How to configure Web Apps such that they cannot be accessed directly?


Problem description

In essence, only allow requests/responses to/from Azure Front Door.  There are different options, however, I'm having trouble finding details on implementation and best practices. I think the proper solution would be to create a Virtual Network to use to integrate the two services.

One nuance exists, the Web Apps have staging slots that may require a different solution since they use Azure Active Directory to prevent public access to pre-production.

I found a little more insight here, but still found it a bit confusing.

It seems that if I have a custom domain with subdomains with Front Door, there should be an easy way to prevent direct access to the backend addresses of the Web Apps and only allow through the custom DNS and Front Door.

This was helpful, however, I'm still getting 403 from the Front Door, so I must be missing something in how to configure.

Middleware? This also was helpful, but seems to indicate it can only be accomplished by middleware and I'm running Node/Express not .NET Core. Is it true, it can only be accomplished through middleware code?

This also mentions the same details.

What is missing? How to configure this across different application stacks?

Solution

The documentation is inaccurate when it states:

> To lock down your application to accept traffic only from your specific Front Door, you will need to set up IP ACLs for your backend and then restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door. These steps are detailed out as below:

It requires either setting up IP ACLs for your backend or implementing middleware code to conditionally match on your specific header value for 'X-Azure-FDID'. Both may not be required, the documentation is unclear.
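
For the Node/Express stack named in the question, the 'X-Azure-FDID' match can be written as a small middleware. This is an added example, not code from the original post or from Microsoft; `requireFrontDoorId`, `simulate`, the `FRONT_DOOR_ID` variable and the placeholder ID are assumptions. A request that reaches the app without passing through Front Door can carry any header value, so the check assumes network restrictions on the backend are also in place.

```javascript
// Added example: Express-style middleware that rejects any request whose
// X-Azure-FDID header does not equal the expected Front Door ID.
// EXPECTED_FDID is a constructed placeholder, not a real Front Door ID.
const EXPECTED_FDID = 'aaaaaaaa-0000-0000-0000-000000000000';

function requireFrontDoorId(expectedId) {
  const expected = String(expectedId || '').trim().toLowerCase();
  // Fail closed at startup: an empty expected value must never match
  // a request that simply omits the header.
  if (!expected) throw new Error('expected Front Door ID must be set');

  return function frontDoorOnly(req, res, next) {
    // Node lowercases header names; a header sent twice arrives as one
    // comma-joined string, which will not equal a single GUID.
    const raw = req.headers['x-azure-fdid'];
    const value = typeof raw === 'string' ? raw.trim().toLowerCase() : '';
    if (value !== expected) {
      // Same response for missing, duplicated and wrong values.
      res.statusCode = 403;
      res.end('Forbidden');
      return;
    }
    next();
  };
}

// In an Express app (hypothetical environment variable name):
//   app.use(requireFrontDoorId(process.env.FRONT_DOOR_ID));

// Runs one constructed request through the middleware without a server.
function simulate(headers) {
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let passed = false;
  const mw = requireFrontDoorId(EXPECTED_FDID);
  mw({ headers }, res, () => { passed = true; });
  return { passed, status: res.statusCode };
}
```

Register the middleware before any route or static-file handler so that nothing is served ahead of the check.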
