Exam SC-100 topic 3 question 12 discussion

Actual exam question from Microsoft's SC-100
Question #: 12
Topic #: 3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions to allow traffic from the backend IP address of the Front Door instance.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B

Comments

PlumpyTumbler
Highly Voted 2 years, 3 months ago
These questions repeat in this exam dump. They are found again in a later section. The answer is SERVICE TAGS. The explanations are confused. They say the correct answer in some places and incorrect in others. Focus on the screenshot provided. It shows you the answer. A picture is worth a thousand words.
upvoted 13 times
AzureJobsTillRetire
1 year, 9 months ago
This cannot be correct. Service tag is just a list of IP addresses.
upvoted 1 times
[Removed]
1 year, 8 months ago
This must be correct, as service tag is precisely what we need. Definition of service tag: A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Link to the screenshot, you can see the type of service tag which in our case is AzureFrontDoor.Backend: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#set-a-service-tag-based-rule
upvoted 1 times
...
zellck
Highly Voted 1 year, 6 months ago
Selected Answer: B
B is the answer. https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions#restrict-access-to-a-specific-azure-front-door-instance Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you need to further filter the incoming requests based on the unique http header that Azure Front Door sends called X-Azure-FDID. You can find the Front Door ID in the portal.
upvoted 6 times
...
Arockia
Most Recent 11 months ago
To securely restrict access to Azure App Service web apps through Azure Front Door, a more robust approach is required:
1. Service Tag-Based Access Restrictions
2. Custom Headers
upvoted 1 times
...
EM1234
1 year, 7 months ago
Selected Answer: B
When you read the doc you will see that the header filter is critical: "IP address filtering alone isn't sufficient to secure traffic to your origin, because other Azure customers use the same IP addresses. You should also configure your origin to ensure that traffic has originated from your Front Door profile. Azure generates a unique identifier for each Front Door profile. You can find the identifier in the Azure portal, by looking for the Front Door ID value in the Overview page of your profile. When Front Door makes a request to your origin, it adds the X-Azure-FDID request header. Your origin should inspect the header on incoming requests, and reject requests where the value doesn't match your Front Door profile's identifier." https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?pivots=front-door-standard-premium&tabs=app-service-functions#front-door-identifier
upvoted 4 times
...
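The decision zellck and EM1234 describe above, as an added example that is not part of the original thread and not Microsoft's code: it compares the IP-only rule from the question with the service-tag range plus `X-Azure-FDID` check. The prefix list reuses the two ranges quoted in omarrob's comment as a stand-in for the `AzureFrontDoor.Backend` tag; the profile IDs, sample requests and function names are constructed for illustration.

```python
import hmac
import ipaddress

# Constructed sample data. The prefixes are the two ranges quoted in a comment
# on this page, standing in for the AzureFrontDoor.Backend service tag; the
# real tag is maintained by Microsoft and changes over time.
FRONT_DOOR_PREFIXES = [ipaddress.ip_network(p)
                       for p in ("147.243.0.0/16", "2a01:111:2050::/44")]
MY_FDID = "11111111-1111-1111-1111-111111111111"     # placeholder profile ID
OTHER_FDID = "22222222-2222-2222-2222-222222222222"  # placeholder, other tenant


def from_front_door_range(source_ip):
    """True if the peer address falls inside any Front Door backend prefix."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in FRONT_DOOR_PREFIXES)


def ip_only_rule(source_ip, headers):
    """The solution proposed in the question: address filtering alone."""
    return from_front_door_range(source_ip)


def ip_and_fdid_rule(source_ip, headers):
    """Address filter plus an exact match on the X-Azure-FDID header."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-azure-fdid", "").strip().lower()
    same_id = hmac.compare_digest(presented.encode(), MY_FDID.encode())
    return from_front_door_range(source_ip) and same_id


# Constructed requests: (label, peer address, request headers)
REQUESTS = [
    ("own profile", "147.243.10.5", {"X-Azure-FDID": MY_FDID}),
    ("other tenant's profile", "147.243.77.9", {"X-Azure-FDID": OTHER_FDID}),
    ("missing header", "2a01:111:2050::1", {}),
    ("direct client with FDID header", "203.0.113.20", {"x-azure-fdid": MY_FDID}),
]


def evaluate(rule):
    """Return {label: allowed} for every constructed request under `rule`."""
    return {label: rule(ip, headers) for label, ip, headers in REQUESTS}


if __name__ == "__main__":
    for rule in (ip_only_rule, ip_and_fdid_rule):
        print(rule.__name__, evaluate(rule))
```

Under the IP-only rule the other tenant's profile is admitted because it shares the same address range; only the combined rule limits access to one Front Door profile.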
Ajdlfasudfo0
1 year, 9 months ago
Selected Answer: A
You have to restrict traffic to front door backend pool only. This can be done via IP Range, HTTP Header or service tag. So I would go with A.
upvoted 4 times
...
omarrob
2 years ago
A is correct, and I was using this method based on a ticket opened with Microsoft Support three years ago, where they recommended doing access restriction using the Front Door instance IPv4 and IPv6. At that time the Front Door service tag was not yet available. So this particular question is correct using the Front Door backend IP or the service tag or the HTTP header; ALL ARE CORRECT. Below are the Front Door IP ranges provided by Microsoft support: 147.243.0.0/16 2a01:111:2050::/44
upvoted 6 times
...
JCkD4Ni3L
2 years, 2 months ago
Selected Answer: B
Service Tag is the correct answer, thus NO (B).
upvoted 4 times
...
zts
2 years, 3 months ago
Selected Answer: B
Service Tag
upvoted 5 times
...