Connect Azure Front Door Premium to a Storage Account origin with Private Link with Azure CLI
This article provides a step-by-step guide on how to configure Azure Front Door Premium to connect to your Storage Account privately using Azure Private Link with Azure CLI.
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Prerequisites:
- An active Azure subscription. Create a free account.
- A functioning Azure Front Door Premium profile, endpoint, and origin group. For setup instructions, see Create a Front Door - CLI.
- A private Storage Account. Refer to this documentation for guidance.
Note
Private endpoints require your Storage Account to meet specific requirements. For more information, see Using Private Endpoints for Azure Storage.
Enable Private Link to a Storage Account in Azure Front Door Premium
Run the az afd origin create command to create a new Azure Front Door origin. Use the following settings to configure the Storage Account for private connection. Ensure the private-link-location is in one of the available regions and the private-link-sub-resource-type is blob.
az afd origin create --enabled-state Enabled \
--resource-group myRGFD \
--origin-group-name og1 \
--origin-name mystorageorigin \
--profile-name contosoAFD \
--host-name mystorage.blob.core.windows.net \
--origin-host-header mystorage.blob.core.windows.net \
--http-port 80 \
--https-port 443 \
--priority 1 \
--weight 500 \
--enable-private-link true \
--private-link-location EastUS \
--private-link-request-message 'AFD storage origin Private Link request.' \
--private-link-resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Storage/storageAccounts/mystorage \
--private-link-sub-resource-type blob
Approve Azure Front Door Premium private endpoint connection from Azure Storage
Run the az network private-endpoint-connection list command to list the private endpoint connections for your storage account. Note the Resource ID of the private endpoint connection from the output.
az network private-endpoint-connection list --name mystorage --resource-group myRGFD --type Microsoft.Storage/storageAccounts
Run the az network private-endpoint-connection approve command to approve the private endpoint connection.
az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Storage/storageAccounts/mystorage/privateEndpointConnections/mystorage.00000000-0000-0000-0000-000000000000
After approval, it can take a few minutes for the connection to be fully established. Once established, Azure Front Door Premium can access your storage account. Public internet access to the storage account is disabled once the private endpoint is enabled.
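The listing and approval steps above approve a connection by its Resource ID. The following added example (not part of this article or the Azure CLI) parses the JSON that az network private-endpoint-connection list prints and picks out only the connection that is still Pending and whose description matches the message passed to --private-link-request-message, so that an unrelated pending request against the same storage account is not approved by mistake. The JSON shape, with the connection state nested under "properties", and the second connection ID are constructed for this example.

```python
"""Choose which private endpoint connection to approve (added example)."""
import json

# Message used in the article's az afd origin create command.
REQUEST_MESSAGE = "AFD storage origin Private Link request."

# Constructed sample of `az network private-endpoint-connection list -o json`.
# The first entry uses the ID from the article; the second is a placeholder
# for a pending request that did NOT come from our Front Door origin.
SAMPLE_LIST_OUTPUT = json.dumps([
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD"
           "/providers/Microsoft.Storage/storageAccounts/mystorage"
           "/privateEndpointConnections/mystorage.00000000-0000-0000-0000-000000000000",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Pending", "description": REQUEST_MESSAGE, "actionsRequired": "None"}}},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD"
           "/providers/Microsoft.Storage/storageAccounts/mystorage"
           "/privateEndpointConnections/mystorage.11111111-1111-1111-1111-111111111111",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Pending", "description": "unknown requester", "actionsRequired": "None"}}},
])


def _connection_state(conn):
    # Assumption: state sits under "properties"; fall back to a flat record.
    props = conn.get("properties", conn)
    return props.get("privateLinkServiceConnectionState", {})


def select_connection_to_approve(list_output, request_message=REQUEST_MESSAGE):
    """Return the ID of the single Pending connection carrying our request message.

    Raises ValueError when zero or more than one connection matches, so the
    caller never approves a request it cannot attribute to its own origin.
    """
    conns = json.loads(list_output) if isinstance(list_output, str) else list_output
    matches = [c["id"] for c in conns
               if _connection_state(c).get("status") == "Pending"
               and _connection_state(c).get("description") == request_message]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one pending connection for "
                         f"{request_message!r}, found {len(matches)}")
    return matches[0]


def approve_command(connection_id):
    """Build the argv for the approval step shown in the article."""
    return ["az", "network", "private-endpoint-connection", "approve",
            "--id", connection_id]


if __name__ == "__main__":
    print(" ".join(approve_command(select_connection_to_approve(SAMPLE_LIST_OUTPUT))))
```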
Note
If the blob or container within the storage account does not allow anonymous access, requests must be authorized. One way to authorize requests is by using shared access signatures.
Next steps
Learn more about Private Link service with storage account.