Protect web app
Hi there,
I'm deploying my App Service Web App behind Front Door.
On the web app I configured Public network access with the below rule:
X-Azure-FDID value is the Front Door ID.
Whenever the customers query the Web App they get the error:
ERROR 403 - Forbidden.
The web app you have attempted to reach has blocked your access.
Important Note: I don't want to add a condition such as allowing Any to access.
What am I missing here?
Azure App Service
-
Rohith Vinnakota • 3,160 Reputation points • Microsoft External Staff
2025-03-04T20:55:49.1733333+00:00 Hi @JMN-2253,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I could understand that you would like to allow traffic only from Azure Front Door and block all the rest of the traffic. From the screenshot that you have shared, I could see that you have done the correct settings.
May I ask what issue you are seeing here?
-
JMN-2253 • 616 Reputation points
2025-03-04T21:15:36.7333333+00:00 Hi Rohith,
The issue is whenever our customers query our App they get the below error:
ERROR 403 - Forbidden.
The web app you have attempted to reach has blocked your access.
-
JMN-2253 • 616 Reputation points
2025-03-04T21:19:17.1033333+00:00 The issue is that whenever our customers query (in other words: browse) our web app, they see the below error:
ERROR 403 - Forbidden.
The web app you have attempted to reach has blocked your access.
So, what am I missing that causes this problem?
-
Teemu Kumpulainen • 5 Reputation points
2025-03-04T21:55:18.2833333+00:00 Hi!
I assume your customers are trying to access the web app via the front door URL, and not the Web App URL?
-
JMN-2253 • 616 Reputation points
2025-03-04T22:01:01.02+00:00 In my GoDaddy, I have CNAME Record like this:
CNAME www.mysite.com
Value similar to: www-pbhxxxx0e2ewdpbv.a03.azurefd.net
Also my TXT record to validate my entry.
-
Laxman Reddy Revuri • 3,345 Reputation points • Microsoft External Staff
2025-03-05T06:45:33.5366667+00:00 Hi @JMN-2253,
For the ERROR 403 - Forbidden issue when accessing your App Service Web App behind Azure Front Door, ensure that your web app is configured to accept requests only from Azure Front Door.
- Ensure your web app checks the X-Azure-FDID header, which is added by Azure Front Door and contains the Front Door ID. If the header value does not match your Front Door ID, the web app will return a 403 Forbidden response. Verify the header is sent correctly and that your web app is set to accept it.
- Confirm that your web app's network access settings allow traffic from the Azure Front Door IP address ranges. Configure IP address filtering to accept requests only from the AzureFrontDoor.Backend service tag, which includes the IP addresses used by Azure Front Door.
References:
https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/protect-api-hosted-apim-by-waf#restrict-apim-access-through-the-azure-front-door-only
https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?pivots=front-door-standard-premium&tabs=app-service-functions#public-ip-address-based-origins
-
JMN-2253 • 616 Reputation points
2025-03-05T14:20:35.3833333+00:00 It is very unprofessional to answer without seeing the original post!
You just wasted my time reading your response!
This forum is becoming full of copy-paste from articles, by people who are just trying to fill their time!!!!
-
Laxman Reddy Revuri • 3,345 Reputation points • Microsoft External Staff
2025-03-06T05:10:16.9666667+00:00 Hi @JMN-2253,
My apologies for any inconvenience caused by this.
Please consider incorporating the AzureFrontDoor.Backend service tag in your access restrictions. This approach will ensure that only Azure Front Door can access your App Service, irrespective of the header. Check the Azure App Service logs to confirm whether the incoming requests carry the correct X-Azure-FDID.
A reference string that identifies the request came from a specific Front Door resource. The value can be seen in the Azure portal or retrieved using the management API. You can use this header in combination with IP ACLs to lock down your endpoint to only accept requests from a specific Front Door resource.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-http-headers-protocol#from-the-front-door-to-the-backend
-
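The rule the answer above describes (AzureFrontDoor.Backend service tag combined with an X-Azure-FDID header match, unmatched traffic denied) can be modelled in a few lines to see which check produces a 403 for a given request. This is an added illustration, not code from the thread or from Azure; the IP ranges, the Front Door ID and the sample requests are constructed placeholders.

```python
import ipaddress

# Constructed stand-in for the AzureFrontDoor.Backend service tag ranges.
# Azure publishes the real ranges; these documentation prefixes are placeholders.
FRONT_DOOR_BACKEND_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                             ipaddress.ip_network("2001:db8:fd::/48")]

# Constructed placeholder for this Front Door resource's ID (the X-Azure-FDID value).
MY_FRONT_DOOR_ID = "00000000-0000-0000-0000-000000000000"


def evaluate_access(source_ip, headers, expected_fdid=MY_FRONT_DOOR_ID):
    """Mimic an access-restriction rule 'Allow AzureFrontDoor.Backend where
    X-Azure-FDID == <id>' with the unmatched-rule action set to Deny.
    Returns (http_status, reason) so a 403 can be traced to the failing check."""
    ip = ipaddress.ip_address(source_ip)
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    fdid = lowered.get("x-azure-fdid")

    if not any(ip in net for net in FRONT_DOOR_BACKEND_RANGES):
        # Request did not arrive from a Front Door POP, e.g. the caller used the
        # *.azurewebsites.net origin hostname instead of the Front Door hostname.
        return 403, "source IP is not in AzureFrontDoor.Backend"
    if fdid is None:
        return 403, "X-Azure-FDID header missing"
    if fdid.lower() != expected_fdid.lower():   # GUID compare, case-insensitive here
        # Traffic came through some Front Door, but not this resource.
        return 403, "X-Azure-FDID does not match this Front Door resource"
    return 200, "allowed: Front Door IP and matching X-Azure-FDID"


def triage(requests):
    """Evaluate a batch of (label, source_ip, headers) tuples; returns
    a list of (label, status, reason)."""
    return [(label, *evaluate_access(ip, hdrs)) for label, ip, hdrs in requests]


SAMPLE_REQUESTS = [  # constructed requests covering the allow case and three 403 causes
    ("via Front Door", "203.0.113.10",
     {"X-Azure-FDID": MY_FRONT_DOOR_ID, "Host": "www.mysite.com"}),
    ("direct to origin", "198.51.100.7", {"Host": "mysite.azurewebsites.net"}),
    ("other Front Door", "203.0.113.11",
     {"X-Azure-FDID": "11111111-1111-1111-1111-111111111111"}),
    ("Front Door IP, header dropped", "203.0.113.12", {}),
]

if __name__ == "__main__":
    for label, status, reason in triage(SAMPLE_REQUESTS):
        print(f"{label:30s} -> {status} ({reason})")
```

Run against real App Service HTTP log entries, the reason string tells you whether the 403 comes from the source address (customers bypassing Front Door) or from the header value (wrong or stripped Front Door ID).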
JMN-2253 • 616 Reputation points
2025-03-06T14:34:04.0866667+00:00 Hi @Laxman Reddy Revuri ,
In my first post I wrote "X-Azure-FDID value is the Front door id", and the screenshot shows the AzureFrontDoor.Backend service tag in the access restrictions.
However, it is worth mentioning I had to add this entry, the front door didn't create it by default.
-
Pavan Pesala • 0 Reputation points • Microsoft External Staff
2025-03-14T10:41:31.63+00:00 Hi @JMN-2253,
If your App Service is expecting a specific hostname, it might be rejecting requests coming through Front Door. Make sure the backend hostname in Front Door matches what your App Service expects. If Front Door is terminating SSL and sending plain HTTP to the backend, your App Service might be blocking it. Ensure it's correctly handling the forwarded protocol.
Your App Service might also be enforcing authentication, which could be preventing requests from going through. If you have App Service Authentication enabled, check that it’s allowing traffic from Front Door. CORS settings could also be a problem—if your app is expecting requests from a specific origin, it might be blocking ones coming through Front Door.
Another thing to check is whether your App Service is integrated with a VNet or has firewall rules in place that are preventing traffic from Front Door. Even if you've allowed the Front Door service tag, there could be a misconfiguration. If your application itself has request validation, such as checking headers like Referer or User-Agent, it might be rejecting requests from Front Door. Try logging incoming requests at the app level to see what's actually reaching it.
Hope it helps!
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
-
JMN-2253 • 616 Reputation points
2025-03-15T20:23:31.1+00:00 @Pavan Pesala the app service has: VNet Integration + 2 private endpoints, 1 private endpoint to connect to SQL PaaS, and a 2nd one to connect with AFD. The App Service firewall allows traffic from AFD. Up till here I see no reason to get Error 403. Now, AFD has the certificate from the Key Vault; it is mapping to the same certificate as the web app. The logs show that AFD responds 200, but the 403 is coming from the web app. Does that ring any bell?