The correct configuration to ensure Azure App Service web apps only allow access through Azure Front Door involves configuring gateway-required virtual network integration. This approach effectively restricts the traffic to your web apps exclusively to that which is routed through the Azure Front Door service.
By enabling gateway-required virtual network integration, you create a scenario where the web app listens only to requests that originate from the specified Azure Front Door instance. This acts as an additional layer of security, ensuring that direct access to the web app is not permitted, hence influencing a strong security posture by mandating all traffic to pass through a controlled entry point.
While other options like IP whitelisting, service endpoints, and utilizing Azure Web Application Firewall have their respective roles in enhancing security, they do not strictly enforce that traffic can only come through Azure Front Door. IP whitelisting, for example, allows specific IP addresses, but doesn't effectively prevent other traffic types. Similarly, service endpoints enhance connectivity and security for Azure services but do not restrict access based solely on gateway requirements. The Azure Web Application Firewall provides protections against common web vulnerabilities but does not dictate traffic routing in the way that virtual network integration would.