Error: RestrictedIP
Azure Front Door, Microsoft’s CDN solution, enables content delivery across the globe. This includes configuring “Origins” or “Origin Groups”. Essentially, an origin is the backend from which the delivered content comes.
Even after a seemingly successful configuration, the error message RestrictedIP can appear in the logs.
Cause of the Error
The official documentation from Microsoft is not very informative for me.
RestrictedIP: The request was blocked because of restricted IP address.
The reason this happened to me is that I entered a private IP address, but Azure Front Door does not have VNet integration. Therefore, Azure Front Door cannot communicate with a private IP address (even if the spoke networks are peered with the hub).
Correct Configuration of Origins
Essentially, there are two ways to configure origins correctly.
Preferred Option: Private Link Origin
The best option (especially from a security perspective) is configuration using Private Link. A detailed description is available in the Microsoft documentation. This currently works with the following services:
- Internal Load Balancer
- Storage Account
- Storage Static Website
- App Service
- Application Gateway
- API Management
- Container App
Second Option: Public Origin
There is, of course, also the option to configure origins that are accessible via a public IP.
This is not optimal from a security/architecture perspective, as the endpoint (e.g., of a Storage Account) is exposed even though it should actually only be accessible via Azure Front Door (at least that’s what I would assume).
However, if Private Link is not possible for the service, or it is ruled out for other reasons, this is still a viable implementation approach. The public endpoint of the backend (origins) can usually be further secured, for example, with a Network Security Group.
The inbound rule can be restricted to the AzureFrontDoor.Backend service tag. This at least restricts access so that only Front Door can reach the public endpoint of the origins.
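A pre-deployment check for the two cases described in this post, as an added example that is not part of the original post or of any Azure SDK: it flags origins that point at a private address without Private Link (the RestrictedIP cause) and public origins that still need the AzureFrontDoor.Backend restriction. The `Origin` class, the verdict names and the sample data are hypothetical, and treating Python's `is_private` ranges (and host names that resolve into them) as what Front Door rejects is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Origin:                      # hypothetical model, not an Azure SDK type
    name: str
    host: str                      # host name or IP literal entered for the origin
    private_link: bool = False     # True if the origin is a Private Link origin

ADVICE = {
    "ok-private-link": "reached over Private Link",
    "restricted-ip-risk": "private address without Private Link: expect RestrictedIP",
    "public-needs-lockdown": "public origin: allow inbound only from AzureFrontDoor.Backend",
}

def addresses(host, resolved):
    """IP literal -> [that address]; host name -> addresses supplied in `resolved`."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolved.get(host, [])]

def review_origin(origin, resolved=None):
    """Classify one origin; no DNS lookups are made, `resolved` is caller-supplied."""
    if origin.private_link:
        return "ok-private-link"
    # Assumption: is_private approximates the addresses Front Door cannot reach.
    if any(a.is_private for a in addresses(origin.host, resolved or {})):
        return "restricted-ip-risk"
    return "public-needs-lockdown"

def review(origins, resolved=None):
    """Return {origin name: verdict} for a list of origins."""
    return {o.name: review_origin(o, resolved) for o in origins}

# Constructed sample data (not from a real tenant).
SAMPLE = [
    Origin("spoke-vm", "10.20.1.4"),
    Origin("ilb", "10.20.2.10", private_link=True),
    Origin("storage", "contoso.blob.core.windows.net"),
    Origin("split-dns", "app.corp.example"),
]
SAMPLE_DNS = {"app.corp.example": ["192.168.5.7"]}

if __name__ == "__main__":
    for name, verdict in review(SAMPLE, SAMPLE_DNS).items():
        print(f"{name:10} {verdict:22} {ADVICE[verdict]}")
```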