Permit access only from Azure Front Door to Azure App Service as simply as possible
[As of December 18, 2020]
The original post is here.
Japanese edition is here.
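With the Azure Front Door + App Service combination, I want to allow only access from Azure Front Door to App Service
This entry is based on information as of 2020/12/15. The content may diverge from what is described here as features are added or changed in the future. As the title says, as the backend of Azure Front Door, App…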
A customer asked me about the following topic.
“We use App Service for hosting applications and Azure Front Door as a global L7 load balancer. We would like to permit access only from Azure Front Door to Azure App Service as simply as possible. Could you please share a good solution with us?”
By default, each App Service has a public IP address and is accessible via its FQDN from across the globe. If you simply deploy App Service(s) behind Azure Front Door, everyone can still access App Service directly, bypassing Azure Front Door. Therefore, we have to configure App Service to permit access only from Azure Front Door. If you were me, what would you consider a good solution?
What is Azure Front Door?
If you are not familiar with Azure Front Door, please read the following document.
Azure Front Door
Important This documentation is for Azure Front Door. Looking for information on Azure Front Door Standard/Premium…
Access restrictions in App Service
The following document covers the topic I would like to know about, but the description is so brief that it is hard to understand how to restrict access.
Networking features - Azure App Service
You can deploy applications in Azure App Service in multiple ways. By default, apps hosted in App Service are…
I would like to walk through how to restrict access to App Service from anything other than Azure Front Door. If you have access to an Azure environment, I recommend trying it yourself. In this article, I use the quickstart tutorial for Azure Front Door.
Quickstart: Set up high availability with Azure Front Door Service - Azure portal
Get started with Azure Front Door by using the Azure portal to set up high availability for a web application. In this…
Quickstart: Set up high availability with Azure Front Door - Azure PowerShell
Get started with Azure Front Door by using Azure PowerShell to create a highly available and high-performance global…
Quickstart: Set up high availability with Azure Front Door - Azure CLI
Get started with Azure Front Door by using Azure CLI to create a highly available and high-performance global web…
Quickstart: Create an Azure Front Door Service by using an Azure Resource Manager template (ARM…
This quickstart describes how to use an Azure Resource Manager template (ARM Template) to create a Front Door to set up…
Note that …
- We can choose several options to configure Azure Front Door — Azure Portal, CLI, PowerShell, and ARM template. In this article, I use Azure Portal to configure access restriction.
- Even if we don’t create two App Service instances, we can test access restriction. You may follow the quick start tutorial dutifully, of course. 😀
Create App Service instances
Following the tutorial, we can create simple App Service instances as backends. No special configuration is required. At this point, you should be able to access the instances via FQDN.
Configure Azure Front Door
Following the tutorial, you can configure Azure Front Door. Note that we have to specify “App Service” when choosing “Backend host type”.
After specifying backend host type, we should see the following image.
When all configuration is ready, click “Create” and wait a minute. When Azure Front Door is ready, we can test if access via Azure Front Door is available.
At this point, we can still access App Service instances directly via FQDN since we have not configured access restrictions yet.
Configure access restriction for App Service instances
In Azure Portal, we open the App Service instances created in the previous step and select “Settings” > “Networking” > “Access Restrictions” > “Configure Access Restrictions”.
Clicking “Add rule” opens a pane on the right-hand side where we create the access restriction rule.
We can set attributes such as name, priority, and description as we like. Now comes the most important step in this article: we have to choose “Service Tag (preview)” among the options for “type”. After choosing “Service Tag (preview)”, we can select a service tag from the list. In this case, we have to pick “AzureFrontDoor.Backend” and click “Add rule”.
If you created two App Service instances, you have to repeat these steps for the other instance.
That’s it. It’s simple, isn’t it?
Give it a try!
First of all, we test access via Azure Front Door. This access is permitted and we can see the following image.
How about direct access to App Service? This access is restricted and HTTP 403 is returned.
In this article, I described a simple way to restrict access when using Azure Front Door and App Service.
If you would like to lock down access to the backend so that only a specified Azure Front Door instance can reach it, follow the relevant passages in the documents below.
Azure Front Door - Frequently asked questions
This article answers common questions about Azure Front Door features and functionality. If you don't see the answer to…
Azure App Service access restrictions - Azure App Service
By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to…
As both documents above say, we can use the Front Door ID to restrict access to the specified Front Door instance only. If the ID is set in “HTTP headers filter setting”, any request carrying a Front Door ID other than the specified one is blocked.
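The service tag rule and the Front Door ID header filter described above can be checked together. The following is an added example, not code from the original article or from Microsoft's documentation: a small audit that flags apps still reachable directly and Front Door rules that lack the x-azure-fdid filter. The sample configuration is constructed, its ARM-style property names are an assumption about the exported shape, and the Front Door ID is a placeholder.

```python
import json

FD_TAG = "AzureFrontDoor.Backend"

# Constructed sample shaped like App Service siteConfig (ARM-style property names,
# an assumption); the Front Door ID below is a placeholder, not a real instance.
SAMPLE = json.loads("""
{
  "app-tag-only": {"ipSecurityRestrictions": [
    {"name": "AllowFrontDoor", "priority": 100, "action": "Allow",
     "tag": "ServiceTag", "ipAddress": "AzureFrontDoor.Backend"}]},
  "app-locked": {"ipSecurityRestrictions": [
    {"name": "AllowMyFrontDoor", "priority": 100, "action": "Allow",
     "tag": "ServiceTag", "ipAddress": "AzureFrontDoor.Backend",
     "headers": {"x-azure-fdid": ["00000000-0000-0000-0000-000000000000"]}}]},
  "app-open": {"ipSecurityRestrictions": []}
}
""")

def audit(site_config):
    """Return a list of findings for one app's access restriction rules."""
    rules = site_config.get("ipSecurityRestrictions") or []
    if not rules:
        return ["no rules: app is reachable directly via its FQDN"]
    findings = []
    fd_rules = [r for r in rules if r.get("action") == "Allow"
                and r.get("tag") == "ServiceTag" and r.get("ipAddress") == FD_TAG]
    if not fd_rules:
        findings.append("no Allow rule for " + FD_TAG)
    for r in fd_rules:
        # Header names are case-insensitive, so normalise before looking up.
        headers = {k.lower(): v for k, v in (r.get("headers") or {}).items()}
        if not headers.get("x-azure-fdid"):
            findings.append(f"rule '{r['name']}' admits any Front Door instance (no x-azure-fdid filter)")
    for r in rules:
        # An explicit allow-all rule defeats the Front Door restriction.
        if r.get("action") == "Allow" and r.get("ipAddress") in ("Any", "0.0.0.0/0"):
            findings.append(f"rule '{r['name']}' allows all sources")
    return findings

def audit_all(configs):
    """Audit every app in a {name: siteConfig} mapping."""
    return {app: audit(cfg) for app, cfg in configs.items()}

if __name__ == "__main__":
    for app, findings in audit_all(SAMPLE).items():
        print(app, "->", findings or "OK")
```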