This article is contributed. See the original author and article here.

Some customer asked me about the following topic.


“We use App Service for hosting applications and Azure Front Door as global L7 load balancer. We would like to permit only accesses from Azure Front Door at Azure App Service as simply as possible. Could you please share good solution with us?”


By default, each App Service has a public IP address and is accessible via FQDN from the globe. If you simply deploy App Service behind Azure Front Door, everyone can access App Service directly. Therefore, we have to configure permit only access from Azure Front Door at App Service. If you were me, what do you think is a good solution? 


What is Azure Front Door?

If you are not familiar with Azure Front Door, please read the following document.


What is Azure Front Door?


Access restrictions in App Service

This topic is covered in the following document, but description is so simple that it would be hard to understand how to restrict access.


Access restrictions



I would like to walk through how to configure access restriction from other than Azure Front Door to App Service. If you can access Azure environment, I recommend following my instruction. In this article, I use quick start tutorial for Azure Front Door.


Quickstart: Create a Front Door for a highly available global web application


Note that …

  • We can choose several options to configure Azure Front Door – Azure Portal, CLI, PowerShell, and ARM template. In this article, I use Azure Portal to configure access restriction.

  • Even if we don’t create two App Service instances, we can test access restriction. You may follow the quick start tutorial dutifully, of course.:smile:


Create App Service instance

Following the tutorial, we can create simple App Service instances for backend service. Nothing special configuration is required. At this point, you should be able to access the instances via FQDN.

App Service 1.png



Configure Front Front Door

Following the tutorial, you can configure Azure Front Door. Note that we have to specify “App Service” when choosing “Backend host type”.

FrontDoor 1.png

After specifying backend host type, we should see the following image.

FrontDoor 2.png

When all configuration is ready, click “Create” and wait a minute. When Azure Front Door is ready, we can test if access via Azure Front Door is available.

FrontDoor 3.png


At this point, we can still access App Service instances directly via FQDN since we have not configured access restrictions yet.


Configure access restriction for App Service instances

We open App Service instances created in the previous step in Azure Portal. And, we select “Settings” > “Networking” > “Access Restrictions” > “Configure Access Restrictions”.

App Service 2.png


Clicking “Add rule”, some screen appears from righthand where we create access restriction rule. We can specify some attributes. Name, priority, and description as we like. And then, this is the most important thing in this article, we have to choose “Service Tag (preview)” among several options of “type”.

App Service 3.png

When choosing “Service Tag (preview)”, we can choose a service tag among options. In this case, we have to pick up “AzureFrontDoor.Backend” among them.

App Service 4.png

Clicking “Add rule”, that’s it. If you create two App Service instances, you have to repeat to do these steps to the other instance.


Git it a try!

First of all, we test access via Azure Front Door. This access is permitted and we can see the following image.

FrontDoor 4.png


How about access to App Service directly? This access is restricted and HTTP 403 returns. 

App Service 5.png



In this article, I describe a simple way of access restrictions when using Azure Front Door and App Service. Hope this helps.



Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: