az webapp config access-restriction does not support more than one Front Door ID in X-Azure-FDID

[vhhughes]

This is autogenerated. Please review and update as needed.

Describe the bug

When adding a Networking Access Restriction rule for an App Service or Function App in the Azure Portal, the informational pop-up for the X-Azure-FDID field of the "Edit rule" window says "You can specify a unique instance id of Azure Font Door or reverse proxies supporting unique header identification. Enter up to 8 ids separated by a comma". And it works as described. When I try the equivalent in the Azure CLI, it fails if I use more than one Front Door ID.

Specifically, the az webapp config access-restriction add incorrectly limits the length of the --http-header parameter value to 64 characters, when it should be much longer. With each Front Door ID being 36 characters in length, the CLI should allow a value at least 295 characters in length. I only need to specify two Front Door IDs, but even that (74 characters) is too long for a 64-character limit. I can only currently specify one Front Door ID via the Azure CLI.

Command Name
az webapp config access-restriction add

Errors:

From calling it with --debug: 

DEBUG: cli.azure.cli.core.sdk.policies: {"Code":"BadRequest","Message":"Headers is invalid.  The number of 'x-azure-fdid' exceeeds maximum 64 length!","Target":null,"Details":[{"Message":"Headers is invalid.  The number of 'x-azure-fdid' exceeeds maximum 64 length!"},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"51021","MessageTemplate":"{0} is invalid.  {1}","Parameters":["Headers","The number of 'x-azure-fdid' exceeeds maximum 64 length!"],"Code":"BadRequest","Message":"Headers is invalid.  The number of 'x-azure-fdid' exceeeds maximum 64 length!"}}],"Innererror":null}
DEBUG: cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
DEBUG: cli.azure.cli.core.util: Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/appservice/access_restrictions.py", line 84, in add_webapp_access_restriction
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/appservice/_appservice_utils.py", line 21, in _generic_site_operation
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/web/v2022_03_01/operations/_web_apps_operations.py", line 20460, in update_configuration
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Bad Request'

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• az webapp config access-restriction add --resource-group myRG --name myApp --action Allow --rule-name "Allow FrontDoor" --description "Some description" --priority 100 --service-tag AzureFrontDoor.Backend --http-header "x-azure-fdid=2876cff1-35e4-4d99-3ab2-e7a58ceb29c8,57904174-937f-4efb-b94f-4c03dbb675d0"

Expected Behavior

Creates a Network Access Restriction Rule with multiple, comma-delimited Front Door IDs in the X-Azure-FDID field.

Environment Summary

Windows-10-10.0.19044-SP0
Python 3.10.5
Installer: MSI

azure-cli 2.41.0

Extensions:
application-insights 0.1.16
cosmosdb-preview 0.19.0
datafactory 0.6.0
front-door 1.0.16

Dependencies:
msal 1.20.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

[yonzhan]

route to CXP team

[vhhughes]

Any update? Or workaround? We're trying to adopt quite a number of Front Door Premium skus but are currently blocked due to this. I can't manually update many hundreds of App Services via the Azure Portal.

[vhhughes]

route to CXP team

Is that something I need to do? If so, how do I contact the CXP team?

[madsd]

@vhhughes This is already possible. You need to specify each header space separated with name=value as mentioned in the help description

az webapp config access-restriction add --resource-group myRG --name myApp --action Allow --rule-name "Allow FrontDoor" --description "Some description" --priority 100 --service-tag AzureFrontDoor.Backend --http-header x-azure-fdid=2876cff1-35e4-4d99-3ab2-e7a58ceb29c8 x-azure-fdid=57904174-937f-4efb-b94f-4c03dbb675d0

You can have up to 8 values per header name for each rule.

#please-close

[vhhughes]

Hi @madsd. I saw that listed for az webapp config access-restriction, but it is not at all clear there how to supply the CLI with multiple values for that one, particular header. It does not suggest the same header can be specified more than once. I would suggest the documentation be updated, so others don't also spend months trying to figure this out. Thanks.

[madsd]

Sorry about that. I can take an action to update the help text with an example of two values for one header - similar to the one I added in my previous comment.