
Azure Function App (Consumption) behind Azure Front Door returns 403 IP Forbidden for CORS preflight (OPTIONS) despite Front Door service tag access rules

Amoghavarsh Patil 0 Reputation points
2026-01-01T09:03:42.99+00:00

I am hosting an Azure Function App (HTTP trigger) behind Azure Front Door (Standard). The Function App is secured using Access Restrictions, allowing traffic only from Azure Front Door and denying all other traffic.

However, CORS preflight (OPTIONS) requests consistently fail with 403 IP Forbidden, even though the request is routed via Azure Front Door and correct service tag rules are configured.

This happens both:

  • When calling from a browser frontend

Function App Access Restrictions:

  • Allow → AzureFrontDoor.Backend
  • Allow → AzureFrontDoor.Frontend
  • Deny → All

CORS configured in Function App:

  • Allowed origins include frontend domain
Azure Functions

An Azure service that provides an event-driven serverless compute platform.


2 answers

  1. Siddhesh Desai 6,545 Reputation points Microsoft External Staff Moderator
    2026-01-01T10:27:57.3033333+00:00

    Hi @Amoghavarsh Patil

    Thank you for reaching out to Microsoft Q&A.

    In order to resolve this:

    1. Keep one allow rule for the origin
      • Allow: AzureFrontDoor.Backend (for the site; add scm only if you truly need to reach Kudu via AFD).
      • Bind to your specific Front Door: add HTTP header match x-azure-fdid = <your-Front-Door-ID>.
      • Remove AzureFrontDoor.Frontend on the origin (not needed for origin access).
      • Deny → All at the end.
    2. Order matters
      • Ensure the allow rule (with AzureFrontDoor.Backend + x-azure-fdid) has a lower priority number (higher precedence) than any deny (i.e., it is evaluated first).
    3. Confirm CORS
      • In the Function App CORS settings, list your exact frontend origin(s).
      • Avoid * when credentials are involved.
      • After changing CORS behavior, purge Front Door cache to prevent stale headers from being served.
    4. Function App → Networking → Access restrictions → Add rule
      • Action: Allow
      • Priority: e.g., 200
      • Type: Service Tag → AzureFrontDoor.Backend
      • HTTP header: x-azure-fdid = <your-FDID> (Front Door profile → Overview → Front Door ID)
      • Ensure final rule is Deny All.
      • Function App → CORS: add https://<your-frontend-domain>; save.
      • Front Door → Purge endpoint cache.
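
The access-restriction checklist in the answer above can be checked mechanically against an exported rule set. The following is an added example, not code from the thread or from Microsoft: it assumes the rules are exported in the shape of the ARM siteConfig `ipSecurityRestrictions` array, that a deny-all rule appears with `ipAddress` set to `Any` or `0.0.0.0/0`, and it uses a placeholder Front Door ID and constructed sample rules.

```python
import json

FDID = "00000000-0000-0000-0000-000000000000"  # placeholder Front Door ID
DENY_ALL = {"Any", "0.0.0.0/0"}  # assumed ways a deny-all rule is expressed

# Constructed sample shaped like the ARM siteConfig "ipSecurityRestrictions" array.
SAMPLE = json.loads("""[
  {"name": "deny-all", "action": "Deny", "priority": 100, "ipAddress": "Any"},
  {"name": "afd-backend", "action": "Allow", "priority": 200,
   "tag": "ServiceTag", "ipAddress": "AzureFrontDoor.Backend"},
  {"name": "afd-frontend", "action": "Allow", "priority": 300,
   "tag": "ServiceTag", "ipAddress": "AzureFrontDoor.Frontend"}
]""")

def is_tag(rule, tag):
    return rule.get("tag") == "ServiceTag" and rule.get("ipAddress") == tag

def fdid_values(rule):
    """Lower-cased x-azure-fdid values on a rule (header names are case-insensitive)."""
    return [v.lower() for name, vals in (rule.get("headers") or {}).items()
            if name.lower() == "x-azure-fdid" for v in vals]

def audit(rules, fdid):
    """Return findings for each checklist item the rule set does not meet."""
    findings = []
    backend = [r for r in rules
               if r.get("action") == "Allow" and is_tag(r, "AzureFrontDoor.Backend")]
    if not backend:
        findings.append("no Allow rule for AzureFrontDoor.Backend")
    for r in backend:
        if fdid.lower() not in fdid_values(r):
            findings.append(f"{r['name']}: not bound to x-azure-fdid={fdid}")
    for r in rules:
        if is_tag(r, "AzureFrontDoor.Frontend"):
            findings.append(f"{r['name']}: AzureFrontDoor.Frontend is not needed on the origin")
    denies = [r for r in rules
              if r.get("action") == "Deny" and r.get("ipAddress") in DENY_ALL]
    if not denies:
        findings.append("no Deny All rule")
    for d in denies:
        for r in backend:
            if d["priority"] <= r["priority"]:
                findings.append(f"{d['name']} (priority {d['priority']}) is not "
                                f"evaluated after {r['name']} (priority {r['priority']})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, FDID):
        print("FINDING:", finding)
```

An empty result means the rule set matches the checklist; it does not by itself confirm that preflight requests succeed.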

  2. Q&A Assist
    2026-01-01T09:03:53.68+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It seems like you are experiencing issues with CORS preflight requests being blocked by your Azure Function App's access restrictions. Here are a few things to consider:

    1. CORS Configuration: Ensure that your CORS settings in the Azure Function App are correctly configured to allow OPTIONS requests from the Azure Front Door. The allowed origins should include the domain from which the requests are originating.
    2. Access Restrictions: Since you have configured access restrictions to allow traffic only from Azure Front Door, make sure that the Front Door service tag is correctly set up. You have mentioned allowing both AzureFrontDoor.Backend and AzureFrontDoor.Frontend, which is good. However, verify that these rules are correctly applied and that there are no conflicting rules that might deny the OPTIONS requests.
    3. HTTP Header Inspection: Azure Front Door adds certain headers to the requests it forwards. Ensure that your Function App is set to accept these headers and that they are not causing the requests to be blocked.
    4. Testing with Tools: You can use tools like Postman or curl to simulate the OPTIONS request and see the headers being sent. This can help you diagnose whether the requests are being modified or blocked at any point.
    5. Logs and Monitoring: Check the logs for your Azure Function App to see if there are any specific error messages related to the blocked requests. This can provide more insight into why the 403 Forbidden error is occurring.

    By reviewing these aspects, you should be able to pinpoint the cause of the 403 IP Forbidden error for your CORS preflight requests.

