Connect Azure Front Door Premium to an App Service origin with Private Link using Azure CLI

This article guides you through configuring Azure Front Door Premium to connect to your App Service privately using Azure Private Link with Azure CLI.

Prerequisites

Note

Private endpoints require your App Service plan or function hosting plan to meet certain requirements. For more information, see Using Private Endpoints for Azure Web App.

Run the az afd origin create command to create a new Azure Front Door origin. Use the following settings to configure the App Service that you want Azure Front Door Premium to connect to privately. Ensure that the value of --private-link-location is one of the regions available for Private Link and that --private-link-sub-resource-type is set to sites.

az afd origin create --enabled-state Enabled \
                     --resource-group myRGFD \
                     --origin-group-name og1 \
                     --origin-name pvtwebapp \
                     --profile-name contosoAFD \
                     --host-name example.contoso.com \
                     --origin-host-header example.contoso.com \
                     --http-port 80 \
                     --https-port 443 \
                     --priority 1 \
                     --weight 500 \
                     --enable-private-link true \
                     --private-link-location EastUS \
                     --private-link-request-message 'AFD app service origin Private Link request.' \
                     --private-link-resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1/appServices \
                     --private-link-sub-resource-type sites

Approve Azure Front Door Premium private endpoint connection from App Service

  1. Run the az network private-endpoint-connection list command to list the private endpoint connections for your web app. Note the Resource ID of the private endpoint connection on the first line of the output.

    az network private-endpoint-connection list --name webapp1 --resource-group myRGFD --type Microsoft.Web/sites
    
  2. Run the az network private-endpoint-connection approve command to approve the private endpoint connection.

    az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1/privateEndpointConnections/00000000-0000-0000-0000-000000000000
    
  3. Once the connection is approved, it takes a few minutes to become fully established. Azure Front Door Premium can then reach your App Service over the private endpoint. Direct access to the App Service from the public internet is disabled after the private endpoint is enabled.
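The following POSIX shell helpers are an added example and are not part of this article or the Azure CLI project. They wrap the list and approve steps above so that only the pending connection carrying the request message you passed to az afd origin create gets approved; a pending connection with a different message was not requested by your Front Door profile and should be reviewed instead. The AZ variable (assumed here so the commands can be dry-run with echo), the resource names (webapp1, myRGFD) and the SAMPLE_TSV data are assumptions or constructed values; the JMESPath property names follow the standard private endpoint connection shape returned by az network private-endpoint-connection list.

```shell
#!/bin/sh
# Added example: approve only the Front Door Premium private endpoint
# connection we asked for. AZ may be overridden (for example AZ=echo) to
# print the az commands instead of running them.
AZ="${AZ:-az}"
REQUEST_MESSAGE='AFD app service origin Private Link request.'

# List the private endpoint connections on a web app as TSV lines of
#   <connection id> <status> <request description>
# Usage: list_connections_tsv <site-name> <resource-group>
list_connections_tsv() {
  "$AZ" network private-endpoint-connection list \
    --name "$1" --resource-group "$2" --type Microsoft.Web/sites \
    --query "[].[id, properties.privateLinkServiceConnectionState.status, properties.privateLinkServiceConnectionState.description]" \
    --output tsv
}

# Read that TSV on stdin and print only the IDs of connections that are
# still Pending AND carry exactly the message we sent from Front Door.
# Usage: select_pending_connection_ids <expected-message> < tsv
select_pending_connection_ids() {
  awk -F '\t' -v msg="$1" '$2 == "Pending" && $3 == msg { print $1 }'
}

# Approve one private endpoint connection by its resource ID.
# Usage: approve_connection <connection-resource-id>
approve_connection() {
  "$AZ" network private-endpoint-connection approve --id "$1"
}

# Glue: approve every pending connection on the site that matches our
# request message; anything else is left pending for a human to inspect.
# Usage: approve_pending_afd_connections <site-name> <resource-group>
approve_pending_afd_connections() {
  list_connections_tsv "$1" "$2" \
    | select_pending_connection_ids "$REQUEST_MESSAGE" \
    | while read -r conn_id; do
        approve_connection "$conn_id"
      done
}

# Constructed sample of what list_connections_tsv returns (not real output):
# one matching pending request, one pending request from an unknown party,
# and one connection that was already approved.
SITE_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1'
SAMPLE_TSV="$(printf '%s\t%s\t%s\n' \
  "$SITE_ID/privateEndpointConnections/aaaa-pending" 'Pending'  "$REQUEST_MESSAGE" \
  "$SITE_ID/privateEndpointConnections/bbbb-unknown" 'Pending'  'Unknown requester' \
  "$SITE_ID/privateEndpointConnections/cccc-done"    'Approved' "$REQUEST_MESSAGE")"
```

To use it against a real subscription, source the file and run approve_pending_afd_connections webapp1 myRGFD; running it with AZ=echo first shows the exact az invocations without changing anything. Keeping the request message as the approval key is a cheap way to avoid approving a private endpoint connection you did not create.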

Next steps

Learn more about Private Link service with App Service.