Published in Microsoft Azure

Permit access from Azure Front Door to Azure App Service only as simply as possible

[As of December 18, 2020]

The original post is here.

Japanese edition is here.

A customer asked me about the following topic.

“We use App Service for hosting applications and Azure Front Door as a global L7 load balancer. We would like to permit access only from Azure Front Door to Azure App Service, as simply as possible. Could you please share a good solution with us?”

By default, each App Service has a public IP address and is reachable via its FQDN from anywhere on the internet. If you simply put App Service(s) behind Azure Front Door, anyone can still reach the App Service directly, bypassing Azure Front Door. Therefore, we have to configure App Service to permit access only from Azure Front Door. If you were me, what would you consider a good solution?

What is Azure Front Door?

If you are not familiar with Azure Front Door, please read the following document.

Access restrictions in App Service

The following document covers the topic I am interested in, but its description is so brief that it is hard to understand how to actually restrict access.

Solution

I would like to walk through how to restrict access to App Service from anything other than Azure Front Door. If you have access to an Azure environment, I recommend doing it yourself. In this article, I use the quickstart tutorial for Azure Front Door.

Note that …

  • We can choose several options to configure Azure Front Door and the access restriction: Azure Portal, CLI, PowerShell, and ARM template. In this article, I use the Azure Portal to configure the access restriction.
  • Even without creating two App Service instances, we can test the access restriction; a single instance is enough. Of course, you may follow the quickstart tutorial faithfully. 😀

Create App Service instances

Following the tutorial, we can create simple App Service instances as the backend. No special configuration is required. At this point, you should be able to access the instances directly via their FQDNs.

Configure Azure Front Door

Following the tutorial, you can configure Azure Front Door. Note that we have to specify “App Service” when choosing “Backend host type”.

After specifying backend host type, we should see the following image.

When the configuration is complete, click “Create” and wait for the deployment to finish. When Azure Front Door is ready, we can test whether access via Azure Front Door works.

At this point, we can still access App Service instances directly via FQDN since we have not configured access restrictions yet.

Configure access restriction for App Service instances

Open each App Service instance created in the previous step in the Azure Portal and select “Settings” > “Networking” > “Access Restrictions” > “Configure Access Restrictions”.

Clicking “Add rule” opens a pane on the right-hand side where we create the access restriction rule.

We can set attributes such as name, priority, and description as we like. Now the most important point of this article: among the options for “Type”, choose “Service Tag (preview)”. A list of service tags then appears; pick “AzureFrontDoor.Backend” and click “Add rule”. This service tag covers the backend-facing IP ranges that Azure Front Door uses to reach origins, so once the rule exists, direct traffic from the internet no longer matches any allow rule and is denied.

If you created two App Service instances, repeat these steps for the other instance.

That’s it. It’s simple, isn’t it?

Give it a try!

First of all, we test access via Azure Front Door. This access is permitted and we can see the following image.

What about direct access to App Service? This access is blocked and HTTP 403 is returned.

Conclusion

In this article, I described a simple way to restrict access when using Azure Front Door with App Service.

If you would like to lock the backend down to one specific Azure Front Door instance, follow the documents below.

As both documents say, we can use the Front Door ID to restrict access to a single Front Door instance. Every request that Front Door forwards carries the header X-Azure-FDID with the ID of the instance that forwarded it. If we put our Front Door ID in the “HTTP headers” filter of the access restriction rule, requests carrying any other Front Door ID, or no header at all, are blocked even though they arrive from the AzureFrontDoor.Backend ranges.
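The Portal steps in “Configure access restriction for App Service instances” and the Front Door ID lock-down just described, written as one Bicep template. This is an added example, not code from the original post or from Microsoft’s tutorial. The App Service name, the parameter names and the deployment command are assumptions; the template assumes the App Service already exists in the target resource group and that you read your Front Door ID from the Front Door’s Overview blade. It shows the service-tag-only rule (what the Portal steps produce) next to the hardened rule that adds the X-Azure-FDID header filter, and also applies the rules to the SCM (Kudu) site, which has its own rule set and would otherwise stay open.

```bicep
// Added example, not code from the original post. Names marked "assumed"
// are placeholders for illustration.
targetScope = 'resourceGroup'

@description('Assumed name of an App Service that already exists in this resource group.')
param appServiceName string = 'myapp-fd-demo'

@description('Front Door ID (GUID) of YOUR Front Door instance, shown on its Overview blade.')
param frontDoorId string

@description('false = allow any Front Door instance (service tag only); true = this instance only.')
param lockToThisFrontDoorOnly bool = true

resource app 'Microsoft.Web/sites@2021-02-01' existing = {
  name: appServiceName
}

// What the Portal steps produce: an allow rule on the AzureFrontDoor.Backend
// service tag. This admits the backend-facing IP ranges of Azure Front Door
// as a whole, so a request relayed by someone else's Front Door also passes.
var allowAnyFrontDoor = {
  name: 'Allow Azure Front Door'
  description: 'Traffic that arrived from an Azure Front Door backend IP'
  priority: 100
  action: 'Allow'
  tag: 'ServiceTag'
  ipAddress: 'AzureFrontDoor.Backend'
}

// Hardened form: the same service-tag rule plus an HTTP header filter on
// X-Azure-FDID, which Front Door stamps with its own ID. Requests carrying a
// different ID, or no header, no longer match this rule and fall through
// to the deny rule below.
var allowThisFrontDoor = union(allowAnyFrontDoor, {
  headers: {
    'x-azure-fdid': [
      frontDoorId
    ]
  }
})

resource accessRestrictions 'Microsoft.Web/sites/config@2021-02-01' = {
  parent: app
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      lockToThisFrontDoorOnly ? allowThisFrontDoor : allowAnyFrontDoor
      {
        // Made explicit here; App Service applies an equivalent implicit
        // "Deny all" once at least one allow rule exists.
        name: 'Deny all'
        priority: 2147483647
        action: 'Deny'
        ipAddress: 'Any'
      }
    ]
    // The Kudu/SCM site (*.scm.azurewebsites.net) has a separate rule set;
    // reuse the main-site rules so it is not left reachable from anywhere.
    scmIpSecurityRestrictionsUseMain: true
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters frontDoorId=<your-front-door-id>` (the file name and resource group are assumptions), then confirm the resulting rules with `az webapp config access-restriction show --resource-group <rg> --name <app>`. Redeploying with `lockToThisFrontDoorOnly=false` gives the weaker, service-tag-only configuration for comparison; in that state a request through any Front Door instance still reaches the app, which is exactly what the header filter closes.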

Akihiro Nishikawa

Cloud Solution Architect @ Microsoft. Passionate about Java (JVM/GraalVM) and open source technologies. All views are my own.