Exam SC-100 topic 3 question 13 discussion

Answer correct. You need to recommend a solution to ensure that the web apps only allow access through the Front Door (INSTANCE) this is important! Restrict access to a specific Azure Front Door instance with X-Azure-FDID header restriction

Service Tags

Yes, it meets the goal. Recommending access restrictions that allow traffic from the Azure Front Door service tags ensures that only traffic coming from the Front Door instance is allowed to access your Azure App Service web apps. This effectively secures the web apps by limiting access to traffic that has been routed and potentially inspected by Azure Front Door, minimizing the risk of direct malicious attacks.

the correct answer is: A. Yes

Service Tags with X-Azure-FDID header restriction

https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=powershell#restrict-access-to-a-specific-azure-front-door-instance:~:text=Restrict%20access%20to%20a%20specific,that%20Azure%20Front%20Door%20sends.

Yes, allowing traffic only from the Azure Front Door service tag as an access restriction ensures that a Web App only allows access through a Front Door instance. This is because Front Door's features work best when traffic only flows through Front Door.

Agree with those making the distinction of the question specifying the 'instance'. Service tags is not enough without validation of the X-Azure-FDID header to lock access to the specific instance. Voting to help sway the confusion in the right direction.

B is the correct choice

To securely restrict access to Azure App Service web apps through Azure Front Door, a more robust approach is required: 1. Service Tag-Based Access Restrictions 2. Custom Headers

By configuring access restrictions to allow traffic from the Front Door service tags, you can effectively restrict access to the web apps only from the Front Door instance. This approach provides a reliable and scalable solution since the Front Door service tags automatically adapt to any changes in IP ranges associated with the Front Door service.

Restrict access to a specific Azure Front Door instance Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you need to further filter the incoming requests based on the unique http header that Azure Front Door sends called X-Azure-FDID. You can find the Front Door ID in the portal

https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?pivots=front-door-standard-premium&tabs=app-service-functions#public-ip-address-based-origins

Same as Question 14. https://www.examtopics.com/discussions/microsoft/view/79383-exam-sc-100-topic-4-question-14-discussion

B is the answer. https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions#restrict-access-to-a-specific-azure-front-door-instance Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you need to further filter the incoming requests based on the unique http header that Azure Front Door sends called X-Azure-FDID. You can find the Front Door ID in the portal.

I would select B, since it states allow connection from the Front Door instance (specific?).

ChatGTP: A. Yes Restricting access to Azure App Service web apps to only allow traffic from the Front Door instance is a good security practice to ensure that the web apps are only accessible through the Front Door instance. One way to achieve this is by using access restrictions that allow traffic from the Front Door service tags. Azure Front Door service tags represent the IP addresses of the Front Door edge nodes, which can be used to restrict access to the web apps. By configuring access restrictions that only allow traffic from the Front Door service tags, you can ensure that the web apps are only accessible through the Front Door instance. Therefore, the recommended solution to ensure that the web apps only allow access through the Front Door instance by using access restrictions that allow traffic from the Front Door service tags meets the goal.