After Lab 2.1 — Recap
25/05/2026Less than 1 minute
After Lab 2.1 — Recap
You mapped the exposure of every component and found that four have public endpoints — but two of them should not.
| Component | Public endpoint? | Should be public? |
|---|---|---|
| Frontend | Yes | Yes |
| Public Backend API | Yes | Yes |
| Internal Backend Service | Yes | No |
| DB Storage Account | Yes | No |
The direct path to the internal backend bypasses any authentication, rate limiting, or input validation enforced by the public API. The DB storage account with public access enabled means a leaked connection string or access key is usable from anywhere.
Key takeaway
A service is not private because we call it "backend" or "internal". If it has a public URL, IP and is accessable by anyone over the internet, it is public.
Bridge to Lab 2.2
In the next lab, we prove the problem — calling the internal backend directly and observing what happens.