I am wondering how the IP restrictions in Azure App Service work. The documentation states:
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
"The IP Restrictions capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, IP Restrictions are effectively network ACLs."
But they are not network ACLs; they are firewall rules on a different machine. Is that a valid statement?
Is there any way to configure extended ACLs (with port based rules) if that is not the case?
Azure web apps only have ports 80 and 443 open, so there really is no way to do port-based rules. If you really want to lock down your web app, you can disable the FTP functionality in the Application Settings, and you can force HTTPS under the Custom Domain settings. Additionally, if you want to apply Network Security Groups to a Web App, you can deploy it to an App Service Environment (ASE v2), which is an isolated instance that can be deployed with a private IP.
You can also use an Application Gateway with Web Application Firewall (WAF) to protect your web app. If you are planning on using an App Gateway with a multi-tenant web app (non-ASE), see our documentation here.
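The hardening the answer walks through (an IP allow list evaluated on the front-end roles, FTP disabled, HTTPS enforced) expressed as a single Bicep resource. This is an added example, not code from the original thread or from Microsoft's documentation; the site name, plan resource ID and allowed address range are placeholders.

```bicep
// Added example: an App Service with front-end IP restrictions, FTP disabled
// and HTTPS forced. Names and the allowed range below are placeholders.
param location string = resourceGroup().location
param planId string                           // resource ID of an existing App Service plan (placeholder)
param allowedCidr string = '203.0.113.0/24'   // constructed example range (TEST-NET-3)

resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example-webapp'                      // placeholder site name
  location: location
  properties: {
    serverFarmId: planId
    httpsOnly: true                           // "force HTTPS": plain HTTP is redirected
    siteConfig: {
      ftpsState: 'Disabled'                   // turn off the FTP/FTPS deployment endpoint
      minTlsVersion: '1.2'
      // Evaluated on the front-end roles, upstream of the worker: the rules
      // filter by source IP on the only listening ports (80/443), so there is
      // no per-port granularity to configure here.
      ipSecurityRestrictions: [
        {
          name: 'allow-office'
          action: 'Allow'
          priority: 100
          ipAddress: allowedCidr
        }
        {
          name: 'deny-all'                    // explicit catch-all deny at lowest priority
          action: 'Deny'
          priority: 2147483647
          ipAddress: 'Any'
        }
      ]
      // Apply the same list to the Kudu/SCM endpoint so it is not left open
      // while the main site is restricted.
      scmIpSecurityRestrictionsUseMain: true
    }
  }
}
```

The access restrictions and httpsOnly settings cover the multi-tenant service; NSG-level control still requires an App Service Environment as the answer notes.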