Exam SC-100 topic 3 question 14 discussion

The answer seems to be correct. https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-

The answer is correct you can also use FDID on the headers.

https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=powershell#restrict-access-to-a-specific-azure-front-door-instance:~:text=Restrict%20access%20to%20a%20specific,that%20Azure%20Front%20Door%20sends.

description of the correct answer https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium

While it is possible to configure access restrictions based on custom HTTP headers, relying solely on the Front Door ID header is not a comprehensive solution.

https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?pivots=front-door-standard-premium&tabs=app-service-functions#public-ip-address-based-origins

Same as Question 15. https://www.examtopics.com/discussions/microsoft/view/79537-exam-sc-100-topic-4-question-15-discussion

A is the answer. https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions#restrict-access-to-a-specific-azure-front-door-instance Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you need to further filter the incoming requests based on the unique http header that Azure Front Door sends called X-Azure-FDID. You can find the Front Door ID in the portal.

When you read the doc you will see that the header filter is critical: "IP address filtering alone isn't sufficient to secure traffic to your origin, because other Azure customers use the same IP addresses. You should also configure your origin to ensure that traffic has originated from your Front Door profile. Azure generates a unique identifier for each Front Door profile. You can find the identifier in the Azure portal, by looking for the Front Door ID value in the Overview page of your profile. When Front Door makes a request to your origin, it adds the X-Azure-FDID request header. Your origin should inspect the header on incoming requests, and reject requests where the value doesn't match your Front Door profile's identifier." https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?pivots=front-door-standard-premium&tabs=app-service-functions#front-door-identifier

Clearly Yes, see comments for previous question variants

The AzureFrontDoor.Backend service tag may contain Backend IP addresses from a few a list Azure Front Doors, eg. Front Door1, Front Door 2, .... If you want to restrict access to a specific Azure Front Door instance, for example Front Door1, you will have to also access restrictions based on HTTP headers that have the Front Door ID.

Yes the answer is correct , its specifially calls out " instance" and to match the defintion given in by MS it should be FD ID not service tag . "Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you'll need to further filter the incoming requests based on the unique http header that Azure Front Door sends."

I believe given answer is correct

Correct is A. https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli

https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance

The ans is correct.

The url Petza provides states you can use two ways."To lock down your application to accept traffic only from your specific Front Door, you can set up IP ACLs for your backend or restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door."