Greetings! Today, I want to delve into a critical web app access security topic. Specifically, I will discuss using Azure services such as Azure Front Door, Azure Private Endpoint, and Azure Web App Access Restrictions to ensure your web app is well-protected against malicious attacks and unauthorized access. With the growing number of cybersecurity threats out there, it is crucial for any organization that has deployed web apps to take all necessary measures to safeguard their applications and the data they contain. By implementing the Azure above services, you can rest assured that your web app will be secure and your users can access it without any issues. So, without further ado, let’s dive into how to use these Azure services to enhance your web app security!
Please refer to the links to learn more about Azure’s front door, Azure web app, and Azure private endpoint.
To simplify the process, I have utilized the Azure Web app and Azure Front Door to facilitate comprehension. Additionally, I have activated the Private endpoint for the Azure Web app and enforced access restrictions. While I will not delve into the specifics of creating these resources, Microsoft offers helpful articles for guidance. I’m not a developer but I made a simple web app using an HTML static page.
Private Endpoint and Azure Web App
When you choose to host your applications on the Azure Web app, we leverage a private endpoint for accessing other applications and services hosted within the Azure virtual network. This private endpoint is crucial in directing traffic from web apps to VNET-based resources through the Azure backbone rather than a public endpoint. You must utilize a private endpoint to connect the network IP address from VNET to your Azure web apps.
An IP address will be designated from your Azure virtual network address space using the private endpoint. This facilitates secure network communication between a client on your private network and the app, as all traffic travels through the virtual network and a Private Link on the Microsoft backbone network, effectively eliminating any vulnerability from the public Internet. Use a network security group to restrict access with a private endpoint.
The below picture shows the private endpoint connected to the Azure Web app with VNET and has a private IP address from VNET.
Access Front Door with the Azure web App
Suppose you seek a state-of-the-art cloud Content Delivery Network (CDN) that can provide your audience with speedy, dependable, and protected access to your online content across the globe. In that case, Azure Front Door is the ideal choice. This Microsoft service will assist you in developing superior web applications, and we strongly endorse it. I have created an Azure Front door with a backend as the Azure web app service. The below picture will show the Azure Front Door with Web app service.
Access Restrictions for Azure Web App Service
Within the App Service, access restrictions function similarly to a firewall, allowing you to block or filter traffic effectively. It’s worth noting that these restrictions solely apply to inbound traffic and not outbound traffic. It’s important to remember that access restrictions do not apply to traffic entering through a private endpoint. By default, the entry point for all apps hosted on App Service is publicly accessible, except apps hosted within the ILB App Service Environment. In this case, the virtual network’s default entry point is internal.
App Service carefully examines incoming traffic to determine its origin from a private or default endpoint. Private endpoints are granted unrestricted access to the site, but only after undergoing scrutiny by our network security groups, which are responsible for enforcing specific limitations.
I have created two rules under the access restriction on the Web app. One rule is allowing the Azure Front Door Backend with a service tag to access the web app. Another new rule has denied the traffic with IP address 0.0.0.0 (ANY). Please refer to the below picture for rules.
As we have enabled the access direction, the inbound to the web app is enabled only with Azure Front Door service.
You will receive an error message if you try to access the web app directly from a web browser due to access restrictions blocked by the deny rule for IP address 0.0.0.0.
Now, we can access the web app through the Front Door instance since we have enabled access. For the lab purpose, I have not created a custom DNS for the URL.
To guarantee that traffic is only coming from your particular instance, it is necessary to apply additional filtering to incoming requests using the distinct http header known as X-Azure-FDID, which Azure Front Door sends. The Front Door ID can be located in the portal.
This is the end of the blog. Thank you for your time and for learning with me.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.