Azure App Service on Linux (PHP) with Azure Front Door - access control configuration

If you need to run Azure App Service on Linux with PHP code (such as WordPress) behind Azure Front Door, which you should, then you need to secure the communication between Azure Front Door and the Azure App Service Web App. If you don't want to, or cannot, use a custom Docker container, you are pinned to the built-in PHP container in App Service on Linux.

In this configuration, an Apache Web Server (httpd) serves your app. If you scale out, you have as many Apache Web Servers as there are instances configured in your App Service Plan. In front of them sits a load balancer; the App Service instances are NATed. App Services have inbound and outbound IP address pools, plus a DNS name and domain. Azure Front Door does not integrate into App Service; it is a totally separate service.
But you are running Azure Front Door, because it is cool, and you point it at the Azure App Service as a backend. And you want to serve your website only through Azure Front Door, restricting all other traffic.

It's easy. You just need to restrict the traffic reaching the Web App to traffic originating from the Azure Front Door backend addresses. The list of all public IP ranges used by Azure services is published by Microsoft. All you need to do is find the AzureFrontDoor.Backend value in that list of objects and create a JSON definition for the ipSecurityRestrictions setting of your Web App. Don't forget to add Azure's basic infrastructure services (via the virtualized host IP addresses 168.63.129.16 and 169.254.169.254) and the IPv6 address range, currently limited to 2a01:111:2050::/44.

But what if someone runs their own Azure Front Door and tries to route it to your Web App? It will work, because the source IP ranges are the same; you can configure it to work. What you want is to restrict access to YOUR Azure Front Door instance only. That is also easy and documented. All you need is to filter request headers for the X-Azure-FDID header value and pass only those requests whose value matches your Front Door ID. For PHP running on the built-in App Service on Linux image, you can do it at the Apache Web Server layer. Create a .htaccess file in your application's repository (in the wwwroot directory) and add an Apache 2 Web Server directive that restricts access to requests whose X-Azure-FDID header points to your Azure Front Door instance:
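As an added example (not the post's own file), a .htaccess using mod_authz_core's `Require expr` to enforce that header check; `YOUR-FRONT-DOOR-ID-PLACEHOLDER` stands for the "frontdoorId" GUID of your own instance.

```apache
# .htaccess placed in the wwwroot directory of the PHP app.
# Reject every request unless the X-Azure-FDID header equals the ID of our
# own Front Door instance (YOUR-FRONT-DOOR-ID-PLACEHOLDER is a placeholder
# for the GUID returned as "frontdoorId" by the Resource Manager API).
<IfModule mod_authz_core.c>
    <RequireAll>
        Require expr "%{HTTP:X-Azure-FDID} == 'YOUR-FRONT-DOOR-ID-PLACEHOLDER'"
    </RequireAll>
</IfModule>
```

The header check only identifies which Front Door forwarded the request, so keep the ipSecurityRestrictions rules from the previous step in place: without them, a client hitting the Web App directly could set the header itself.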

For other stacks you need to pick the proper option, e.g. for the Python image you can do it in your app's code or try to do it at the Gunicorn layer.

But how do you determine the Azure Front Door instance ID? That is also easy. Send a GET request to the Azure Resource Manager API (version 2020-01-01) for your Azure Front Door instance (by name). In the response you will find a "frontdoorId" property.
