How to lock down access to Azure Web App to only allow Azure front door access

  • Question

  • The document https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq doesn't indicate "where" I go to achieve this.

    I'm not using a VNET.

    I'm assuming "backend" = "app service"

    I don't see anywhere where the steps in the above document can be performed.

    Thursday, August 8, 2019 12:47 PM

Answers

  • I don't have any sample web.config where you can filter traffic based on HTTP request. 

    You can work with the developer of your Application to make use of HTTP request object and allow or deny traffic based on "X-Forwarded-Host". 

    Regards, 

    Msrini

    Wednesday, August 14, 2019 11:11 AM
    Moderator

All replies

  • Hi Albert, 

    Since you are using Web App, you will not be able to use NSG to block/allow IPs of the Front Door. Moreover, there is a list of IPs that Front Door uses to reach resources which you can use to allow and block the rest, but the NSG option is eliminated as it can be assigned only to either a NIC or a subnet. 

    You need to deal with it within the Web App: check each request that has the X-Forwarded-For header set to that of AFD, allow those, and block the rest of the requests.

    Let me know if you have any further questions. 

    Regards, 

    Msrini

    Thursday, August 8, 2019 1:09 PM
    Moderator
  • Yes, but where do I set this ? What resource/page in Azure Portal ?
    Thursday, August 8, 2019 3:36 PM
  • In your Web App (Web.config). There is no feature as such to configure it directly with Web App. You need to write your own logic to accept the traffic based on the X-Forwarded-For headers. 

    Regards, 

    Msrini

    Thursday, August 8, 2019 4:54 PM
    Moderator
  • Would you mind giving me an example of this code?

    Also, seems like an incomplete implementation of "front door" if they don't also provide a means to shut the back door.

    Thursday, August 8, 2019 5:26 PM
  • Would you mind giving me an example of this code?
    Monday, August 12, 2019 12:11 PM
  • Hi, 

    Azure Front Door FAQ has this:

    How do I lock down the access to my backend to only Azure Front Door?

    To lock down your application to accept traffic only from your specific Front Door, you will need to set up IP ACLs for your backend and then restrict the set of accepted values for the header 'X-Forwarded-Host' sent by Azure Front Door. These steps are detailed out as below:

    • Configure IP ACLing for your backends to accept traffic from Azure Front Door's backend IP address space and Azure's infrastructure services only. We are working towards integrating with Azure IP Ranges and Service Tags, but for now you can refer to the IP ranges below:

      • Front Door's IPv4 backend IP space: 147.243.0.0/16
      • Front Door's IPv6 backend IP space: 2a01:111:2050::/44
      • Azure's basic infrastructure services through virtualized host IP addresses: 168.63.129.16 and 169.254.169.254

    To implement this, navigate to your Web App's IP filtering and enter the IP address ranges specified in the above steps. By doing this, the Web App will only allow traffic from those IPs, which are Azure AFD's POP servers' IPs. 

    Any traffic that comes from elsewhere will get blocked. Once this is done, you need to write your application code where you can use the HTTP request object and filter on a specific header to check if the request is coming from Azure AFD. 

    This second step is optional, but by adding the IP filtering you can lock down the traffic to AFD. 

    Regards, 

    Msrini 

    Monday, August 12, 2019 12:46 PM
    Moderator
  • So we've gone full circle from my original post...

    "The document https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq doesn't indicate "where" I go to achieve this."

    The reply (eventually) was: "In your Web App (Web.config)."

    But I can't find any example code of what I would need to do in my web.config.

    That's why I'm asking for example code.

    Monday, August 12, 2019 4:57 PM
  • I'm not using a virtual machine.
    Monday, August 12, 2019 5:05 PM
  • Hi Albert, 

    I don't have a sample code as of now. I can check and get back to you. But you can use Access Restriction option in your Web App to only allow AFD IPs. 

    See below screenshot:

    Click on Access restriction, add the AFD IPs and block the rest of the IPs. 

    Regards, 

    Msrini

    Monday, August 12, 2019 5:12 PM
    Moderator
  • Great ! Thanks !

    And what about the second part regarding "X-Forwarded-Host"?

    Is that managed in web.config or else where ?

    I can't find any example web.config code.

    Wednesday, August 14, 2019 10:44 AM
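Since the thread never supplies the web.config the question asks for, here is an added example of one way to do the second FAQ step (restricting the accepted values of `X-Forwarded-Host`) without application code. It is not from this thread or from Microsoft's documentation. It assumes a Windows App Service where the IIS URL Rewrite module is available, and the hostnames `myapp.azurefd.net` and `www.example.com` are placeholders for your Front Door frontend host and any custom domain bound to it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Reject every request whose X-Forwarded-Host header is not one of the
             hostnames that Front Door forwards on. A request that bypasses Front
             Door and hits the app service hostname directly has no such header,
             so the (empty) value fails the pattern and the request is refused. -->
        <rule name="RequireFrontDoorForwardedHost" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <!-- URL Rewrite exposes request headers as server variables named
                 HTTP_<HEADER>, with dashes replaced by underscores. -->
            <add input="{HTTP_X_FORWARDED_HOST}"
                 pattern="^(myapp\.azurefd\.net|www\.example\.com)$"
                 negate="true" />
          </conditions>
          <!-- Answer 403 instead of serving the page. -->
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Requests must arrive through Azure Front Door" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

On its own this header check proves little, because any client can send an `X-Forwarded-Host` header of its choosing. It only adds assurance once the Access Restrictions step from earlier in the thread is in place, so that the only sources able to reach the Web App at all are the Front Door backend ranges listed in the FAQ (147.243.0.0/16 and 2a01:111:2050::/44) plus the Azure infrastructure addresses. Keep the pattern anchored with `^` and `$` and list exact hostnames; a loose substring match would let a forwarded host such as `www.example.com.evil.test` through.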