Azure app service should allow only from Azure front door

Anshul Jain 1 Reputation point
2020-04-11T08:01:27.513+00:00

How to restrict the access of Azure app service from public users. I don't want to use any VNET peering and all it cost me a lot .. i want simple and using PAAS service.

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
614 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,179 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. AndyB-UK 106 Reputation points
    2020-04-11T08:53:08.73+00:00

    Hi

    You can use the Access Restrictions under the networking blade of your app service. You can add the IP addresses for Front Door in there and you do not need to use any Vnets etc.

    the list of AFD IP Addresses are in the following ranges:-

    IPv4 - 147.243.0.0/16

    IPv6 - 2a01:111:2050::/44

    0 comments No comments

  2. SnehaAgrawal-MSFT 19,511 Reputation points
    2020-04-14T07:48:14.35+00:00

    @Anshul Jain To elaborate on above said Access restrictions enables you to define a priority ordered allow/deny list that controls network access to your app and the list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.

    You may refer to this doc might be helpful: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#managing-access-restriction-rules


  3. Ron T 11 Reputation points
    2020-11-23T19:17:18.3+00:00

    Right now the best solution I have came up with, if you are using it via the web.config/.htaccess.

    sample from a web.config. The below would redirect them to the correct site. So if you had site abc.com this would redirect them to that.
    (If looks like even Azure is recommending this
    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door
    )
    <system.webServer>
    <rewrite xdt:Transform="Insert">
    <rules>
    <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
    <add input="{HTTP_X_Azure_FDID}" pattern="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" negate="true" ignoreCase="true" />
    </conditions>
    <action type="Redirect" url="https://abc.com" />
    </rule>
    </rules>
    </rewrite>
    </system.webServer>

    htaccess (not tested but should be close) - from https://stackoverflow.com/questions/50865917/use-htaccess-to-only-allow-requests-if-a-header-with-a-specific-value-is-presen

    RewriteCond %{HTTP:X-Azure-FDID} !^xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx$ [NC]
    RewriteRule ^ - [F,L]

    0 comments No comments

  4. Leszek Pietrzak 6 Reputation points
    2020-12-17T13:38:15.557+00:00

    Hi,

    I need to restrict access to a URL on API (APP Services) to one external Ip address. App service instance uses VNET.
    How to get real / external IP address in application (Net Core 3.1 in linux docker container) or where to go to set up this "firewall" rule?
    https://myservice.azurewebsites.com/api/restrictedurl/*

    Cheers