After Lab 2.2 — Recap
25/05/2026Less than 1 minute
After Lab 2.2 — Recap
You made two calls — one through the public API, one directly to the internal backend. Both worked.
The logs show the difference:
{ "event": "internal-service-expected-call", "expectedPath": true }{ "event": "internal-service-direct-access-detected", "expectedPath": false }The internal backend cannot stop the direct call. It can only log that it happened.
| Approach | What it does | Is it enough? |
|---|---|---|
| Expected caller header | Classifies calls | No — any caller can add it |
| Structured logging | Records what happened | No — does not block anything |
| Network segmentation | Blocks unauthorized paths | Yes |
Key takeaway
Logging tells us what happened. Network segmentation stops it from happening.
Note
You also learned to use the Storage Explorer a bit. The Tables in Storage Accounts are a nice (and cheap) option for very simple key-value database requirements.
Bridge to Lab 2.3
In the next lab, we restrict access so that only the public backend can call the internal backend. The direct path should be blocked; the expected path should keep working.