You have resources in three Azure regions. Each region contains two virtual machines. Each virtual machine has a public IP address assigned to its network interface and a locally installed application named App1.
You plan to implement Azure Front Door-based load balancing across all the virtual machines.
You need to ensure that App1 on the virtual machines will only accept traffic routed from Azure Front Door.
What should you implement?
A. Azure Private Link
B. Service endpoints
C. Network security groups (NSGs) with service tags
D. Network security groups (NSGs) with application security groups

Correct answer: C
Configure IP ACLing for your backends to accept traffic from Azure Front Door's backend IP address space and Azure's infrastructure services only. Refer to the IP details below for ACLing your backend:
-> Refer to the AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's IPv4 backend IP address range, or use the service tag AzureFrontDoor.Backend in your network security groups.
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq

To ensure that App1 on the virtual machines only accepts traffic routed from Azure Front Door, we need a network security control that restricts inbound traffic to the virtual machines, so the correct answer is either C or D. Because the allowed source must be Azure Front Door, a globally distributed reverse proxy, the NSG rule has to reference the Azure Front Door service tag. Thus, the correct answer is C, network security groups (NSGs) with service tags.
Option A, Azure Private Link, is not relevant in this scenario because it provides secure access to services over a private endpoint in your VNet. It is used to access Azure PaaS services privately and securely from your VNet.
Option B, service endpoints, is used to extend the VNet connectivity to Azure services over a private link. It ensures that the traffic between the VNet and the Azure service remains on the Microsoft Azure backbone network. However, this is not the best solution in this scenario because it does not provide a way to restrict traffic only to Azure Front Door.
Option D, network security groups (NSGs) with application security groups, can be used to group virtual machines and create security rules that allow or deny traffic between them. However, this option is not the best fit for this scenario as we need to allow traffic only from Azure Front Door, which can't be defined by application security groups.
In conclusion, the best solution to ensure that App1 on the virtual machines only accepts traffic routed from Azure Front Door is to implement network security groups (NSGs) with service tags.
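The following added example (not part of the original question or answer) simulates how an inbound NSG rule set built on the AzureFrontDoor.Backend service tag decides an incoming packet: the tag is resolved from a constructed stand-in for the Azure IP Ranges and Service Tags download, and the rules are evaluated in priority order. The prefixes are documentation ranges, not Front Door's real address space; in Azure the platform resolves the tag for you.

```python
import ipaddress
import json

# Constructed stand-in for the "Azure IP Ranges and Service Tags" download.
# These are RFC 5737 documentation prefixes, NOT Front Door's real ranges.
SERVICE_TAGS_JSON = json.dumps({
    "values": [
        {"name": "AzureFrontDoor.Backend",
         "properties": {"addressPrefixes": ["198.51.100.0/24", "203.0.113.0/25"]}},
        {"name": "AzureLoadBalancer",
         "properties": {"addressPrefixes": ["168.63.129.16/32"]}},
    ]
})

def load_service_tags(raw):
    """Map service tag name -> list of IP networks it currently expands to."""
    data = json.loads(raw)
    return {v["name"]: [ipaddress.ip_network(p) for p in v["properties"]["addressPrefixes"]]
            for v in data["values"]}

# Inbound NSG rules for the App1 NICs; the lowest priority number wins.
# Rule 100 is the one the answer describes; 110 keeps platform health
# probes working; 4096 explicitly drops everything else from the Internet.
NSG_RULES = [
    {"priority": 100, "access": "Allow", "source": "AzureFrontDoor.Backend", "ports": {443}},
    {"priority": 110, "access": "Allow", "source": "AzureLoadBalancer", "ports": None},
    {"priority": 4096, "access": "Deny", "source": "Internet", "ports": None},
]

def source_matches(source, ip, tags):
    # Simplification: the Internet tag is treated as "any source" because the
    # example only evaluates traffic arriving on the public IP.
    if source == "Internet":
        return True
    return any(ip in net for net in tags.get(source, []))

def evaluate(src_ip, dst_port, rules, tags):
    """Return "Allow" or "Deny" for a packet from src_ip to dst_port."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["ports"] is not None and dst_port not in rule["ports"]:
            continue
        if source_matches(rule["source"], ip, tags):
            return rule["access"]
    return "Deny"  # NSG default for inbound traffic when no custom rule matched
```

The service tag admits traffic from any Front Door profile, not only yours, so App1 should additionally compare the X-Azure-FDID request header against your own Front Door ID.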