%20failed-check-httpcode%3D%22%26quot%3B403%26quot%3B%22%20failed-check-error-message%3D%22%26quot%3BfrontdoorID%22%20mismatch%3D%22%22%3E%3C%2FCHECK-HEADER%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CVALUE%3E%7BFrontdoor%20ID%7D%3C%2FVALUE%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%
20size%3D%226%22%3E%3CSTRONG%3EAdditional%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThere%20are%20still%20some%20more%20topics%20worth%20to%20check%20which%20are%20not%20listed%20in%20this%20article.%20Like%20how%20to%20setup%20WAF%20(Web%20Application%20Firewall)%20in%20Azure%20Front%20Door%2C%20how%20to%20add%20custom%20domain%20to%20Azure%20Front%20Door%2C%20and%20the%20Load%20Balancing%20in%20Azure%20Front%20Door.%3C%2FP%3E%0A%3CP%3EBelow%20listed%20some%20related%20official%20documentations%20for%20above%20topics%20for%20your%20reference%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fafds-overview%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600517778%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DB3dH9K161Qok25VCyggeInPAkwi%252B9LMbi%252Bk%252Fw2YPAUQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fafds-overview%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Ffrontdoor%252Ffront-door-waf%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dt%252FboEjjFJlHJXbg9d8wr7XxzJg5mgLK%252BNdViCwBb3C4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.mi
crosoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-waf%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fwaf-front-door-create-portal%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DgvkHeQOle%252FtX1KWFN7nS6JUvLO%252B7nSI8IOY7KpC8%252FTM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fwaf-front-door-create-portal%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20didn%E2%80%99t%20list%20all%20IP%20rules%20in%20the%20policy%2C%20please%20supplement%20as%20n
eeded.%20Please%20put%20the%20policy%20in%20API%20inbound%20policy%20part.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20callers%20access%20APIM%20gateway%20endpoint%20with%20client%20IP%20which%20is%20not%20in%20the%20allowed%20IP%20list%2C%20they%20will%20get%20403%20forbidden%20response%20back.%20While%20requests%20go%20through%20Front%20Door%20will%20always%20get%20200%20OK.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture14.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303667i846A9B84A3A8B8BB%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture14.png%22%20alt%3D%22Picture14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture15.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303668i30DB4DBDF05DF716%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture15.png%22%20alt%3D%22Picture15.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EStep%202%3A%20Filter%20HTTP%20Request%20Header%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20filter%20incoming%20request%20based%20on%20one%20HTTP%20request%20header%20named%20'%3CSTRONG%3EX-Azure-FDID%3C%2FSTRONG%3E'.%20Azure%20Front%20Door%20will%20send%20this%20header%20to%20APIM%20with%20its%20unique%20Front%20Door%20ID.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20find%20the%26nbsp%3BFront%20Door%20ID%26nbsp%3Bvalue%20under%20the%20Overview%20section%20from%20Front%20Door%20portal%20page.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20can%20ensure%
20only%20your%20own%20specific%20Front%20Door%20instance%20is%20allowed%20by%20APIM%20service.%20(because%20the%20IP%20ranges%20above%20are%20shared%20with%20other%20Front%20Door%20instances%20of%20other%20customers).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20can%20leverage%20APIM%20check-header%20policy%20to%20achieve%20this.%20See%20policy%20doc%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20sample%20policy%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CCHECK-HEADER%20name%3D%22%26quot%3BX-Azure-FDID%26quot%3B%22%20failed-check-httpcode%3D%22%26quot%3B403%26quot%3B%22%20failed-check-error-message%3D%22%26quot%3BfrontdoorID%22%20mismatch%3D%22%22%3E%3C%2FCHECK-HEADER%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CVALUE%3E%7BFrontdoor%20ID%7D%3C%2FVALUE%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%226%22%3E%3CSTRONG%3EAdditional%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThere%20are%20still%20some%20more%20topics%20worth%20to%20check%20which%20are%20not%20listed%20in%20this%20article.%20Like%20how%20to%20setup%20WAF%20(Web%20Application%20Firewall)%20in%20Azure%20Front%20Door%2C%20how%20to%20add%20custom%20domain%20to%20Azure%20Front%20Door%2C%20and%20the%20Load%20Balancing%20in%20Azure%20Front%20Door.%3C%2FP%3E%0A%3CP%3EBelow%20listed%20some%20related%20official%20documentations%20for%20above%20topics%20for%20your%20refere
nce%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fafds-overview%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600517778%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DB3dH9K161Qok25VCyggeInPAkwi%252B9LMbi%252Bk%252Fw2YPAUQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fafds-overview%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Ffrontdoor%252Ffront-door-waf%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dt%252FboEjjFJlHJXbg9d8wr7XxzJg5mgLK%252BNdViCwBb3C4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-waf%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fwaf-front-door-create-portal%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D
%257C1000%26amp%3Bsdata%3DgvkHeQOle%252FtX1KWFN7nS6JUvLO%252B7nSI8IOY7KpC8%252FTM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fwaf-front-door-create-portal%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20didn%E2%80%99t%20list%20all%20IP%20rules%20in%20the%20policy%2C%20please%20supplement%20as%20needed.%20Please%20put%20the%20policy%20in%20API%20inbound%20policy%20part.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20callers%20access%20APIM%20gateway%20endpoint%20with%20client%20IP%20which%20is%20not%20in%20the%20allowed%20IP%20list%2C%20they%20will%20get%20403%20forbidden%20response%20back.%20While%20requests%20go%20through%20Front%20Door%20will%20always%20get%20200%20OK.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture14.png%22%20style%3D%22width%3A%2
0624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303667i846A9B84A3A8B8BB%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture14.png%22%20alt%3D%22Picture14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture15.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303668i30DB4DBDF05DF716%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture15.png%22%20alt%3D%22Picture15.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EStep%202%3A%20Filter%20HTTP%20Request%20Header%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20filter%20incoming%20request%20based%20on%20one%20HTTP%20request%20header%20named%20'%3CSTRONG%3EX-Azure-FDID%3C%2FSTRONG%3E'.%20Azure%20Front%20Door%20will%20send%20this%20header%20to%20APIM%20with%20its%20unique%20Front%20Door%20ID.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20find%20the%26nbsp%3BFront%20Door%20ID%26nbsp%3Bvalue%20under%20the%20Overview%20section%20from%20Front%20Door%20portal%20page.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20can%20ensure%20only%20your%20own%20specific%20Front%20Door%20instance%20is%20allowed%20by%20APIM%20service.%20(because%20the%20IP%20ranges%20above%20are%20shared%20with%20other%20Front%20Door%20instances%20of%20other%20customers).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20can%20leverage%20APIM%20check-header%20policy%20to%20achieve%20this.%20See%20policy%20doc%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%22%20target%3D%22_blank%22%20r
el%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20sample%20policy%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CCHECK-HEADER%20name%3D%22%26quot%3BX-Azure-FDID%26quot%3B%22%20failed-check-httpcode%3D%22%26quot%3B403%26quot%3B%22%20failed-check-error-message%3D%22%26quot%3BfrontdoorID%22%20mismatch%3D%22%22%3E%3C%2FCHECK-HEADER%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CVALUE%3E%7BFrontdoor%20ID%7D%3C%2FVALUE%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%226%22%3E%3CSTRONG%3EAdditional%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThere%20are%20still%20some%20more%20topics%20worth%20to%20check%20which%20are%20not%20listed%20in%20this%20article.%20Like%20how%20to%20setup%20WAF%20(Web%20Application%20Firewall)%20in%20Azure%20Front%20Door%2C%20how%20to%20add%20custom%20domain%20to%20Azure%20Front%20Door%2C%20and%20the%20Load%20Balancing%20in%20Azure%20Front%20Door.%3C%2FP%3E%0A%3CP%3EBelow%20listed%20some%20related%20official%20documentations%20for%20above%20topics%20for%20your%20reference%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fafds-overview%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600517778%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DB3dH9K161Qok2
5VCyggeInPAkwi%252B9LMbi%252Bk%252Fw2YPAUQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fafds-overview%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Ffrontdoor%252Ffront-door-waf%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dt%252FboEjjFJlHJXbg9d8wr7XxzJg5mgLK%252BNdViCwBb3C4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-waf%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fwaf-front-door-create-portal%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DgvkHeQOle%252FtX1KWFN7nS6JUvLO%252B7nSI8IOY7KpC8%252FTM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fwaf-front-door-create-portal%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffr
ontdoor%2Ffront-door-custom-domain%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20didn%E2%80%99t%20list%20all%20IP%20rules%20in%20the%20policy%2C%20please%20supplement%20as%20needed.%20Please%20put%20the%20policy%20in%20API%20inbound%20policy%20part.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20callers%20access%20APIM%20gateway%20endpoint%20with%20client%20IP%20which%20is%20not%20in%20the%20allowed%20IP%20list%2C%20they%20will%20get%20403%20forbidden%20response%20back.%20While%20requests%20go%20through%20Front%20Door%20will%20always%20get%20200%20OK.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture14.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303667i846A9B84A3A8B8BB%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture14.png%22%20alt%3D%22Picture14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture15.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.c
om%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303668i30DB4DBDF05DF716%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture15.png%22%20alt%3D%22Picture15.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EStep%202%3A%20Filter%20HTTP%20Request%20Header%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20filter%20incoming%20request%20based%20on%20one%20HTTP%20request%20header%20named%20'%3CSTRONG%3EX-Azure-FDID%3C%2FSTRONG%3E'.%20Azure%20Front%20Door%20will%20send%20this%20header%20to%20APIM%20with%20its%20unique%20Front%20Door%20ID.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20find%20the%26nbsp%3BFront%20Door%20ID%26nbsp%3Bvalue%20under%20the%20Overview%20section%20from%20Front%20Door%20portal%20page.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20can%20ensure%20only%20your%20own%20specific%20Front%20Door%20instance%20is%20allowed%20by%20APIM%20service.%20(because%20the%20IP%20ranges%20above%20are%20shared%20with%20other%20Front%20Door%20instances%20of%20other%20customers).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20can%20leverage%20APIM%20check-header%20policy%20to%20achieve%20this.%20See%20policy%20doc%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20sample%20policy%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CCHECK-HEADER%20name%3D%22%26quot%3BX-Azure-FDID%26quot%3B%22%20failed-check-httpcode%3D%22%26quot%3B403%26quot%3B%22%20failed-check-error-message%3D%22%26quot%3BfrontdoorID%22%20mismatch%3
D%22%22%3E%3C%2FCHECK-HEADER%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CVALUE%3E%7BFrontdoor%20ID%7D%3C%2FVALUE%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%226%22%3E%3CSTRONG%3EAdditional%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThere%20are%20still%20some%20more%20topics%20worth%20to%20check%20which%20are%20not%20listed%20in%20this%20article.%20Like%20how%20to%20setup%20WAF%20(Web%20Application%20Firewall)%20in%20Azure%20Front%20Door%2C%20how%20to%20add%20custom%20domain%20to%20Azure%20Front%20Door%2C%20and%20the%20Load%20Balancing%20in%20Azure%20Front%20Door.%3C%2FP%3E%0A%3CP%3EBelow%20listed%20some%20related%20official%20documentations%20for%20above%20topics%20for%20your%20reference%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fafds-overview%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600517778%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DB3dH9K161Qok25VCyggeInPAkwi%252B9LMbi%252Bk%252Fw2YPAUQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fafds-overview%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Ffrontdoor%252Ffront-door-waf%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d
3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dt%252FboEjjFJlHJXbg9d8wr7XxzJg5mgLK%252BNdViCwBb3C4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-waf%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fwaf-front-door-create-portal%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DgvkHeQOle%252FtX1KWFN7nS6JUvLO%252B7nSI8IOY7KpC8%252FTM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fwaf-front-door-create-portal%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noref
-configuration-issues%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-using-with-vnet%23-common-network-configuration-issues%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3EDeny%20all%20other%20incoming%20traffic%20to%20the%20subnet.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENone%20Virtual%20Network%20Type%20APIM%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIf%20your%20APIM%20service%20isn%E2%80%99t%20deployed%20into%20Vnet%20(None%20for%20the%20Virtual%20Network%20type)%2C%20then%20there%E2%80%99s%20nowhere%20you%20can%20put%20the%20inbound%20rule%20in.%20But%20you%20can%20still%20leverage%20APIM%20IP%20restriction%20policy%20to%20achieve%20this%20goal.%20See%20policy%20doc%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23RestrictCallerIPs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23RestrictCallerIPs%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAllow%20Azure%20Front%20Door%20Backend%20Ips.%20Refer%26nbsp%3B%3CEM%3EAzureFrontDoor.Backend%3C%2FEM%3E%26nbsp%3Bsection%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D56519%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20IP%20Ranges%20and%20Service%20Tags%3C%2FA%3E%26nbsp%3Bfor%20Front%20Door's%20IPv4%20backend%20IP%20address%20range.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture13.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303666i41E322003AD5E80A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%2
2%20title%3D%22Picture13.png%22%20alt%3D%22Picture13.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAllow%20Azure's%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-network%2Fnetwork-security-groups-overview%23azure-platform-considerations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ebasic%20infrastructure%20services%3C%2FA%3E%26nbsp%3Bthrough%20virtualized%20host%20IP%20addresses%3A%26nbsp%3B168.63.129.16%26nbsp%3Band%26nbsp%3B169.254.169.254.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EPlease%20find%20sample%20policy%20below%3A%20%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CIP-FILTER%20action%3D%22%26quot%3Ballow%26quot%3B%22%3E%3C%2FIP-FILTER%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CADDRESS%3E168.63.129.16%26nbsp%3B%3C%2FADDRESS%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CADDRESS%3E169.254.169.254%3C%2FADDRESS%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%E2%80%A6%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CADDRESS-RANGE%20from%3D%22%26quot%3B13.73.248.17%26quot%3B%22%20to%3D%22%26quot%3B13.73.248.22%26quot%3B%22%3E%3C%2FADDRESS-RANGE%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%E2%80%A6%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CADDRESS-RANGE%20from%3D%22%26quot%3B147.243.0.1%26quot%3B%22%20to%3D%22%26quot%3B147.243.255.254%26quot%3B%22%3E%3C%2FADDRESS-RANGE%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%E2%80%A6%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CP%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20didn%E2%80%99t%20list%20all%20IP%20rules%20in%20the%20policy%2C%20please%20supplement%20as%20needed.%20Please%20put%20the%20policy%20in%20API%20inbound%20policy%20part.%3C%
2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20callers%20access%20APIM%20gateway%20endpoint%20with%20client%20IP%20which%20is%20not%20in%20the%20allowed%20IP%20list%2C%20they%20will%20get%20403%20forbidden%20response%20back.%20While%20requests%20go%20through%20Front%20Door%20will%20always%20get%20200%20OK.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture14.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303667i846A9B84A3A8B8BB%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture14.png%22%20alt%3D%22Picture14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Picture15.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303668i30DB4DBDF05DF716%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture15.png%22%20alt%3D%22Picture15.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EStep%202%3A%20Filter%20HTTP%20Request%20Header%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20filter%20incoming%20request%20based%20on%20one%20HTTP%20request%20header%20named%20'%3CSTRONG%3EX-Azure-FDID%3C%2FSTRONG%3E'.%20Azure%20Front%20Door%20will%20send%20this%20header%20to%20APIM%20with%20its%20unique%20Front%20Door%20ID.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20find%20the%26nbsp%3BFront%20Door%20ID%26nbsp%3Bvalue%20under%20the%20Overview%20section%20from%20Front%20Door%20portal%20page.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20can%20ensure%20only%20your%20own%20specific%20Front%20Door%20instance%20is%20allowed%20by%2
0APIM%20service.%20(because%20the%20IP%20ranges%20above%20are%20shared%20with%20other%20Front%20Door%20instances%20of%20other%20customers).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20can%20leverage%20APIM%20check-header%20policy%20to%20achieve%20this.%20See%20policy%20doc%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-access-restriction-policies%23CheckHTTPHeader%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20sample%20policy%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CCHECK-HEADER%20name%3D%22%26quot%3BX-Azure-FDID%26quot%3B%22%20failed-check-httpcode%3D%22%26quot%3B403%26quot%3B%22%20failed-check-error-message%3D%22%26quot%3BfrontdoorID%22%20mismatch%3D%22%22%3E%3C%2FCHECK-HEADER%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CVALUE%3E%7BFrontdoor%20ID%7D%3C%2FVALUE%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%226%22%3E%3CSTRONG%3EAdditional%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThere%20are%20still%20some%20more%20topics%20worth%20to%20check%20which%20are%20not%20listed%20in%20this%20article.%20Like%20how%20to%20setup%20WAF%20(Web%20Application%20Firewall)%20in%20Azure%20Front%20Door%2C%20how%20to%20add%20custom%20domain%20to%20Azure%20Front%20Door%2C%20and%20the%20Load%20Balancing%20in%20Azure%20Front%20Door.%3C%2FP%3E%0A%3CP%3EBelow%20listed%20some%20related%20official%20documentations%20for%20above%20topics%20for%20your%20reference%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https
%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fafds-overview%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600517778%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DB3dH9K161Qok25VCyggeInPAkwi%252B9LMbi%252Bk%252Fw2YPAUQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fafds-overview%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Ffrontdoor%252Ffront-door-waf%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dt%252FboEjjFJlHJXbg9d8wr7XxzJg5mgLK%252BNdViCwBb3C4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-waf%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fweb-application-firewall%252Fafds%252Fwaf-front-door-create-portal%26amp%3Bdata%3D04%257C01%257Cericchan%2540kbquest.com%257Ce9736742c8c842d282c508d95c8181c4%257C3d42a1ced4c646d3b7794cc894df44b5%257C0%257C0%257C637642533600527772%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DgvkHeQOle%252FtX1KWFN7nS6JUvLO%252B7nSI8IOY7KpC8%252
FTM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fweb-application-firewall%2Fafds%2Fwaf-front-door-create-portal%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-custom-domain%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-lb-with-azure-app-delivery-suite%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-routing-methods%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2654925%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20Front%20Door%20is%20a%20global%2C%20scalable%20entry-point%20that%20uses%20the%20Microsoft%20global%20edge%20network%20to%20create%20fast%2C%20secure%2C%20and%20widely%20scalable%20web%20applications.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20article%20demonstrates%20detailed%20steps%20to%20setup%20Azure%20Front%20Door%20in%20front%20of%20Azure%20API%20Management%20and%20the%20steps%20to%20restrict%20APIM%20accept%20traffic%20only%20from%20Azure%20Front%20Door.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2654925%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20API%20management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Aug 17 2021 07:29 PM
Updated by: