How to secure a node.js server on Azure App Service

I’m trying to secure access to my App Service on Azure. I have read the doc about this:

However, I don’t understand where the local service is started between the Dockerfile and start.sh in those instructions.

My app service is a Node.js server, and my Dockerfile before enabling Tailscale looks like this:

FROM node:lts-alpine
ENV NODE_ENV=production
WORKDIR /usr/src/app
COPY ["package.json", "package-lock.json*", "npm-shrinkwrap.json*", "./"]
RUN npm install --production --silent && mv node_modules ../
COPY . .
EXPOSE 3000
RUN chown -R node /usr/src/app
USER node
CMD ["npm", "start"]

How would I add the tailscale setup to this?