azure asp.net-core azure-front-door

How do you restrict access to Azure Web App by incoming header value?


I'm trying to lock down access to my Azure Web App by following the instructions here - https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door.

The first step I did through the Azure Portal, but I'm unsure as to where to do the second step (filter on the values for the incoming header 'X-Forwarded-Host'). Is it through the portal, through Host Filtering in the app itself, or through a WAF?


Solution

  • Since March 2020, Azure Front Door sends an X-Azure-FDID header with a unique value of your Front Door instance.

    I wrote a detailed blog post about how to utilize that in restricting access to your web app: https://henrihietala.fi/limit-access-to-your-azure-web-app-from-your-azure-front-door-only/
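
One way to enforce the header in the app itself, as an added example (not code from the answer or the linked blog post): ASP.NET Core middleware, assuming .NET 6+ minimal hosting with implicit usings, that returns 403 unless the request carries exactly one `X-Azure-FDID` value equal to the configured Front Door ID. The setting name `FrontDoor:Id` and the route are assumptions; the check only holds together with the IP restriction from the first step, because a client that can reach the app directly can set this header itself.

```csharp
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumption: the Front Door ID is supplied through a setting named "FrontDoor:Id"
// (App Service application setting "FrontDoor__Id"). The name is hypothetical.
string? expectedId = app.Configuration["FrontDoor:Id"];
if (string.IsNullOrWhiteSpace(expectedId))
{
    // Fail closed: without a configured ID the filter cannot decide anything.
    throw new InvalidOperationException("FrontDoor:Id is not configured.");
}
byte[] expected = Encoding.ASCII.GetBytes(expectedId.Trim().ToLowerInvariant());

// Register before any other middleware so nothing runs for rejected requests.
app.Use(async (context, next) =>
{
    var values = context.Request.Headers["X-Azure-FDID"];

    // Require exactly one value: a missing header and a duplicated header
    // are both treated as "did not come through our Front Door".
    bool allowed = values.Count == 1 && Matches(values[0], expected);
    if (!allowed)
    {
        app.Logger.LogWarning(
            "Rejected {Method} {Path} from {RemoteIp}: X-Azure-FDID missing or not ours",
            context.Request.Method, context.Request.Path,
            context.Connection.RemoteIpAddress);
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return; // short-circuit the pipeline
    }
    await next(context);
});

app.MapGet("/", () => "Reached through Front Door");
app.Run();

// GUID text is case-insensitive, so normalise before comparing.
static bool Matches(string? presented, byte[] expected)
{
    if (presented is null) return false;
    byte[] actual = Encoding.ASCII.GetBytes(presented.Trim().ToLowerInvariant());
    return CryptographicOperations.FixedTimeEquals(actual, expected);
}
```

The logged rejections double as a detection signal: requests that reach the app without the expected ID are coming around Front Door rather than through it.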