Share via

Azure Container Apps with External Accessibility level can be restricted access by Azure Front Door?

政雄 木下 25 Reputation points
2024-07-15T14:19:38.03+00:00

We have created an external environment for Azure Container Apps and have allowed one container to have external access in Ingress.

This container can be accessed from any IP on the Internet, so I am thinking of changing it so that it can only be accessed via Azure Front Door.

Azure Front Door Premium has a way to limit access to VNet by creating a Private Link, but the cost is 10 times higher than Standard, so we would like to do this with Standard.

So we are trying to see if we can limit it to Azure Front Door only by changing the NSG in the managed resource (MC_***) that is created when Azure Container Apps is created.

The default NSG allows access to Azure Container Apps for the "Internet" ServiceTag, but by changing this to the "AzureFrontDoor.Backbone" ServiceTag, we believe that access can be limited to access via AzureFrontDoor.

This seems like it would work, but is this a reasonable approach since it would directly change an administrative resource?

Is there any chance that the admin resource could be modified by the Azure platform and break the configuration?

nsg.png

I would like to find the valid way to restrict access only from Azure Front Door (Standard) for external environment for Azure Container Apps.

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
691 questions
Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
442 questions
0 comments
Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2024-07-16T03:21:00.4066667+00:00

    @政雄 木下

    I understand that you have an external environment for Azure Container App i.e. it is accessible using its Public IP address. In this scenario the by changing the NSG to allow traffic from AzureFrontDoor.Backend service tag will work if your app is deployed in consumption only environment. As documented here when using workload profiles, inbound NSG rules only apply for traffic going through your virtual network.IP address filtering alone isn't sufficient to secure traffic to your origin, because other Azure customers use the same IP addresses. You should also configure your origin to ensure that traffic has originated from your Front Door profile.

    Azure generates a unique identifier for each Front Door profile. You can find the identifier in the Azure portal, by looking for the Front Door ID value in the Overview page of your profile.

    When Front Door makes a request to your origin, it adds the X-Azure-FDID request header. Your origin should inspect the header on incoming requests, and reject requests where the value doesn't match your Front Door profile's identifier. More information can be found here

    I would recommend to test this scenario in non-prod environment first as the recommended solution in such scenarios as already highlighted by you is to upgrade AFD to premium SKU and use private link connection to secure the backend.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.