Connect Azure Front Door Premium to an App Service origin with Private Link using Azure CLI
This article will guide you through how to configure Azure Front Door Premium tier to connect to your App service privately using the Azure Private Link service with Azure CLI.
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- An Azure account with an active subscription. Create an account for free.
- Have a functioning Azure Front Door Premium profile, an endpoint and an origin group. For more information on how to create an Azure Front Door profile, see Create a Front Door - CLI.
- Have a functioning Web App that is also private. Refer this doc to learn how to do the same.
Note
Private endpoints requires your App Service plan or function hosting plan to meet some requirements. For more information, see Using Private Endpoints for Azure Web App.
Enable Private Link to an App Service in Azure Front Door Premium
Run az afd origin create to create a new Azure Front Door origin. Enter the following settings to configure the App service you want Azure Front Door Premium to connect with privately. Notice the private-link-location
must be in one of the available regions and the private-link-sub-resource-type
must be sites.
az afd origin create --enabled-state Enabled \
--resource-group myRGFD \
--origin-group-name og1 \
--origin-name pvtwebapp \
--profile-name contosoAFD \
--host-name example.contoso.com \
--origin-host-header example.contoso.com \
--http-port 80 \
--https-port 443 \
--priority 1 \
--weight 500 \
--enable-private-link true \
--private-link-location EastUS \
--private-link-request-message 'AFD app service origin Private Link request.' \
--private-link-resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1/appServices\
--private-link-sub-resource-type sites
Approve Azure Front Door Premium private endpoint connection from App Service
Run az network private-endpoint-connection list to list the private endpoint connections for your web app. Note down the
Resource ID
of the private endpoint connection available in the first line of the output.az network private-endpoint-connection list --name webapp1 --resource-group myRGFD --type Microsoft.Web/sites
Run az network private-endpoint-connection approve to approve the private endpoint connection
az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1/privateEndpointConnections/00000000-0000-0000-0000-000000000000
Once approved, it will take a few minutes for the connection to fully establish. You can now access your app service from Azure Front Door Premium. Direct access to the App Service from the public internet gets disabled after private endpoint gets enabled.
Next steps
Learn about Private Link service with App service.