question

HapaHacks asked kapilananth-MSFT answered

How can Azure Front Door health probe authenticate against a secure endpoint?

I currently have an ASP.NET Core endpoint that verifies the health of my app but requires an API key. I would like to configure the AFD health probe to use this endpoint but because the endpoint requires authentication, the probe seems to not be working as intended and our origin health is determined to be 0%. Would it be a good practice to send an API key with the health probe requests or should I use a different authentication scheme for my endpoint?

dotnet-aspnet-core-webapi, azure-front-door

Hi @HapaHacks,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand more about using authentication methods with Azure Front Door.

We can configure the protocol for Health probes.
So, configuring this as HTTPS would prevent the key from being exposed to internet or any third parties.

Or, you can have two API keys in your application, one for actual traffic and one for only health monitoring.
This way, even if the API key used for health probe monitoring gets exposed, there should not be any issues to the actual application.

However, AFD does not provide a mechanism to add any authentication methods for Health probes.
I believe you are planning on adding the API Key as parameters to the URL/Path. Correct me if I am wrong.

  • May I know if you got a chance to add the API Keys to the health probe URL?

  • Was the endpoint up after using the API key?

P.S.: You can also configure the endpoint to respond to AFD health probe IP addresses without the need for an API key, but require API from the general internet (other IPs).



https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-


Cheers,
Kapil.



Hi Kapil. It seems like our approach to use API keys with front door health probe will not work because I tried adding a parameter to the AFD Health probe path inside of the Azure Portal but I get a validation error. See the image I attached.

Ideally I wanted my healthcheck endpoint to be secure and require some sort of authentication. However, it seems like the AFD health probe has no way of authenticating, so the only path forward I see is removing the required authentication middleware on my endpoint. I am a bit disappointed because the docs say that securing your monitoring endpoints is a best practice (see health-endpoint-monitoring). Can you think of any solutions or workarounds that would let me use Front Door and a secure healthcheck endpoint?


Hi @HapaHacks,

Thanks for your detailed explanation.

The document you have shared refers to a general cloud design pattern.

For an AFD health probe, please refer to: AFD Health probes
AFD health probes do not have any authentication method.

Unfortunately, I am not aware of any workaround for request authentication.

However, you can secure your monitoring endpoint by using network rules in your application.
- Health probes only originate from a set of IP addresses from Azure.
- They are listed under the AzureFrontDoor.Frontend service tag.
- Refer to: How do I lock down the access to my backend to only Azure Front Door?



  • The challenge here is that these IPs may change, and you will be required to manually update the IPs from the tag in your application


Service Tags:

Please let us know if you require additional information on this.


Cheers,
Kapil



1 Answer

kapilananth-MSFT answered

Hi @HapaHacks,


Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand more about using authentication methods with Azure Front Door.


For an AFD health probe, please refer to: AFD Health probes
AFD health probes do not have any authentication method.


Unfortunately, I am not aware of any workaround for request authentication.


However, you can secure your monitoring endpoint by using network rules in your application.
- Health probes only originate from a set of IP addresses from Azure.
- They are listed under the AzureFrontDoor.Frontend service tag.
- Refer to: How do I lock down the access to my backend to only Azure Front Door?


The challenge here is that these IPs may change, and you will be required to manually update the IPs from the tag in your application


Service Tags:

Please let us know if you require additional information on this.


Cheers,
Kapil


Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
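
The network-rule approach from the answer, and the P.S. in the first reply (no API key for probe source addresses, API key for everyone else), as an added ASP.NET Core example that is not code from this thread or from Microsoft. Assumptions: .NET 8 or later, `Connection.RemoteIpAddress` is the real caller (no other proxy in front of the app), and the `/health` path, `X-Api-Key` header, `HealthProbe:*` setting names and CIDR ranges are hypothetical or constructed.

```csharp
// Added example, not code from this thread. Requires .NET 8+ (System.Net.IPNetwork).
using System.Net;
using System.Security.Cryptography;
using System.Text;

var app = WebApplication.CreateBuilder(args).Build();

// Hypothetical settings. The CIDR ranges are constructed documentation ranges;
// replace them with the prefixes published for the service tag you allow.
string[] cidrs = app.Configuration.GetSection("HealthProbe:AllowedCidrs").Get<string[]>()
                 ?? new[] { "192.0.2.0/24", "2001:db8::/32" };
System.Net.IPNetwork[] allowed = cidrs.Select(c => System.Net.IPNetwork.Parse(c)).ToArray();
string? apiKey = app.Configuration["HealthProbe:ApiKey"];

// Hypothetical path and header name.
app.MapGet("/health", (HttpContext ctx) =>
{
    bool probeRange = InRanges(ctx.Connection.RemoteIpAddress, allowed);
    bool validKey = KeyMatches(ctx.Request.Headers["X-Api-Key"].ToString(), apiKey);

    // Callers inside the allow-list skip the key; everyone else must present it.
    return probeRange || validKey
        ? Results.Ok(new { status = "Healthy" })
        : Results.Unauthorized();
});

app.Run();

static bool InRanges(IPAddress? ip, System.Net.IPNetwork[] ranges)
{
    if (ip is null) return false;
    // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; normalise first.
    if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
    foreach (var range in ranges)
        if (range.Contains(ip)) return true;
    return false;
}

static bool KeyMatches(string supplied, string? expected)
{
    // An unset key never matches, so a missing setting fails closed.
    if (string.IsNullOrEmpty(expected) || supplied.Length == 0) return false;
    return CryptographicOperations.FixedTimeEquals(
        Encoding.UTF8.GetBytes(supplied), Encoding.UTF8.GetBytes(expected));
}
```

Because the ranges come from configuration, refreshing them when the service tag changes is a settings update rather than a code change.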










