Share via

Direct outbound webapp traffic through Azure Front Door w/o a vNet.

Matthew Barrett 116 Reputation points
2023-11-15T16:27:46.49+00:00

I have a standalone webapp behind an Azure Front Door (AFD). The web app can bypass the AFD and connect with Internet services. I want to force all outbound traffic through the AFD instead.

This is a simple setup and I do not want to add a virtual network and a bunch of other services to perform one simple task.

Is there a simple way to create a default gateway for the webapp?

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
634 questions
Azure Static Web Apps
Azure Static Web Apps
An Azure service that provides streamlined full-stack web app development.
851 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee
    2023-11-15T17:15:28.37+00:00

    @Matthew Barrett

    Thank you for reaching out.

    I understand you wish restrict the access of your web-app to Azure Front Door and send all the outbound traffic using Azure Front Door.

    I think you can achieve this using Front Door identifier and App Service access restrictions.

    Azure generates a unique identifier for each Front Door profile. You can find the identifier in the Azure portal, by looking for the Front Door ID value in the Overview page of your profile.

    When Front Door makes a request to your origin, it adds the X-Azure-FDID request header. Your origin should inspect the header on incoming requests, and reject requests where the value doesn't match your Front Door profile's identifier.

    In you web app you can set access restriction in the following manner using AzureFrontDoor.Backend service tag and X-Azure-FDID so that the web can be accessed only using your Azure Front Door profile as shown below.

    User's image

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. Dan Rios 1,815 Reputation points MVP
    2023-11-15T17:22:48.13+00:00

    Hi Matthew,

    If you go into your Web app > networking > access restrictions > add an 'allow' rule, selecting service tag as the type, with a service tag for Azure Front Door. In the X-Azure-FDID you can then specify your Front Door instance so it is locked down to your instance only. See here: https://learn.microsoft.com/en-gb/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance

    Screenshot of the 'Access Restrictions' page in the Azure portal, showing how to add Azure Front Door restriction.

    Then make sure you set the unmatched rule option to 'deny' ion your main site access restrictions, so you can no longer browse directly to the web app. Instead this will allow only your front door traffic to the web app.

    If this helped you please mark the answer as accepted!

  3. Matthew Barrett 116 Reputation points
    2023-11-15T22:53:00.0766667+00:00

    I was hoping to be able to minimize the setup and costs by having the webapp on its own. However, it does not appear possible to direct the outbound traffic without the use of a vNetwork, Security Groups, & a Default Gateway setting.

    Thank you everyone for your input.

    0 comments