Connect Azure Front Door Premium to an App Service origin with Private Link using Azure CLI

This article guides you through configuring an Azure Front Door Premium profile to reach your App Service origin privately over Azure Private Link, using Azure CLI.

Prerequisites

  • An Azure account with an active subscription. Create an account for free.
  • A functioning Azure Front Door Premium profile with an endpoint and an origin group. For more information on how to create an Azure Front Door profile, see Create a Front Door - CLI.
  • A functioning web app that is also private, that is, reachable only through a private endpoint. Refer to this doc to learn how to set one up.

Note

Private endpoints require your App Service plan or Functions hosting plan to meet certain requirements. For more information, see Using Private Endpoints for Azure Web App.

Run az afd origin create to create a new Azure Front Door origin, using the following settings to point it at the App Service you want Azure Front Door Premium to reach privately. Note that --private-link-location must be one of the regions where Private Link is available for App Service, --private-link-resource is the Azure resource ID of the web app (a Microsoft.Web/sites resource), and --private-link-sub-resource-type must be sites. The text you pass in --private-link-request-message is shown to the App Service owner on the pending connection, so make it specific enough to recognize in the approval step.

az afd origin create --enabled-state Enabled \
                     --resource-group myRGFD \
                     --origin-group-name og1 \
                     --origin-name pvtwebapp \
                     --profile-name contosoAFD \
                     --host-name example.contoso.com \
                     --origin-host-header example.contoso.com \
                     --http-port 80 \
                     --https-port 443 \
                     --priority 1 \
                     --weight 500 \
                     --enable-private-link true \
                     --private-link-location EastUS \
                     --private-link-request-message 'AFD app service origin Private Link request.' \
                     --private-link-resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1 \
                     --private-link-sub-resource-type sites

Approve Azure Front Door Premium private endpoint connection from App Service

  1. Run az network private-endpoint-connection list to list the private endpoint connections on your web app. The output is JSON; note the id of the connection whose privateLinkServiceConnectionState.status is Pending and whose description carries the request message you set in the previous step. Approve only that connection: any Front Door Premium profile that knows your web app's resource ID can submit a connection request, and approving a request you did not make would let an unrelated profile reach your app.

    az network private-endpoint-connection list --name webapp1 --resource-group myRGFD --type Microsoft.Web/sites
    
  2. Run az network private-endpoint-connection approve to approve the private endpoint connection, passing the id you noted in the previous step.

    az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1/privateEndpointConnections/00000000-0000-0000-0000-000000000000
    
  3. Once approved, it takes a few minutes for the connection to fully establish. Azure Front Door Premium can then reach your app service over the private endpoint. App Service disables direct access from the public internet once a private endpoint is enabled, so clients must come through Front Door.
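The following script is an added example, not part of the original article or of Azure CLI itself. It runs the three steps above end to end (create the origin, wait for the pending connection, approve it) and refuses to approve anything except the single pending connection that carries the request message this run generated, so an unexpected requester is never approved by accident. It assumes the web app's default hostname <app>.azurewebsites.net as origin host and host header, that Front Door's request message is surfaced in privateLinkServiceConnectionState.description of the connection, and that the origin reports the approval in sharedPrivateLinkResource.status. The helper functions run without az; the Azure calls only happen when RUN_AFD_SETUP=1 is set.

```shell
#!/usr/bin/env sh
# Added example (not from the original article). Assumptions: default App
# Service hostname <app>.azurewebsites.net; the Front Door request message is
# surfaced in privateLinkServiceConnectionState.description; approval shows up
# in the origin's sharedPrivateLinkResource.status.

SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-myRGFD}"
PROFILE="${PROFILE:-contosoAFD}"
ORIGIN_GROUP="${ORIGIN_GROUP:-og1}"
ORIGIN="${ORIGIN:-pvtwebapp}"
APP="${APP:-webapp1}"
PL_LOCATION="${PL_LOCATION:-EastUS}"
# A unique message lets the approval step recognise this run's request.
REQUEST_MSG="AFD ${PROFILE}/${ORIGIN} Private Link request $(date -u +%Y%m%dT%H%M%SZ)"

# ARM resource ID of a web app: the sub-resource type for Private Link is "sites".
webapp_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$1" "$2" "$3"
}

# The pending list (one ID per line, as `--output tsv` prints it) must contain
# exactly one entry: zero means Front Door has not requested yet, more than one
# means a requester we did not expect is also waiting.
exactly_one_line() {
  n=$(printf '%s\n' "$1" | sed '/^$/d' | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

create_origin() {
  az afd origin create --enabled-state Enabled \
    --resource-group "$RG" --profile-name "$PROFILE" \
    --origin-group-name "$ORIGIN_GROUP" --origin-name "$ORIGIN" \
    --host-name "${APP}.azurewebsites.net" \
    --origin-host-header "${APP}.azurewebsites.net" \
    --http-port 80 --https-port 443 --priority 1 --weight 500 \
    --enable-private-link true \
    --private-link-location "$PL_LOCATION" \
    --private-link-request-message "$REQUEST_MSG" \
    --private-link-resource "$(webapp_resource_id "$SUBSCRIPTION" "$RG" "$APP")" \
    --private-link-sub-resource-type sites \
    --output none
}

# IDs of connections that are Pending AND carry our request message (JMESPath).
pending_connection_ids() {
  query="[?properties.privateLinkServiceConnectionState.status=='Pending' && properties.privateLinkServiceConnectionState.description=='${REQUEST_MSG}'].id"
  az network private-endpoint-connection list \
    --name "$APP" --resource-group "$RG" --type Microsoft.Web/sites \
    --query "$query" --output tsv
}

approve_pending() {
  attempt=0
  ids=""
  # The request can take a moment to appear on the App Service side.
  while [ "$attempt" -lt 12 ]; do
    ids=$(pending_connection_ids)
    [ -n "$ids" ] && break
    attempt=$((attempt + 1))
    sleep 10
  done
  if ! exactly_one_line "$ids"; then
    echo "expected exactly one pending connection with our message, got: ${ids:-none}" >&2
    return 1
  fi
  az network private-endpoint-connection approve --id "$ids" \
    --description "Approved for Front Door profile ${PROFILE}" --output none
  # Front Door reflects the approval on the origin (expected: Approved).
  az afd origin show --resource-group "$RG" --profile-name "$PROFILE" \
    --origin-group-name "$ORIGIN_GROUP" --origin-name "$ORIGIN" \
    --query sharedPrivateLinkResource.status --output tsv
}

main() {
  create_origin && approve_pending
}

# Only talk to Azure when explicitly asked; the helpers above work without az.
if [ "${RUN_AFD_SETUP:-0}" = "1" ]; then
  main
fi
```

Run it with RUN_AFD_SETUP=1 after az login, overriding the variables at the top for your subscription and resource names. The JMESPath filter on both status and description is the point of the script: a bare approve of "whatever is pending" would also accept a connection request from a profile you do not control.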

Next steps

Learn about Private Link service with App service.