Kenny Kawahara, thank you for reaching out.
I understand that you have Azure Storage static website added as a backend to Azure Front Door Standard and now you wish to restrict the static website to AzureFrontDoor.Backend service tag so that it can be only accessed using Azure Front Door.
I do not think currently it is possible to deploy such configuration.
- As you are using the Standard AFD tier, your storage account must be publicly accessible.
- Currently, IP network rules on a Storage Account do not support service tags, and only IPv4 IP ranges can be added. The AzureFrontDoor.Backend service tag also consists of IPv6 IP addresses.
The recommended solution here will be to upgrade your Azure Front Door to Premium tier and access Azure Storage account by using Private Link. The storage account is configured to deny direct access from the internet, and to only allow requests through the private endpoint connection used by Front Door. This configuration ensures that every request gets processed by Front Door, and avoids exposing the contents of your storage account directly to the internet. You can follow the tutorial here to configure Azure Front Door Premium to a storage static website with Private Link.
As documented here, an alternate solution will be to use a shared access signature to secure requests to the storage account, and either have the client include the signature on all of their requests, or use the Front Door rules engine to attach it from Front Door.
Hope this helps! Please let me know if you have any questions here or need any additional help.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
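
Added example, not part of the original answer: a Python check of the second limitation listed above, splitting a service tag's prefixes into the IPv4 ranges that IPv4-only storage IP rules can hold and the IPv6 ranges they cannot. The JSON is a constructed excerpt that assumes the layout of the downloadable Azure service tags file and uses documentation address ranges; the function names are hypothetical.

```python
import ipaddress
import json

# Constructed excerpt, assumed to match the layout of the Azure service tags JSON.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), not real Front Door addresses.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "values": [
    {"name": "AzureFrontDoor.Backend",
     "properties": {"addressPrefixes": [
        "203.0.113.0/24", "198.51.100.0/25",
        "2001:db8:100::/48", "2001:db8:200::/48"]}},
    {"name": "Storage",
     "properties": {"addressPrefixes": ["192.0.2.0/24"]}}
  ]
}
""")


def split_tag_prefixes(service_tags, tag_name):
    """Return (ipv4, ipv6) prefix lists for one service tag.

    Raises KeyError if the tag is missing and ValueError on a malformed prefix,
    so a truncated or renamed file is never treated as "no ranges".
    """
    for entry in service_tags["values"]:
        if entry["name"] == tag_name:
            nets = [ipaddress.ip_network(p, strict=True)
                    for p in entry["properties"]["addressPrefixes"]]
            ipv4 = sorted(str(n) for n in nets if n.version == 4)
            ipv6 = sorted(str(n) for n in nets if n.version == 6)
            return ipv4, ipv6
    raise KeyError(f"service tag {tag_name!r} not found")


def coverage_report(service_tags, tag_name):
    """Summarise how much of the tag an IPv4-only allow list can express."""
    ipv4, ipv6 = split_tag_prefixes(service_tags, tag_name)
    return {
        "tag": tag_name,
        "expressible_as_ip_rules": ipv4,   # could be entered as IPv4 ranges
        "not_expressible": ipv6,           # left out by an IPv4-only rule set
        "fully_covered": not ipv6,
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_SERVICE_TAGS, "AzureFrontDoor.Backend")
    print(json.dumps(report, indent=2))
```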