@david.b Thanks for reaching out to us.
If I have understood your question correctly, you are trying to place the App Service behind “Frontdoor” and want to allow access to the App Service only from the configured “Frontdoor”?
• If my understanding is right, then you could achieve this using X-Azure-FDID, which is the AFD ID and is unique for every AFD.
• Look for the Front Door ID value under the Overview section of the Front Door portal page. You can then filter on the incoming header 'X-Azure-FDID' sent by Front Door to your backend with that value to ensure only your own specific Front Door instance is allowed.
• This could be achieved with the “access restriction” option in the App Service.
Access restriction advanced scenarios
The following sections describe some advanced scenarios using access restrictions.
Filter by HTTP header
As part of any rule, you can add additional HTTP header filters. The following HTTP header names are supported:
• X-Forwarded-For
• X-Forwarded-Host
• X-Azure-FDID
• X-FD-HealthProbe
For each header name, you can add up to eight values separated by commas. The HTTP header filters are evaluated after the rule itself, and both conditions must be true for the rule to apply.
Hope this helps. :)
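
Added example, not part of the original answer and not Microsoft's code: a small Python model of the evaluation order quoted above (the rule itself first, then the header filters, both required), showing why a source match alone does not single out your own Front Door instance. The CIDR, the Front Door IDs, the list-order evaluation, the case-insensitive value comparison and the default deny for unmatched traffic are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_HEADER_VALUES = 8  # per header name, the limit quoted in the answer

@dataclass
class Rule:
    name: str
    source: str                                   # CIDR the rule itself matches on
    action: str = "Allow"
    headers: dict = field(default_factory=dict)   # header name -> comma-separated values

    def __post_init__(self):
        self.network = ipaddress.ip_network(self.source)
        self.filters = {}
        for name, raw in self.headers.items():
            values = [v.strip().lower() for v in raw.split(",") if v.strip()]
            if len(values) > MAX_HEADER_VALUES:
                raise ValueError(f"{name}: more than {MAX_HEADER_VALUES} values")
            self.filters[name.lower()] = set(values)

    def applies(self, client_ip, request_headers):
        # Step 1: the rule itself. Step 2: every header filter. Both must be true.
        if ipaddress.ip_address(client_ip) not in self.network:
            return False
        sent = {k.lower(): v.strip().lower() for k, v in request_headers.items()}
        return all(sent.get(n) in allowed for n, allowed in self.filters.items())

def evaluate(rules, client_ip, request_headers):
    """First applicable rule wins; unmatched traffic is denied (assumed default)."""
    for rule in rules:
        if rule.applies(client_ip, request_headers):
            return rule.action
    return "Deny"

# Constructed sample data: placeholder IDs and a documentation-range CIDR
MY_FDID = "00000000-0000-0000-0000-000000000001"
OTHER_FDID = "00000000-0000-0000-0000-000000000002"
RULES = [Rule("allow-my-front-door", "203.0.113.0/24", headers={"X-Azure-FDID": MY_FDID})]

def demo():
    return {
        "own_front_door": evaluate(RULES, "203.0.113.10", {"X-Azure-FDID": MY_FDID}),
        "other_front_door": evaluate(RULES, "203.0.113.11", {"X-Azure-FDID": OTHER_FDID}),
        "header_missing": evaluate(RULES, "203.0.113.12", {}),
        "outside_source_range": evaluate(RULES, "198.51.100.7", {"X-Azure-FDID": MY_FDID}),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Only the first case is allowed: a request from the same source range carrying a different Front Door ID fails the header filter, and a request carrying the right ID from outside the source range fails the rule itself.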