0
votes

In essence, only allow requests/responses to/from Azure Front Door.  There are different options, however, I'm having trouble finding details on implementation and best practices. I think the proper solution would be to create a Virtual Network to use to integrate the two services.

One nuance exists, the Web Apps have staging slots that may require a different solution since they use Azure Active Directory to prevent public access to pre-production.

I found a little more insight here, but still found it a bit confusing.

It seems that if I have a custom domain with subdomains with Front Door, there should be an easy way to prevent direct access to the backend addresses of the Web Apps and only allow through the custom DNS and Front Door.

This was helpful, however, I'm still getting 403 from the Front Door, so I must be missing something in how to configure.

Middleware? This also was helpful, but seems to indicate it can only be accomplished by middleware and I'm running Node/Express not .NET Core. Is it true, it can only be accomplished through middleware code?

This also mentions the same details.

What is missing? How to configure this across different application stacks.

2
I tested again this morning and it appears that just the Network Access Restriction blocks for IPv4 and IPv6 are needed? Would be great to confirm. I'd love not to need a middleware solution. - A. Wentzel
I've also requested clarity at github.com/MicrosoftDocs/azure-docs/issues/36141 - A. Wentzel

2 Answers

1
votes

The documentation is inaccurate when it states: "To lock down your application to accept traffic only from your specific Front Door, you will need to set up IP ACLs for your backend and then restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door. These steps are detailed out as below:"

It requires either setting up IP ACLs for your backend or implementing middleware code to conditionally match on your specific header value for 'X-Azure-FDID'. Both may not be required; the documentation is unclear.

Screen shot of IP restrictions that work

1
votes

I think you DO need both IP ACLs and checking the 'X-Azure-FDID' header. (I wish it was not needed...). If you only use IP restriction, your back-end is still open for all Front Doors around the globe, also those of other Azure Customers. And if you use only the check on the 'X-Azure-FDID' header, you are open for attackers trying to guess the header with brute force. Only the combination of IP ACL and checking the header will protect your back-end, because then you can be sure that the 'X-Azure-FDID' header was indeed added by a real Front Door service, and not spoofed.

See also this post, where it's explained clearly.