
Azure front door probe ips for whitelisting in WebApp

We are designing a multi-location deployment within Azure that requires users to be sent to their closest origin. At the moment we are using Traffic Manager; however, that is causing us some issues with another layer in the client's infrastructure.

Another option we are investigating is Front Door; however, that introduces a new challenge: how can we prevent our origins from being publicly available?

For Traffic Manager, Microsoft publishes a list of probe IPs which we can whitelist within our web apps: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-faqs#what-are-the-ip-addresses-from-which-the-health-checks-originate

Does Front Door offer a similar thing? The ideal outcome would be a set of IP addresses (à la https://azuretrafficmanagerdata.blob.core.windows.net/probes/azure/probe-ip-ranges.json ) which we could import into our web apps' firewalls.

You can lock down access to your origins by whitelisting the Anycast IP address ranges used by Azure Front Door Service:

IPv4 - 147.243.0.0/16

IPv6 - 2a01:111:2050::/44

Source: How do I lock down the access to my backend to only Azure Front Door Service?

Azure Front Door Service provides dynamic site acceleration (DSA) including global HTTP load balancing. Front Door Service is a mix of ADC and CDN networking. When doing a health probe, the Front Door environments will send a probe; this doc states that there are about 90 Front Door environments or POPs globally. It seems that the document does not describe which specific probe IP addresses are in the Front Door environments. You could look at this issue on GitHub.

Currently, the Front Door service is in public preview; it may take some time for release. Also, it's not recommended to use it in a production environment.

You can now use Azure Front Door service tags to manage the scenario of restricting traffic to your backend to AFD only. Overview of service tags:

A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change

Also available in the above doc are the service tags for AFD, to restrict access in the way described you can use the AzureFrontDoor.Backend service tag.

Assuming your backend can support it, you can also add a further filter which ensures the traffic hitting your backend not only comes from AFD's IP range but also that it's your AFD! See this doc:

...restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door

The ID of your AFD can be retrieved in the following ways:

Perform a GET operation on your Front Door with the API version 2020-01-01 or higher. In the API call, look for frontdoorID field. Filter on the incoming header 'X-Azure-FDID' sent by Front Door to your backend with the value as that of the field frontdoorID. You can also find Front Door ID value under the Overview section from Front Door portal page.
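Added example (not part of the question or any of the answers above, and not Microsoft's code) showing how the two filters from the answers combine on the origin side: the IP-range check from the first answer and the X-Azure-FDID check from the last answer. The Front Door ID is a constructed placeholder, the sample requests are constructed rather than captured traffic, and the hard-coded ranges are the two quoted in the first answer; a real deployment would populate the list from the AzureFrontDoor.Backend service tag instead.

```python
"""Origin-side check: source IP must be Azure Front Door AND the request must carry our Front Door ID."""
import hmac
import ipaddress

# Anycast ranges quoted in the first answer. In production, load these from the
# AzureFrontDoor.Backend service tag (Microsoft maintains it) rather than hard-coding;
# the literals here only keep the example self-contained.
AFD_BACKEND_RANGES = [
    ipaddress.ip_network("147.243.0.0/16"),
    ipaddress.ip_network("2a01:111:2050::/44"),
]

# Constructed placeholder standing in for the frontdoorID of your own profile.
EXPECTED_FDID = "11111111-2222-3333-4444-555555555555"


def is_afd_address(remote_addr: str) -> bool:
    """True if the TCP peer address falls inside one of the AFD backend ranges."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in AFD_BACKEND_RANGES)


def check_request(remote_addr: str, headers: dict, expected_fdid: str = EXPECTED_FDID):
    """Return (allowed, reason) for one inbound request.

    remote_addr must be the real TCP peer address, never something read from
    X-Forwarded-For: the IP check is what stops an arbitrary client from simply
    adding its own X-Azure-FDID header and walking past the second check.
    """
    if not is_afd_address(remote_addr):
        return False, "peer address not in Azure Front Door backend ranges"

    fdid = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "x-azure-fdid":
            fdid = value.strip()
            break
    if fdid is None:
        return False, "X-Azure-FDID header missing"

    # Constant-time comparison; the ID is not a secret, but this costs nothing.
    if not hmac.compare_digest(fdid, expected_fdid):
        return False, "X-Azure-FDID does not match this Front Door"
    return True, "request came through our Front Door"


if __name__ == "__main__":
    # Constructed sample requests covering the interesting cases.
    samples = [
        ("147.243.10.20", {"X-Azure-FDID": EXPECTED_FDID}),   # legitimate
        ("203.0.113.7", {"X-Azure-FDID": EXPECTED_FDID}),     # correct header, wrong source
        ("147.243.10.20", {}),                                # AFD range, header missing
        ("2a01:111:2055::9", {"x-azure-fdid": "99999999-8888-7777-6666-555555555555"}),  # someone else's Front Door
    ]
    for addr, hdrs in samples:
        print(addr, check_request(addr, hdrs))
```

For an App Service origin the same two conditions are expressed as an access restriction rule that uses the AzureFrontDoor.Backend service tag together with an x-azure-fdid header filter (`az webapp config access-restriction add ... --service-tag AzureFrontDoor.Backend --http-header x-azure-fdid=<your frontdoorID>`), so the check above is mainly for origins that do their own filtering.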
