ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-100 All Questions

View all questions & answers for the SC-100 exam
Go to Exam

Exam SC-100 topic 4 question 14 discussion

Actual exam question from Microsoft's SC-100
Question #: 14
Topic #: 4
[All SC-100 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions that allow traffic from the Front Door service tags.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by [deleted] at Sept. 2, 2022, 1:40 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
emiliocb4
Highly Voted 2 years, 4 months ago
Selected Answer: B
if you want to block the access to A SPECIFIC front door instance the answer is B... if you want to block to any front door instance is A.... i will go for B in this case
upvoted 11 times
Ramye
1 year ago
Since the question did not mention any specific FDI then the answer should be A. If it mentioned specific FDI certainly B as it's missing the Header info.. info below "Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you'll need to further filter the incoming requests based on the unique http header that Azure Front"
upvoted 1 times
Ramye
1 year ago
Apologies missed out a couple of words to complete the sentence, so sharing it again. Thx "Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you'll need to further filter the incoming requests based on the unique http header that Azure Front Door sends."
upvoted 1 times
...
...
...
PlumpyTumbler
Highly Voted 2 years, 5 months ago
Selected Answer: A
https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#restrict-access-to-a-specific-azure-front-door-instance
upvoted 9 times
Ramye
1 year ago
It's A because it did not state that it needs to originate from a specific FDI so no Header info is needed so it meets the needs.
upvoted 1 times
...
mikenyga
2 years, 5 months ago
Why A? Access Front Door instance, not any Front Door. Filter by http header : X-Azure-FDID
upvoted 6 times
Gurulee
1 year, 11 months ago
Agreed
upvoted 1 times
...
Learing
2 years, 3 months ago
You actually need both, as headers can be set freely by whoever is calling
upvoted 1 times
TJ001
2 years, 1 month ago
It is combination of service tag and X-Azure-FDID header so this is a case where both are needed. It is explicitly mentioned in the link (to use together) https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium#public-ip-address-based-origins
upvoted 2 times
...
...
...
...
Murtuza
Most Recent 1 year, 1 month ago
Selected Answer: B
Answer is correct: B
upvoted 1 times
...
calotta1
1 year, 5 months ago
Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you'll need to further filter the incoming requests based on the unique http header that Azure Front Door sends. I'd say B https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance
upvoted 1 times
...
zellck
1 year, 9 months ago
Selected Answer: B
B is the answer. https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions#restrict-access-to-a-specific-azure-front-door-instance Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you need to further filter the incoming requests based on the unique http header that Azure Front Door sends called X-Azure-FDID. You can find the Front Door ID in the portal.
upvoted 1 times
...
uffman
1 year, 9 months ago
Selected Answer: B
Restricting using service tag is not enough, see https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#restrict-access-to-a-specific-azure-front-door-instance
upvoted 3 times
...
smudo1965
1 year, 10 months ago
Selected Answer: A
Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you'll need to further filter the incoming requests based on the unique http header that Azure Front Door sends.
upvoted 1 times
...
Gurulee
1 year, 11 months ago
Selected Answer: B
Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you'll need to further filter the incoming requests based on the unique http header that Azure Front Door sends.
upvoted 2 times
...
Gurulee
1 year, 11 months ago
Selected Answer: B
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance
upvoted 2 times
...
AzureJobsTillRetire
1 year, 11 months ago
Selected Answer: B
There are at least three front door service tags. The question is not specific, and it cannot be true. AzureFrontDoor.Frontend AzureFrontDoor.Backend AzureFrontDoor.FirstParty https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
upvoted 3 times
gsesh32
11 months ago
This is the most logical justification for option B here. Thanks
upvoted 1 times
...
...
hamshoo
2 years, 2 months ago
Selected Answer: B
Restricting using service tag is not enough as mentioned below. the answer is correct https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#restrict-access-to-a-specific-azure-front-door-instance
upvoted 3 times
...
JakeCallham
2 years, 3 months ago
Guys Http headers is correct and service tags is correct. Please look it up before claiming headers is wrong. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-
upvoted 3 times
...
darkpangel
2 years, 4 months ago
Selected Answer: A
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
upvoted 2 times
...
inzza
2 years, 4 months ago
Answer is A
upvoted 1 times
...
d3an
2 years, 4 months ago
Selected Answer: B
HTTP header required to restrict to the specific Front Door instance(s).
upvoted 3 times
...
darren888
2 years, 5 months ago
B is correct To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique http header that Azure Front Door sends. The app service would qualify as a specific instance the service tag is not enough
upvoted 3 times
Ramye
1 year ago
No, it should be the other way - the App will accept traffic that originates from FDI. Now service tag should be enough if the traffic does not have to originate from a specific FDI. Header info is needed if the traffic originates from a specific FDI.
upvoted 1 times
...
...
InformationOverload
2 years, 5 months ago
Selected Answer: A
A is correct
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel