Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

What is the proper way to limit access to a static web app? #373

Open plamber opened 3 years ago

plamber commented 3 years ago

Hi, I was wondering if there are some recommendations to limit direct internet access to a Static Web App?

I would like to explore the possibility of putting an Azure Front Door in front of a Static Web App and allowing access only through Azure Front Door. For Azure Web Apps I am doing this by using an internal network and limiting access on ports 443 and 80 to Front Door only.

Thank you for your feedback, Patrick

miwebst commented 3 years ago

Hey @plamber, we are working on a feature to allow you to limit access to either a private endpoint or a set of IPv4 addresses; I believe this will unblock you.

As for ports, static web apps only operate over HTTPS so 443 is the only reachable port already.

plamber commented 3 years ago

Hi @miwebst, this is exactly what I was looking for.

Do you have some rough estimates when this might become an option?

Thank you for the awesome work

miwebst commented 3 years ago

A rough estimate, as we have a number of things in flight, for the IPv4 config will be 1-2 months. For the private endpoint integration, we are waiting on changes from another team, so I don't have an ETA for that yet.

plamber commented 3 years ago

Thank you

superhp commented 3 years ago

Hi. @miwebst. Is there any status update regarding the access restrictions to SWA? And will it be possible to apply the restriction separately for production and staging environments (in case we want production to be publicly available while staging/test environments private)?

ozkary commented 3 years ago

@plamber Did you use Front-Door for your setup? We are trying to use a WAF (firewall) to manage exploits, and using Front-Door looks to be the best approach for this use case.

anthonychu commented 3 years ago

We recently added the ability to restrict inbound traffic to specific IP blocks. See the Networking section of the config documentation. @ozkary you should be able to use this capability to restrict access to your Azure Application Gateway WAF.

For Front Door, we're working on the ability to restrict inbound traffic to specified service tags which would allow you to restrict access to Front Door only. We hope to have this capability in the next couple of months.

simonaco commented 3 years ago

@plamber @ozkary you can now configure your static web apps to allow access only from your Azure Front Door instance. Check out the steps here (Add Azure Frontdoor) and let us know if you have any feedback, please.

plamber commented 3 years ago

Thank you @simonaco. Do you have some recommendations on how to provision these settings using an ARM or Bicep template?

simonaco commented 3 years ago

@plamber here's a repo with an ARM template for creating the Azure Front Door resource and the static web app. You would still need to save the generated Front Door ID into the SWA config file.

plamber commented 3 years ago

Hi @simonaco, thank you very much for the sample repo. Do you have an example of how to manipulate the SWA config file through ARM? I am currently missing this piece.

I am looking for a way to provision the resource from an infrastructure-as-code perspective without needing to manually add the generated ID to the config file.

Thank you, Patrick

FrankFengYu commented 2 years ago

Hi, same situation here. We need to deploy SWA in environments a, b, c, d. In c and d, the SWA will be behind the Front Door. Not sure if there is any elegant way to do this.

I'm thinking of adding a bash or pwsh script in the deployment pipeline to replace the strings in staticwebapp.config.json with the Front Door ID and its domain name.
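For the infrastructure-as-code gap raised above (the generated Front Door ID has to land in staticwebapp.config.json) and the multi-environment case in the previous comment, here is an added example that is not from this thread or from the static-web-apps project: a small Python step for the deployment pipeline that renders the config from a checked-in template. It assumes the config keys from the SWA docs (`networking.allowedIpRanges` with the `AzureFrontDoor.Backend` service tag, `forwardingGateway.requiredHeaders.X-Azure-FDID`, `forwardingGateway.allowedForwardedHosts`), the hypothetical pipeline variables `FRONT_DOOR_ID` and `FRONT_DOOR_HOSTS`, and that the Front Door ID is the GUID Front Door sends in the `X-Azure-FDID` header. The sample template is constructed for the example.

```python
"""Render staticwebapp.config.json for an environment that may or may not sit
behind Azure Front Door.

Example code added to the thread, not part of the static-web-apps project.
Assumes the SWA config keys networking.allowedIpRanges,
forwardingGateway.requiredHeaders and forwardingGateway.allowedForwardedHosts,
and that the Front Door ID is the GUID carried in the X-Azure-FDID header.
"""
import copy
import json
import os
import re
import sys

# Service tag covering Front Door's backend egress ranges. Every Front Door in
# every tenant shares these ranges, so the tag alone only proves "some Front
# Door"; the X-Azure-FDID check below pins requests to *our* instance.
FRONT_DOOR_TAG = "AzureFrontDoor.Backend"
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample of a checked-in template. The stale networking block
# stands in for a restriction copied from another environment.
SAMPLE_TEMPLATE = {
    "routes": [{"route": "/admin/*", "allowedRoles": ["administrator"]}],
    "networking": {"allowedIpRanges": ["203.0.113.0/24"]},
}


def render_config(template, front_door_id=None, hosts=(), extra_ranges=()):
    """Return a new config dict; the template is not modified.

    front_door_id given -> lock the app to Front Door: only Front Door egress
                           ranges (plus extra_ranges) may connect, and every
                           request must carry this instance's X-Azure-FDID.
    front_door_id None  -> public environment: remove both sections so a
                           restriction from another environment cannot leak in.
    Routes, auth settings and other keys are passed through untouched.
    """
    cfg = copy.deepcopy(template)
    if front_door_id is None:
        cfg.pop("networking", None)
        cfg.pop("forwardingGateway", None)
        return cfg
    if not GUID_RE.match(front_door_id):
        raise ValueError(f"Front Door ID does not look like a GUID: {front_door_id!r}")
    if not hosts:
        raise ValueError("at least one allowed forwarded host is required")
    cfg["networking"] = {"allowedIpRanges": [FRONT_DOOR_TAG, *extra_ranges]}
    cfg["forwardingGateway"] = {
        "requiredHeaders": {"X-Azure-FDID": front_door_id},
        "allowedForwardedHosts": list(hosts),
    }
    return cfg


def main(argv):
    """Pipeline entry point: render <template> to <output>.

    FRONT_DOOR_ID (hypothetical pipeline variable) is unset in environments
    without Front Door, which yields a public config; FRONT_DOOR_HOSTS is a
    comma-separated list of the custom domains served by Front Door.
    """
    src, dst = argv[1], argv[2]
    with open(src, encoding="utf-8") as f:
        template = json.load(f)
    fd_id = os.environ.get("FRONT_DOOR_ID") or None
    hosts = [h.strip() for h in os.environ.get("FRONT_DOOR_HOSTS", "").split(",") if h.strip()]
    out = render_config(template, fd_id, hosts)
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(out, f, indent=2)
        f.write("\n")


if __name__ == "__main__":
    # e.g. FRONT_DOOR_ID=<guid> FRONT_DOOR_HOSTS=www.example.com \
    #      python render_swa_config.py swa.template.json staticwebapp.config.json
    main(sys.argv)
```

Run it as a step before the SWA deploy action, after the ARM/Bicep deployment has exposed the Front Door ID as a pipeline output. The ID check matters because the service tag only restricts the source network, not the tenant: without the `X-Azure-FDID` match anyone can front your origin with their own Front Door, and `allowedForwardedHosts` keeps the forwarded host header to the domains you actually serve. This is still an IP/header allow-list rather than a private endpoint.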

kiranpradeep commented 2 years ago

Is there an update from an infra perspective? For us, the whitelist comes from Akamai.

rbnmk commented 1 year ago

What about connecting an Azure Front Door Premium via Private endpoints to the SWA? Just like App Services and Storage origins? Any roadmap on this?