How Can I Secure My Azure Backend to Only Accept Traffic from My Static Web App?

From an Azure architecture standpoint, a Private Application Gateway could be a good solution. This would keep your backend web app isolated so it can only accept traffic from your private network. Just make sure both your static web app and backend are connected to the same Virtual Network (VNet), and consider setting up a Private DNS solution for optimal access.

You might consider using Cloudflare for your domain management and traffic filtering. They can handle DDoS protection and SSL termination, and once you've set that up, you could configure your backend to only accept traffic from your specific Cloudflare account. Just a heads up, you would still need someone from your IT team to manage the DNS and domain aspects. If they're capable, it could be a smoother path! I dealt with something similar and can tell you it takes time, but it can help streamline the process in the long run.

Keep in mind that your static web app runs in the users' browsers, which means it’s exposed on the public internet. While you can use a Web Application Firewall (WAF) for some filtering, your backend will remain accessible to the internet. It's tough to completely prevent that access. However, if your frontend has security measures, like a login system and firewalls, that might serve for your current needs.

If you want to control access more tightly, setting up an API Gateway or Backend for Frontend (BFF) API might be your best bet. This can help you manage requests more securely between your frontend and backend.