AZ-700 Question #211: Real Exam Question with Answer & Explanation
The correct answer is A: an access restriction.
Question
You have an Azure subscription that contains an Azure Front Door named FD1. You plan to deploy an app named App1 by using Azure App Service. Users will access App1 by using FD1. You need to provide FD1 with access to App1. The solution must meet the following requirements:
- Ensure that users can only access App1 by using FD1.
- Ensure that users cannot access App1 directly from the internet.
What should you create for App1?
Options
- A. an access restriction
- B. a private endpoint
- C. a subnet delegation
- D. a service endpoint
Explanation
Azure App Service has a built-in 'Access Restrictions' feature that allows you to whitelist or blacklist traffic based on IP addresses, service tags, or HTTP headers. To ensure App1 is only accessible through Azure Front Door and not directly from the internet, you configure an access restriction rule that allows traffic only from the 'AzureFrontDoor.Backend' service tag and denies all other inbound traffic. Front Door also injects the 'X-Azure-FDID' header, which can be validated.
A private endpoint (B) would expose the app on a private IP inside a VNet, but this doesn't natively integrate with Front Door's public-facing architecture without additional complexity. Subnet delegation (C) is for delegating a subnet to a specific Azure service, not for restricting app access. A service endpoint (D) allows a VNet to reach Azure PaaS services privately but doesn't restrict who can reach the app from the internet.
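The following is an added example, not part of the original question: a small audit that checks an App Service site configuration for the lock-down described above. It flags a rule that uses the service tag without an 'X-Azure-FDID' filter, because the 'AzureFrontDoor.Backend' tag is shared by every Front Door profile, not just FD1. The field names follow the ARM site-config properties and are an assumed input shape; the rule name, the Front Door ID placeholder and all sample configurations are constructed.

```python
# Added example: audit an App Service site config for the "Front Door only"
# lock-down. Field names follow the ARM site-config properties (assumed
# input shape); every sample value below is constructed.
FD_TAG = "AzureFrontDoor.Backend"
FD1_ID = "00000000-0000-0000-0000-000000000001"  # placeholder Front Door ID

def audit_front_door_lockdown(site_config, expected_fdid):
    """Return findings; an empty list means only the Front Door profile
    with ID expected_fdid can reach the app."""
    findings = []
    rules = site_config.get("ipSecurityRestrictions") or []
    allows = [r for r in rules if str(r.get("action", "")).lower() == "allow"]
    fd_rules = [r for r in allows
                if r.get("tag") == "ServiceTag" and r.get("ipAddress") == FD_TAG]
    if not fd_rules:
        findings.append(f"no Allow rule for service tag {FD_TAG}")
    for r in fd_rules:
        # HTTP header names are case-insensitive, so normalise before lookup.
        headers = {k.lower(): v for k, v in (r.get("headers") or {}).items()}
        fdids = sorted(v.lower() for v in headers.get("x-azure-fdid", []))
        if not fdids:
            findings.append(f"{r.get('name')}: no X-Azure-FDID filter, any Front Door profile passes")
        elif fdids != [expected_fdid.lower()]:
            findings.append(f"{r.get('name')}: X-Azure-FDID filter is not pinned to the expected profile")
    for r in allows:
        if r not in fd_rules:
            findings.append(f"{r.get('name')}: allows {r.get('ipAddress')} to bypass Front Door")
    # Assumption: a missing default action is treated as "not denied".
    default = site_config.get("ipSecurityRestrictionsDefaultAction", "Allow")
    if str(default).lower() != "deny":
        findings.append("unmatched traffic is not denied")
    return findings

def fd_rule(headers=None):
    """Build the constructed Allow rule for the Front Door service tag."""
    rule = {"name": "Allow-FD1", "priority": 100, "action": "Allow",
            "tag": "ServiceTag", "ipAddress": FD_TAG}
    if headers:
        rule["headers"] = headers
    return rule

LOCKED = {"ipSecurityRestrictionsDefaultAction": "Deny",
          "ipSecurityRestrictions": [fd_rule({"x-azure-fdid": [FD1_ID]})]}
TAG_ONLY = {"ipSecurityRestrictionsDefaultAction": "Deny",
            "ipSecurityRestrictions": [fd_rule()]}
OPEN = {"ipSecurityRestrictions": [
    {"name": "Allow all", "priority": 2147483647, "action": "Allow", "ipAddress": "Any"}]}

if __name__ == "__main__":
    for label, cfg in (("locked", LOCKED), ("tag only", TAG_ONLY), ("open", OPEN)):
        print(label, audit_front_door_lockdown(cfg, FD1_ID))
```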