How do I lock down the access to my backend to only specified instance(s) of Azure Front Door ?

Chittybabu V 21 Reputation points
2022-05-26T06:50:16.627+00:00

We have configured a basic On-Premise Web service under FrontDoor and want to whitelist only the FrontDoor traffic in the firewall.

Noticed that Microsoft has given a list of IP ranges for FrontDoor to restrict and also mentioned that "Front Door's backend IP space may change later, however, we will ensure that before that happens, that we would have integrated with Azure IP Ranges and Service Tags. We recommend that you subscribe to Azure IP Ranges and Service Tags for any changes or updates".

https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519

Our Network team doesn't want to go with a list of dynamic MS IP ranges, and also there is no feasibility at this moment for other options like FrontDoor header checking, Web service rule filtering, NSG tag etc.

By going through multiple forums we found that the Anycast IP address range 147.243.0.0/16 is recommended by most of them and is also listed in the Microsoft IP range list. We also did a test by allowing this range and it worked.

Now the question is: are we good to whitelist only this bigger subnet range 147.243.0.0/16, and is it guaranteed that there won't be any issues or change in the future?
We want to be 100% before making this change permanently on the Production environment.

Any thoughts or suggestions please?

Azure Front Door

Accepted answer
GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee
    2022-05-26T12:29:05.503+00:00

    Hello @Chittybabu V ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand you have a basic On-Premise Web service behind Azure Front Door and you would like to whitelist only the Front Door traffic in the firewall but don't want to go with the list of dynamic MS IP ranges which may change later. You also found the Anycast IP address range 147.243.0.0/16 which is working for you but would like to be 100% sure before whitelisting this range on the Production environment.

    You also mentioned that there is no feasibility at this moment for other options like Front Door header checking, Web service rule filtering, NSG tag etc.

    However, to lock down your application to accept traffic only from your specific Front Door, you can use one of the following ways:

    1. You can set up IP ACLs for your backend
    2. Restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door.

    Look for the Front Door ID value under the Overview section from Front Door portal page. You can then filter on the incoming header 'X-Azure-FDID' sent by Front Door to your backend with that value to ensure only your own specific Front Door instance is allowed (because the IP ranges are shared with other Front Door instances of other customers). Apply rule filtering in your backend web server to restrict traffic based on the resulting 'X-Azure-FDID' header value (Examples are provided on how to apply the rule filtering with 'X-Azure-FDID' header value).

    Refer : https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-

    Now, coming back to your question,

    Are we good to whitelist only this bigger subnet range 147.243.0.0/16 and it's guaranteed that there won't be any issues or change in the future?

    I discussed this with the Azure Front Door Product Group team and below is their response:
    There is no 100% guarantee that the IP range will not change in the future. You would run the risk of blocking good traffic if you decide to only whitelist 147.243.0.0/16.

    NOTE : Static IP for Azure Front Door is in the roadmap but is a stretch goal (not in the near future).

    You can also refer to the AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's backend IP address range, or you can use the service tag AzureFrontDoor.Backend in your network security groups.
    Since your Web service is deployed on-premises, you can use the Service Tag Discovery API to programmatically retrieve the current list of service tags together with IP address range details.
    Refer : https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#service-tags-on-premises

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
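The following is an added example, not code from the thread or from Microsoft, showing how a backend (or a small check in front of it) can combine the two controls the answer describes: the source address must fall inside the AzureFrontDoor.Backend ranges taken from the Service Tags JSON, and the X-Azure-FDID header must match the Front Door ID of the one instance you own. Everything in it is constructed: SERVICE_TAGS_JSON only mimics the shape of Azure's Service Tags document (a `values` list whose entries carry `name` and `properties.addressPrefixes`), the prefixes other than 147.243.0.0/16 are RFC documentation ranges, and EXPECTED_FDID is a placeholder; in practice you would feed `load_prefixes` the real document downloaded from the link in the answer or returned by the Service Tag Discovery API, and use your own Front Door ID from the portal Overview page.

```python
"""Added example (not part of the Q&A thread): allow a request only when its
source address is inside the AzureFrontDoor.Backend ranges AND its
X-Azure-FDID header names our own Front Door instance.

Assumptions, all constructed for this example:
- SERVICE_TAGS_JSON mimics the shape of Azure's Service Tags JSON file
  ({"values": [{"name": ..., "properties": {"addressPrefixes": [...]}}]});
  every prefix except 147.243.0.0/16 is a documentation range, not a real one.
- EXPECTED_FDID is a placeholder; a real deployment uses the Front Door ID
  shown on the Front Door Overview page.
"""
import hmac
import ipaddress
import json

SERVICE_TAGS_JSON = json.dumps({
    "values": [
        {"name": "AzureFrontDoor.Backend",
         "properties": {"addressPrefixes": [
             "147.243.0.0/16",       # the range discussed in the thread
             "203.0.113.0/24",       # constructed (RFC 5737 documentation range)
             "2001:db8:fd00::/48",   # constructed (RFC 3849 documentation range)
         ]}},
        {"name": "AzureFrontDoor.Frontend",
         "properties": {"addressPrefixes": ["198.51.100.0/24"]}},  # constructed
    ]
})

EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"  # placeholder Front Door ID


def load_prefixes(service_tags_json: str, tag_name: str = "AzureFrontDoor.Backend"):
    """Parse a Service Tags document and return the networks listed for one tag.

    Re-running this against a freshly downloaded document is what keeps the
    allow-list current; hard-coding a single /16 is exactly what the answer
    warns against.
    """
    doc = json.loads(service_tags_json)
    for entry in doc["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name!r} not present in document")


def source_in_ranges(src_ip: str, prefixes) -> bool:
    """True if src_ip (v4 or v6) falls inside any of the given networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def check_request(src_ip: str, headers: dict, prefixes, expected_fdid: str = EXPECTED_FDID):
    """Return (allowed, reason) for one inbound request.

    The address check keeps out traffic that never came through Front Door;
    the header check keeps out traffic that came through *someone else's*
    Front Door, since the backend IP ranges are shared across customers.
    """
    if not source_in_ranges(src_ip, prefixes):
        return False, "source address outside AzureFrontDoor.Backend ranges"
    # HTTP header names are case-insensitive, so normalise before lookup.
    fdid = {k.lower(): v for k, v in headers.items()}.get("x-azure-fdid")
    if fdid is None:
        return False, "X-Azure-FDID header missing"
    if not hmac.compare_digest(fdid, expected_fdid):
        return False, "X-Azure-FDID does not match our Front Door instance"
    return True, "ok"


def demo():
    """Run a few constructed requests through the check and return the verdicts."""
    prefixes = load_prefixes(SERVICE_TAGS_JSON)
    requests = [
        ("147.243.10.5", {"X-Azure-FDID": EXPECTED_FDID}),   # our Front Door
        ("147.243.10.5", {"X-Azure-FDID": "another-customers-front-door"}),
        ("203.0.113.7", {}),                                  # header stripped
        ("192.0.2.1", {"X-Azure-FDID": EXPECTED_FDID}),      # bypasses Front Door
        ("2001:db8:fd00::1", {"x-azure-fdid": EXPECTED_FDID}),
    ]
    return [(ip, *check_request(ip, hdrs, prefixes)) for ip, hdrs in requests]


if __name__ == "__main__":
    for ip, allowed, reason in demo():
        print(f"{ip:<20} {'ALLOW' if allowed else 'DENY ':<6} {reason}")
```

Note that the header check alone is not sufficient either: anyone can send an X-Azure-FDID header, so it only adds value once the address check has established that the request really arrived via Front Door's backend ranges.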

