Governance Policies Integration Frontend Backend - Azure/az-prototype GitHub Wiki
Governance policies for Frontend Backend
Domain: integration
| Name | Description |
|---|---|
| SWA with linked Container App backend | Static Web App routing /api/* to Container App via linked backend with auth passthrough |
| Front Door with split frontend/API routing | Front Door with separate origin groups for SWA frontend (cached) and API backend (uncached, private link) |
| Easy Auth with Entra ID | Platform-level authentication via Easy Auth v2 with Entra ID OpenID Connect provider |
| Anti-pattern | Instead |
|---|---|
| Do not serve APIs to browser-based frontends without CORS restrictions | Configure an explicit allowed-origins list matching the frontend domain(s); never reflect the request's Origin header or combine a wildcard origin with credentials |
| Do not expose backend services directly without CDN or gateway | Use Front Door or SWA linked backend for frontend-to-API routing |
| Do not use default GitHub auth for enterprise applications | Configure custom Entra ID authentication via Easy Auth or MSAL |
- Static Web Apps linked backends
- Front Door origin groups
- App Service Easy Auth
- Static Web Apps custom authentication
- Container Apps CORS policy
| Check | Severity | Description |
|---|---|---|
| CC-INT-FB-001 | Required | Configure Static Web App with linked backend API for managed API routing and authentication passthrough |
| CC-INT-FB-002 | Required | Configure CORS with explicit allowed origins on all API backends serving browser-based frontends |
| CC-INT-FB-003 | Required | Configure Azure Front Door or CDN with origin groups for frontend + API backend routing |
| CC-INT-FB-004 | Required | Configure authentication using Easy Auth (App Service/Functions) or MSAL (SPA) with Entra ID |
Configure Static Web App with linked backend API for managed API routing and authentication passthrough
Severity: Required
Rationale: A linked backend gives SWA managed routing of /api/* to the API backend, so browser calls stay same-origin; the SWA-authenticated user's principal is forwarded to the backend in the x-ms-client-principal header. That header is only trustworthy for requests that arrive through SWA, so the backend's own endpoint should not be callable directly by clients
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.Web/staticSites
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.Network/frontDoors
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Web/staticSites/linkedBackends | api-backend | Linked backend routing /api/* requests from SWA to Container App or Functions |
| Microsoft.ManagedIdentity/userAssignedIdentities | id-api | User-assigned managed identity for the API backend |
Configure CORS with explicit allowed origins on all API backends serving browser-based frontends
Severity: Required
Rationale: An over-permissive policy (reflecting the request's Origin header, or allowing credentials from every origin) lets any site call the API from the victim's browser, while a missing or too-narrow allow-list blocks the legitimate frontend. Calls the frontend makes to /api/* through the same SWA or Front Door host are same-origin and need no CORS entry; the allow-list on the backend's own ingress governs direct calls to its FQDN
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.Web/staticSites
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.Network/frontDoors
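The following Bicep is an added example for CC-INT-FB-001 and CC-INT-FB-002 together; it is not code from the az-prototype repository. It deploys a Standard-plan Static Web App, a Container App whose ingress CORS policy allows only the SWA's own hostname plus one custom domain, and the linked backend that routes /api/* from the SWA to the Container App. The resource names, the `environmentId` parameter, the quickstart image and the custom domain `app.contoso.example` are assumptions.

```bicep
// Added example (not from the az-prototype repo): SWA + Container App linked
// backend (CC-INT-FB-001) with an explicit CORS allow-list on the Container
// App ingress (CC-INT-FB-002). Names and parameters are illustrative.
param location string = resourceGroup().location
param swaName string = 'swa-frontend'
param apiName string = 'ca-api'
param environmentId string   // existing Microsoft.App/managedEnvironments resource ID (assumed)
param apiImage string = 'mcr.microsoft.com/k8se/quickstart:latest'

resource swa 'Microsoft.Web/staticSites@2022-09-01' = {
  name: swaName
  location: location
  // Linked backends require the Standard plan; the Free plan does not support them.
  sku: {
    name: 'Standard'
    tier: 'Standard'
  }
  properties: {}
}

resource api 'Microsoft.App/containerApps@2023-05-01' = {
  name: apiName
  location: location
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      ingress: {
        external: true   // SWA reaches the linked backend over the app's public FQDN
        targetPort: 8080
        transport: 'auto'
        corsPolicy: {
          // Explicit allow-list only: no '*' and no reflection of arbitrary
          // Origin values. Calls through the SWA host itself are same-origin
          // and never hit this policy; it governs direct calls to the FQDN.
          allowedOrigins: [
            'https://${swa.properties.defaultHostname}'
            'https://app.contoso.example'   // assumed custom domain of the SWA
          ]
          allowedMethods: [ 'GET', 'POST', 'PUT', 'DELETE', 'OPTIONS' ]
          allowedHeaders: [ 'Authorization', 'Content-Type' ]
          allowCredentials: true
          maxAge: 600
        }
      }
    }
    template: {
      containers: [
        {
          name: 'api'
          image: apiImage
          resources: { cpu: json('0.25'), memory: '0.5Gi' }
        }
      ]
    }
  }
}

// Routes /api/* from the SWA to the Container App; the SWA forwards the
// signed-in user's principal in the x-ms-client-principal header.
resource linkedBackend 'Microsoft.Web/staticSites/linkedBackends@2022-09-01' = {
  parent: swa
  name: 'api-backend'
  properties: {
    backendResourceId: api.id
    region: location
  }
}
```

The weak variant this replaces is `allowedOrigins: [ '*' ]` (or a policy that echoes whatever Origin the request carries): browsers refuse `*` together with credentials, but a reflected origin with `allowCredentials: true` lets any site call the API with the user's cookies. Deploy with `az deployment group create -f main.bicep -p environmentId=<id>` and check the linked backend with `az staticwebapp backends show`.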
Configure Azure Front Door or CDN with origin groups for frontend + API backend routing
Severity: Required
Rationale: Front Door provides global load balancing, WAF protection, and edge caching; separate origin groups let static content be cached and health-probed differently from the API, which is served uncached. Origin groups, routes and security policies are Front Door Standard/Premium constructs (Microsoft.Cdn/profiles); Private Link to the API origin requires the Premium SKU
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Web/staticSites
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.Network/frontDoors
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Cdn/profiles/originGroups | og-frontend | Origin group for static frontend with health probes |
| Microsoft.Cdn/profiles/afdEndpoints/routes | route-frontend | Route for /* to frontend origin group with caching enabled |
| Microsoft.Cdn/profiles/securityPolicies | waf-policy | WAF security policy applied to the Front Door endpoint |
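The following Bicep is an added example for CC-INT-FB-003 and is not code from the az-prototype repository. It builds a Front Door Premium profile with the `og-frontend` group and `route-frontend`/`waf-policy` from the table above, and adds an `og-api` group and `route-api` (names assumed here, matching the split described in the pattern) that reach the Container App uncached over Private Link. The hostnames, the environment ID used as the Private Link target, the `/healthz` probe path and the WAF policy ID are assumptions supplied as parameters.

```bicep
// Added example (not from the az-prototype repo): Front Door Premium profile
// with a cached SWA origin group and an uncached, Private Link API origin
// group (CC-INT-FB-003). Names and parameters are illustrative assumptions.
param location string = resourceGroup().location
param swaHostname string        // SWA default hostname, e.g. <name>.azurestaticapps.net
param apiHostname string        // Container App FQDN
param apiEnvironmentId string   // Container Apps environment used as the Private Link target (assumed)
param wafPolicyId string        // existing Front Door WAF policy resource ID (assumed)

resource profile 'Microsoft.Cdn/profiles@2023-05-01' = {
  name: 'afd-app'
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' }   // Private Link origins need Premium
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
  parent: profile
  name: 'app'
  location: 'global'
}

// Separate groups so static and API traffic get different caching, probes and network paths.
resource ogFrontend 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: profile
  name: 'og-frontend'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3 }
    healthProbeSettings: { probePath: '/', probeRequestType: 'HEAD', probeProtocol: 'Https', probeIntervalInSeconds: 100 }
  }
}

resource originFrontend 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: ogFrontend
  name: 'swa'
  properties: { hostName: swaHostname, originHostHeader: swaHostname }
}

resource ogApi 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: profile
  name: 'og-api'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3 }
    healthProbeSettings: { probePath: '/healthz', probeRequestType: 'GET', probeProtocol: 'Https', probeIntervalInSeconds: 30 }
  }
}

resource originApi 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: ogApi
  name: 'api'
  properties: {
    hostName: apiHostname
    originHostHeader: apiHostname
    // Private Link: Front Door reaches the API without traversing the public
    // internet. The connection must be approved on the environment after deploy.
    sharedPrivateLinkResource: {
      privateLink: { id: apiEnvironmentId }
      groupId: 'managedEnvironments'
      privateLinkLocation: location
      requestMessage: 'Front Door access to API'
    }
  }
}

// Front Door picks the most specific path, so /api/* goes to og-api, all else to og-frontend.
resource routeFrontend 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
  parent: endpoint
  name: 'route-frontend'
  dependsOn: [ originFrontend ]
  properties: {
    originGroup: { id: ogFrontend.id }
    patternsToMatch: [ '/*' ]
    supportedProtocols: [ 'Https' ]
    httpsRedirect: 'Enabled'
    forwardingProtocol: 'HttpsOnly'
    linkToDefaultDomain: 'Enabled'
    cacheConfiguration: { queryStringCachingBehavior: 'IgnoreQueryString', compressionSettings: { isCompressionEnabled: true } }
  }
}

resource routeApi 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
  parent: endpoint
  name: 'route-api'
  dependsOn: [ originApi ]
  properties: {
    originGroup: { id: ogApi.id }
    patternsToMatch: [ '/api/*' ]
    supportedProtocols: [ 'Https' ]
    httpsRedirect: 'Enabled'
    forwardingProtocol: 'HttpsOnly'
    linkToDefaultDomain: 'Enabled'
    // no cacheConfiguration: API responses are never cached at the edge
  }
}

resource waf 'Microsoft.Cdn/profiles/securityPolicies@2023-05-01' = {
  parent: profile
  name: 'waf-policy'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: { id: wafPolicyId }
      associations: [ { domains: [ { id: endpoint.id } ], patternsToMatch: [ '/*' ] } ]
    }
  }
}

// Put this ID in the SWA's staticwebapp.config.json forwardingGateway.requiredHeaders
// (X-Azure-FDID) so the SWA rejects requests that bypass Front Door.
output frontDoorId string = profile.properties.frontDoorId
```

Without the `frontDoorId` lock on the SWA, the WAF and the split routing can be bypassed by calling the SWA hostname directly; with Private Link on the API origin the same bypass is closed for the backend because its public FQDN is no longer the path Front Door uses.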
Configure authentication using Easy Auth (App Service/Functions) or MSAL (SPA) with Entra ID
Severity: Required
Rationale: Authentication must be enforced at the platform or application level; Easy Auth validates the Entra ID token before the request reaches application code, so no code changes are needed. For an API, set the unauthenticated-client action to return 401 rather than redirect to a login page, and restrict allowed audiences to the API's own application ID URI; an SPA acquires that token with MSAL
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.Web/staticSites
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.Network/frontDoors
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Web/sites/config | authsettingsV2 | Easy Auth v2 configuration for App Service with Entra ID provider |
| Microsoft.Web/staticSites/config | appsettings | SWA app settings containing auth client ID and Key Vault-backed client secret |
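The following Bicep is an added example for CC-INT-FB-004 and is not code from the az-prototype repository. It applies the `authsettingsV2` configuration from the table above to an existing App Service API with Entra ID as the only provider, returning 401 to unauthenticated clients, accepting only tokens whose audience is the API's application ID URI, and limiting callers to the frontend's app registration. The web app name, client IDs, Key Vault name and secret name `api-client-secret` are assumptions; the App ID URI is assumed to be the default `api://<clientId>`.

```bicep
// Added example (not from the az-prototype repo): Easy Auth v2 on an App
// Service API with Entra ID (CC-INT-FB-004). Names and IDs are illustrative.
param webAppName string
param tenantId string = subscription().tenantId
param apiClientId string    // app registration of the API (assumed)
param spaClientId string    // app registration of the MSAL frontend (assumed)
param keyVaultName string   // vault holding secret 'api-client-secret' (assumed)

resource app 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

// The client secret never sits in the template: the app setting is a Key Vault
// reference resolved by the app's managed identity. Note that this resource
// replaces the whole app-settings set; merge with existing settings in practice.
resource settings 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: app
  name: 'appsettings'
  properties: {
    MICROSOFT_PROVIDER_AUTHENTICATION_SECRET: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=api-client-secret)'
  }
}

resource auth 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: app
  name: 'authsettingsV2'
  dependsOn: [ settings ]
  properties: {
    platform: { enabled: true, runtimeVersion: '~1' }
    globalValidation: {
      requireAuthentication: true
      // An API answers 401 instead of redirecting browsers to a login page.
      unauthenticatedClientAction: 'Return401'
    }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: {
          openIdIssuer: 'https://login.microsoftonline.com/${tenantId}/v2.0'
          clientId: apiClientId
          clientSecretSettingName: 'MICROSOFT_PROVIDER_AUTHENTICATION_SECRET'
        }
        validation: {
          // Only tokens minted for this API are accepted (aud claim), and only
          // when the calling application is the SPA registration (appid/azp).
          allowedAudiences: [ 'api://${apiClientId}' ]
          defaultAuthorizationPolicy: { allowedApplications: [ spaClientId ] }
        }
      }
    }
    login: { tokenStore: { enabled: true } }
    httpSettings: { requireHttps: true }
  }
}
```

The weak variant of this configuration leaves `allowedAudiences` empty and `unauthenticatedClientAction` at `RedirectToLoginPage`: any Entra token for any app in the tenant would then be accepted, and API clients would receive HTML redirects instead of 401. Verify after deployment with `az webapp auth show -n <app> -g <rg>` and by calling the API with no Authorization header, which must return 401.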