How to configure Web Apps such that they cannot be accessed directly?


Problem description

In essence, only allow requests/responses to/from Azure Front Door. There are different options; however, I'm having trouble finding details on implementation and best practices. I think the proper solution would be to create a Virtual Network to use to integrate the two services.

One nuance exists: the Web Apps have staging slots that may require a different solution, since they use Azure Active Directory to prevent public access to pre-production.

I found a little more insight here, but still found it a bit confusing.

It seems that if I have a custom domain with subdomains with Front Door, there should be an easy way to prevent direct access to the backend addresses of the Web Apps and only allow through the custom DNS and Front Door.

This was helpful; however, I'm still getting 403 from the Front Door, so I must be missing something in how to configure.

Middleware? This also was helpful, but seems to indicate it can only be accomplished by middleware, and I'm running Node/Express, not .NET Core. Is it true that it can only be accomplished through middleware code?

Also mentions the same details.

What is missing? How to configure this across different application stacks?

Recommended answer

The documentation is inaccurate when it states: "To lock down your application to accept traffic only from your specific Front Door, you will need to set up IP ACLs for your backend and then restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door. These steps are detailed out as below:"

It requires either setting up IP ACLs for your backend or implementing middleware code to conditionally match on your specific header value for 'X-Azure-FDID'. Both are not required.
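
The middleware option mentioned in the answer, sketched for the Node/Express stack from the question. This is an added example, not code from the original post or from Microsoft; the names `requireFrontDoor`, `safeEqual`, `simulate`, the `FRONT_DOOR_ID` environment variable and the all-zero ID are assumptions made for illustration.

```javascript
// Constructed placeholder, not a real Front Door ID.
const EXPECTED_FDID = '00000000-0000-0000-0000-000000000000';

// Constant-time string comparison, so response timing does not reveal how many
// leading characters matched (crypto.timingSafeEqual does this for Buffers).
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns Express-style middleware that rejects any request whose X-Azure-FDID
// header is missing, repeated, or different from the expected Front Door ID.
function requireFrontDoor(expectedId) {
  const expected = typeof expectedId === 'string' ? expectedId.trim().toLowerCase() : '';
  // Fail closed: an unset ID must never turn into "allow everything".
  if (!expected) throw new Error('Front Door ID must be configured');
  return function frontDoorOnly(req, res, next) {
    // Node lower-cases header names; a repeated custom header arrives as "a, b".
    const raw = req.headers['x-azure-fdid'];
    const value = typeof raw === 'string' ? raw.trim().toLowerCase() : '';
    if (value && !value.includes(',') && safeEqual(value, expected)) {
      return next();
    }
    res.statusCode = 403;
    res.end('Forbidden');
  };
}

// Hypothetical helper for exercising the middleware without a server: feeds it
// a constructed request and reports whether it passed and the status sent.
function simulate(middleware, headers) {
  const result = { passed: false, status: null };
  const res = { statusCode: 200, end() { result.status = this.statusCode; } };
  middleware({ headers }, res, () => { result.passed = true; });
  return result;
}

// Usage in an Express app (register before any routes):
//   app.use(requireFrontDoor(process.env.FRONT_DOOR_ID));
```
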
