Include Front Door ID in ARM template IPRestriction
In Azure Portal when setting up access restrictions on an Azure Web Application there is now functionality to use service tags and include certain headers that must be present to allow access. We have configured the following setup which restricts access to the web app to only come from our specific front door instance:
However when trying to reflect the same configuration in ARM I have not been able to get things working. There seems to be a distinct lack of examples of this or documentation and exporting template in azure portal does not include the front door ID header check. The following is what I came up with, but after successful deployment the access restriction is there but does not have the front door ID set up.
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2020-12-01",
"name": "[concat(variables('myApp'), '/web')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('myApp'))]"
],
"properties": {
"ipSecurityRestrictions": [
{
"ipAddress": "AzureFrontDoor.Backend",
"action": "Allow",
"tag": "ServiceTag",
"priority": 300,
"name": "Restrict-FrontDoor",
"headers": {"X-Azure-FDID": "[parameters('frontDoorID')]"}
}
]
}
}
Each header accepts an array of object, something likes that should work for you:
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2020-12-01",
"name": "[concat(variables('myApp'), '/web')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('myApp'))]"
],
"properties": {
"ipSecurityRestrictions": [
{
"ipAddress": "AzureFrontDoor.Backend",
"action": "Allow",
"tag": "ServiceTag",
"priority": 300,
"name": "Restrict-FrontDoor",
"headers": {
"x-azure-fdid": [
"[parameters('frontDoorID')]"
]
}
}
]
}
}
- Listing the Tables in the Storage Account using ADF Web Activity is failed with an authorization error
- Terraform with Azure Key Vault to get secret value
- No value provided for parameter `container_name` in the Get Metadata1 activity
- Pagination with oauth azure data factory
- Using Managed Identity to connect to a queue from a WebJob
- How to integrate GPT-4 model hosted on Azure with the gptstudio package?
- Azure - Virtual network Gateway vs VPN gateways
- Azure CLI won't login on MacOS
- Replicating Azure SQL DB and blob storage in multi region setup
- Reading Azure Entra ID Diagnostic Settings
- Azure Traffic Manager Endpoint: The following locations specified in the geoMapping property for endpoint are not supported
- Assign specific agent on Azure DevOps YAML Pipelines
- GetBlob request is failing, when PutBlob and ListBlob are successfull
- Scheduled alert rule created in Terraform doesn't work
- New NIC with public IP has no internet connection, while existing NIC works fine
- BlobClient#generateSasUrl automatically %-encode blob path
- How to do copy of all the containers without explicitly mentioning in the array between two different storage accounts
- Azure Application Gateway WAF with False Positive on SQL Injection
- Application ID URI Throwing Error in Azure AD App Registration using Terraform
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- installing an SSL on Azure ubuntu web server
- How do I add a Spring Initializr dependency (eg Microsoft Azure) after the project is created?
- NvidiaGpuDriverLinux fails to install on NC6 instance
- How to get client secret expiry date using the azure AD graph API
- Can't get OneNote data using graph api from microsoft
- Adding Custom Python library in Azure Synapse
- Cannot run .NET Core application on Linux in Azure App Services with linuxFxVersion: 'DOTNETCORE:8.0'
- Unable to connect from Azure data factory to postgres flexible server using private endpoint
- Microsoft graph return "access token is empty"
- How to use empty disk spaces under /dev/sdb1 on Azure?