Hi - Thanks for the question
CORS is about cross origin management (http and requests to different domains)
In this context you can consider a few things
But there are two things you should always ensure.
(1) End to end transport security - each hop is over TLS etc
(2) Strong auth - either cert or OAuth2
Options
(1) Use the outbound IPs of the frontend App and access restrictions on the backend API (this is only necessary when the apps are not on the same plan or where the plans are not showing the same outbound IPs (meaning they're on the same webspace/stamp))
However the problem with this is that you are "allow listing" not only your traffic but also other users of the same webspace/stamp.
One alternative is to host single tenant (App Service Environment v3) but this is expensive
Another is to VNET integrate the web app to a subnet in a VNET and use an AZ NAT Gateway
(but again this adds cost)
(2) VNET Integrate the front end to a VNET subnet (again, this is for outbound calls) and have both API and DB answer on a private endpoint - you would need to disable public access for both - if using Az PaaS this is via the software firewall (Web App = Access restrictions; SQL DB PaaS for example also has a software firewall)
There is a small cost associated with Private endpoints
(3) A variation on the above is to VNET integrate the front end but use "Service Endpoints" on that subnet, locking the public endpoint for both API and DB to the front end's VNET subnet on the public endpoint of each
This avoids the small private endpoint charge, but in theory you still address both the API and DB on a public IP - it's just that they won't accept traffic from anywhere but your front end, as controlled by the software firewall for each
I can provide you with some doc links - so let us know if you have further queries on any of the above by using the comments
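As an added illustration of option (3), not code from the answer above, here is a Bicep template that VNET-integrates the front end, enables service endpoints on its subnet, and points both the API's access restriction and the SQL server's VNET rule at that subnet. The resource names, address ranges and API versions are assumptions, and the App Service plan and SQL logical server are assumed to already exist.

```bicep
// Added example (not the answer's own code): option (3) above in Bicep. All names, ranges and API versions are assumptions.
param planName string = 'plan-example'            // existing App Service plan
param frontendName string = 'web-frontend-example'
param apiName string = 'web-api-example'
param sqlServerName string = 'sql-example'        // existing Azure SQL logical server
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-example'
  location: resourceGroup().location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-frontend'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // service endpoints let the App Service and SQL firewalls identify this subnet; delegation is required for VNET integration
          serviceEndpoints: [ { service: 'Microsoft.Web' }, { service: 'Microsoft.Sql' } ]
          delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
    ]
  }
}
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-frontend')
resource frontend 'Microsoft.Web/sites@2023-01-01' = { // front end: outbound calls leave through the delegated subnet and carry its identity
  name: frontendName
  location: resourceGroup().location
  properties: {
    serverFarmId: resourceId('Microsoft.Web/serverfarms', planName)
    httpsOnly: true
    virtualNetworkSubnetId: subnetId
  }
}
// API: keeps its public endpoint, but the access restriction (with its implicit deny-all) admits only the front end subnet
resource api 'Microsoft.Web/sites@2023-01-01' = {
  name: apiName
  location: resourceGroup().location
  properties: {
    serverFarmId: resourceId('Microsoft.Web/serverfarms', planName)
    httpsOnly: true
    siteConfig: {
      ipSecurityRestrictions: [ { name: 'allow-frontend-subnet', action: 'Allow', priority: 100, vnetSubnetResourceId: subnetId } ]
    }
  }
}
// SQL: the same subnet admitted through a VNET rule; leave "Allow Azure services" off on the server
resource sqlVnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2022-05-01-preview' = {
  name: '${sqlServerName}/allow-frontend-subnet'
  properties: { virtualNetworkSubnetId: subnetId, ignoreMissingVnetServiceEndpoint: false }
}
```

After deployment, a quick check is to call the API from outside the VNET and confirm it returns 403 while the front end's calls still succeed.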