Before Lab 2.2 — Service-to-Service Exposure
Before Lab 2.2 — Service-to-Service Exposure
In Lab 2.2, you will prove that the internal backend service is directly reachable.
Service-to-service communication
In a multi-layer application, services communicate with each other:
Public Backend API → Internal Backend Service → Data LayerThis communication is internal and should not be exposed to the public internet. But an Azure App Service always gets a public hostname — https://<name>.azurewebsites.net — reachable from anywhere by default.
Expected caller header
The Day 2 application uses an expected caller header as a teaching mechanism. When the public backend calls the internal backend it adds:
X-Internal-Caller: backend-apiThe internal backend checks for this header and logs whether the call came through the expected path or directly from outside.
This is not a security control
The expected caller header is a teaching tool, not real security.
Any caller can add this header. Real network segmentation is done at the infrastructure level.
What to look for in Lab 2.2
Lab 2.2 checklist
Lab focus
In Lab 2.2, do not fix the architecture yet.
Your goal is to demonstrate the problem and observe the logs.