I would like to restrict access to my AppServices and only traffic from Azure Front Door should be accepted.
The MS documentation here explains that we should update IP restrictions and also manage 'X-Azure-FDID'. I want to focus only on IP restrictions in this question. Then I found some useful articles like wintellect and henrihietala which propose incredible PowerShell commands to do that. It seems to work, but I just noticed that the IP list contains more than 100 records! It's huge, don't you think? See my screenshot. Is it really necessary to allow so many IPs? The code to retrieve a filtered list of the IPv4 and IPv6 addresses used by Front Door is:
$addresses = ((Get-AzNetworkServiceTag -Location $location).Values | Where-Object ( { $_.Name -eq 'AzureFrontDoor.Backend' })).properties.AddressPrefixes
Because I know my Front Door resource, is there any chance to reduce all these IPs?
Regards, Terry
In the Web App's Restriction, just add only one rule allowing the IPv4 CIDR "147.243.0.0/16" as shown in the image.
Then, only the traffic coming from the Azure Front Door will be allowed on your Web App.
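An added example, not part of the question or the answer above: App Service access restrictions also accept a service tag in place of an IP list, so the `AzureFrontDoor.Backend` tag used in the question can be a single rule, and the same rule can filter on the `X-Azure-FDID` header the question mentions. Front Door backend addresses are shared by all Front Door profiles, so the header filter is what ties the rule to one profile. The resource group, app name, rule name and Front Door ID below are placeholders.

```powershell
# Added example; every value below is a placeholder to replace with your own.
$resourceGroup = 'my-resource-group'                     # hypothetical name
$webApp        = 'my-web-app'                            # hypothetical name
$frontDoorId   = '00000000-0000-0000-0000-000000000000'  # placeholder Front Door ID

# One rule instead of 100+ prefixes: the platform resolves the service tag
# to the current Front Door backend ranges, so the list never has to be synced.
# The header filter rejects requests that arrive from Front Door backend
# addresses but carry another profile's X-Azure-FDID value.
Add-AzWebAppAccessRestrictionRule `
    -ResourceGroupName $resourceGroup `
    -WebAppName $webApp `
    -Name 'AllowFrontDoorBackend' `
    -Priority 100 `
    -Action Allow `
    -ServiceTag 'AzureFrontDoor.Backend' `
    -HttpHeader @{ 'x-azure-fdid' = $frontDoorId }

# Check the result: once an Allow rule exists, traffic that matches no rule
# is denied by the implicit final rule.
(Get-AzWebAppAccessRestrictionConfig `
    -ResourceGroupName $resourceGroup `
    -Name $webApp).MainSiteAccessRestrictions
```

The rule above covers the main site only; the SCM (Kudu) site has its own restriction list and needs a separate rule or the setting that makes it inherit the main site's rules.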