Open Izzmo opened 1 year ago
Thanks for the suggestion. Yes, you can lock down the Front Door host with headers. On the backend side, there are 2 features you may be referring to:
Managed functions: These don't support virtual network integration. My recommendation for this is to use a standalone Azure Function, attach it as a linked backend to the Static Web App, and integrate that resource. By linking this as a backend to Azure Static Web Apps, the connection is secured and automatically proxies /api requests to the linked backend. I wrote an article on the topic: https://techcommunity.microsoft.com/t5/apps-on-azure-blog/access-network-isolated-apis-and-databases-from-azure-static-web/ba-p/3899179
Database connections: We hear the feedback requesting private endpoints for this feature, and this is something we are discussing with the database teams who are providing the Data API service.
@thomasgauvin thanks for the reply.
I was hoping to have some functionality in place to automate this in a managed way. The main selling point of SWA is that teams don't have to manage this themselves and want an "easy button."
Thanks for the feedback @Izzmo, I'm aware of this need which is why I've written a few articles on network integration on TechCommunity. Today, it's not possible with the primitives that Azure Static Web Apps relies on (Consumption functions, web apps) to have VNet integration, but we are looking into this.
When you use a full App Service, you can put a Front Door in front of the app service, and then lock down the app service to only receive requests from the Front Door host via service tags. Additionally, you can create a private link from your API to your database inside of a VNET.
This basic functionality with the addition of the Data API will be essential for Enterprise customers.
Describe alternatives you've considered
The only alternative is to build this all out with traditional resources manually.
Additional context
This is sort of already available where you can lock down access to a specific Front Door host with headers. Unfortunately, this still leaves the app open on the database side.
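For reference, the header lock-down mentioned in the issue looks like this in `staticwebapp.config.json` (an added example, not part of the original thread; the Front Door ID and host name are placeholders to replace with your own values). It restricts inbound traffic to the Front Door backend service tag and requires that instance's `X-Azure-FDID` header. It does not touch the database connection, which is the gap the issue describes.

```json
{
  "networking": {
    "allowedIpRanges": ["AzureFrontDoor.Backend"]
  },
  "forwardingGateway": {
    "requiredHeaders": {
      "X-Azure-FDID": "<FRONT-DOOR-ID-PLACEHOLDER>"
    },
    "allowedForwardedHosts": ["<front-door-endpoint-placeholder>.azurefd.net"]
  }
}
```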