
How to restrict Azure Container Apps ingress to Azure Front Door (Standard) only when Front Door IPs are dynamic?

Yash 0 Reputation points
2026-02-20T07:20:00.05+00:00

Hi,

I am using Azure Front Door (Standard) with Azure Container Apps deployed in a VNet-integrated environment.

My goal is to secure the Container App origin so that it accepts traffic ONLY from Azure Front Door and cannot be accessed directly via the public *.azurecontainerapps.io endpoint.

Currently:

  • Container App ingress is external.
  • Traffic is routed through Azure Front Door.
  • I am already validating the X-Azure-FDID header in my backend application to ensure requests originate from my Front Door instance.

However, I also want to restrict network access at the platform level.

The challenge is that Azure Front Door uses dynamic outbound IP addresses, so I am unsure how to safely configure ingress restrictions.

What is Microsoft’s recommended best-practice architecture for securing Azure Container Apps origins behind Azure Front Door (Standard tier) while handling Front Door’s dynamic IP ranges?

Thanks!

Azure Front Door

An Azure service that provides a cloud content delivery network with threat protection.


1 answer

  1. Venkatesan S 4,475 Reputation points Microsoft External Staff Moderator
    2026-02-20T10:16:30.8733333+00:00

    Hi Yash,

    Thanks for reaching out on the Microsoft Q&A forum.

    What is Microsoft’s recommended best-practice architecture for securing Azure Container Apps origins behind Azure Front Door (Standard tier) while handling Front Door’s dynamic IP ranges?

    Azure Front Door Standard tier with VNet-integrated Azure Container Apps requires a multi-layered approach to lock down origins effectively, given the dynamic outbound IPs from Front Door.

    • NSG restrictions via the AzureFrontDoor.Backend service tag on your Container Apps environment's infrastructure subnet, paired with X-Azure-FDID header validation in your app code.
    • This blocks direct public access to the *.azurecontainerapps.io endpoint while allowing Front Door traffic. Keep Container App ingress set to "External" but enforce denial at the network level; no static IP lists are needed, as the service tag dynamically covers Front Door's IPs.

    Step-by-Step Setup

    On the VNet subnet delegated to Microsoft.ContainerApps/infrastructure, add an NSG inbound rule: Source AzureFrontDoor.Backend, ports 80/443, priority 100, action Allow. Follow with a Deny All rule (priority 4000).

    • In your backend code, verify that the X-Azure-FDID header matches your Front Door profile ID (from the portal Overview); reject the request otherwise to stop spoofing.

    Disable insecure traffic in Container Apps ingress settings for added safety.

    For full private access without public exposure, migrate to Front Door Premium using Private Link to a Container Apps service endpoint; this requires manual approval but eliminates NSG reliance.

    Reference:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

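The steps from the answer above, as an added example that is not part of the answer or of any Microsoft-published script: an Azure CLI script that creates the Front Door allow rule and the deny rule on the infrastructure subnet's NSG, disables insecure ingress on the app, and then checks that the origin answers only through Front Door. The resource group, NSG and app names are placeholders; the NSG is assumed to already be associated with the environment's infrastructure subnet. One design choice of this example: the deny rule uses the Internet service tag rather than a literal deny-all at priority 4000, so the default AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) rules stay in effect and platform health probes are not cut off. DRY_RUN=1 (the default) only prints the az commands.

```shell
#!/bin/sh
# Added example (not part of the answer above or of Microsoft's own scripts):
# lock a VNet-integrated Container Apps origin down to Azure Front Door using
# the AzureFrontDoor.Backend service tag, then verify the lockdown.
#
# Assumptions (all placeholders, replace with your own values):
#   RG   - resource group holding the NSG and the container app
#   NSG  - network security group already associated with the environment's
#          infrastructure subnet
#   APP  - the container app whose ingress is External
# DRY_RUN=1 (default) prints each az command; DRY_RUN=0 executes it.
set -u

RG="${RG:-rg-aca-demo}"
NSG="${NSG:-nsg-aca-infra}"
APP="${APP:-my-container-app}"
DRY_RUN="${DRY_RUN:-1}"

# Print the fully formed command, and execute it only when DRY_RUN=0.
run() {
  printf '%s ' "$@"
  printf '\n'
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
  fi
}

# nsg_rule NAME PRIORITY ACCESS PROTOCOL SOURCE_PREFIX "DEST_PORTS"
# Creates one inbound rule on $NSG. DEST_PORTS is a space-separated list and
# is deliberately left unquoted so that "80 443" becomes two arguments;
# globbing is switched off meanwhile so a '*' port range is passed literally.
nsg_rule() {
  set -f
  run az network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" --direction Inbound \
    --access "$3" --protocol "$4" \
    --source-address-prefixes "$5" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges $6
  rc=$?
  set +f
  return $rc
}

# Step 1a: allow only Front Door's egress ranges. The service tag is resolved
# by the platform, so no static IP list has to be maintained.
allow_front_door() {
  nsg_rule AllowFrontDoorBackendInbound 100 Allow Tcp AzureFrontDoor.Backend "80 443"
}

# Step 1b: deny everything else arriving from the public internet. Using the
# Internet service tag instead of '*' is a design choice of this example: the
# default AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001)
# rules stay effective, so platform health probes keep working.
deny_direct_internet() {
  nsg_rule DenyInternetInbound 4000 Deny '*' Internet '*'
}

# Step 3: refuse plain HTTP at the ingress so only TLS reaches the app.
disable_insecure_ingress() {
  run az containerapp ingress update \
    --name "$APP" --resource-group "$RG" --allow-insecure false
}

# Check: the origin FQDN must be unreachable directly (the NSG drops the
# packets, so curl times out) while the same app answers through the Front
# Door endpoint. This is the network layer only; the X-Azure-FDID check
# still belongs in the application code.
verify_origin_locked() {
  origin_fqdn="$1"      # e.g. myapp.<env>.<region>.azurecontainerapps.io
  frontdoor_fqdn="$2"   # e.g. myendpoint-xxxx.z01.azurefd.net
  if curl -sS -o /dev/null --max-time 10 "https://$origin_fqdn/"; then
    echo "FAIL: $origin_fqdn is still reachable directly"
    return 1
  fi
  if curl -fsS -o /dev/null --max-time 20 "https://$frontdoor_fqdn/"; then
    echo "OK: origin answers only via Front Door"
    return 0
  fi
  echo "FAIL: $frontdoor_fqdn did not return a success status"
  return 1
}

case "${1:-}" in
  plan)   allow_front_door; deny_direct_internet; disable_insecure_ingress ;;
  apply)  DRY_RUN=0; allow_front_door; deny_direct_internet; disable_insecure_ingress ;;
  verify) verify_origin_locked "$2" "$3" ;;
esac
```

Run `sh lockdown.sh plan` to review the exact az commands, `sh lockdown.sh apply` to create the rules and update the ingress, and `sh lockdown.sh verify <origin-fqdn> <frontdoor-fqdn>` afterwards. Note that the NSG rules are evaluated before the Container Apps ingress sees the request, so a direct hit on the *.azurecontainerapps.io name should time out rather than return an HTTP error.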
