Connect Azure Front Door Premium to an Azure Application Gateway with Private Link (Preview)
This article guides you through the steps to configure an Azure Front Door Premium to connect privately to your Azure Application Gateway using Azure Private Link.
Prerequisites
An Azure account with an active subscription. Create an account for free.
Have a functioning Azure Front Door Premium profile and an endpoint. For more information on how to create an Azure Front Door profile, see Create a Front Door.
Have a functioning Azure Application Gateway. For more information on how to create an Application Gateway, see Direct web traffic with Azure Application Gateway using Azure portal.
Enable private connectivity to Azure Application Gateway
- Follow the instructions in Configure Azure Application Gateway Private Link, but don't complete the final step of creating a private endpoint.
- Go to your Application Gateway's Overview tab and note down the Resource group name and Subscription ID.
- From the Overview tab, navigate to the Application Gateway's virtual network.
- Under Settings, select 'Connected devices'
- Note down the name of the device with type as 'Private link service'.
- Construct the resource ID of the private link service using the values from the previous steps. The format is "subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Network/privateLinkServices/{Private-link-service-name}". This resource ID is used while configuring the Front Door origin.
Create an origin group and add the application gateway as an origin
In your Azure Front Door Premium profile, go to Settings and select Origin groups.
Select Add.
Enter a name for the origin group.
Select + Add an origin.
Use the following table to configure the settings for the origin:
Setting | Value |
---|---|
Name | Enter a name to identify this origin. |
Origin Type | Custom |
Host name | Enter the hostname of the listener of your Application Gateway. |
Origin host header | Enter the hostname of the listener of your Application Gateway. |
HTTP port | 80 (default) |
HTTPS port | 443 (default) |
Priority | Assign different priorities to origins for primary, secondary, and backup purposes. |
Weight | 1000 (default). Use weights to distribute traffic among different origins. |
Private link | Enable private link service |
Select a private link | By ID or alias |
ID/alias | Enter the private link service resource ID obtained while configuring the Application Gateway. |
Region | Select the region that matches or is closest to your origin. |
Request message | Enter a custom message to display while approving the Private Endpoint. |
Select Add to save your origin settings.
Select Add to save the origin group settings.
Approve the private endpoint
Navigate to the Application Gateway you configured with Private Link in the previous section. Under Settings, select Private link.
Select Private endpoint connections tab.
Find the pending private endpoint request from Azure Front Door Premium and select Approve.
After approval, the connection status will update. It can take a few minutes for the connection to fully establish. Once established, you can access your Application Gateway through Front Door. Direct access to the Application Gateway from the public internet is disabled once private endpoint is enabled.
Prerequisites
An Azure account with an active subscription. Create an account for free.
Azure PowerShell installed locally or Azure Cloud Shell.
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.
To start Azure Cloud Shell:
- Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
- Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
- Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.
To use Azure Cloud Shell:
Start Cloud Shell.
Select the Copy button on a code block (or command block) to copy the code or command.
Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.
Select Enter to run the code or command.
Have a functioning Azure Front Door Premium profile and an endpoint. For more information on how to create an Azure Front Door profile, see Create a Front Door - PowerShell.
Have a functioning Azure Application Gateway. For more information on how to create an Application Gateway, see Direct web traffic with Azure Application Gateway using Azure PowerShell.
Enable private connectivity to Azure Application Gateway
Follow the instructions in Configure Azure Application Gateway Private Link, but don't complete the final step of creating a private endpoint.
Create an origin group and add the application gateway as an origin
Use New-AzFrontDoorCdnOriginGroupHealthProbeSettingObject to create an in-memory object for storing the health probe settings.
$healthProbeSetting = New-AzFrontDoorCdnOriginGroupHealthProbeSettingObject `
    -ProbeIntervalInSecond 60 `
    -ProbePath "/" `
    -ProbeRequestType GET `
    -ProbeProtocol Http
Use New-AzFrontDoorCdnOriginGroupLoadBalancingSettingObject to create an in-memory object for storing load balancing settings.
$loadBalancingSetting = New-AzFrontDoorCdnOriginGroupLoadBalancingSettingObject `
    -AdditionalLatencyInMillisecond 50 `
    -SampleSize 4 `
    -SuccessfulSamplesRequired 3
Run New-AzFrontDoorCdnOriginGroup to create an origin group that contains your application gateway.
$origingroup = New-AzFrontDoorCdnOriginGroup `
    -OriginGroupName myOriginGroup `
    -ProfileName myFrontDoorProfile `
    -ResourceGroupName myResourceGroup `
    -HealthProbeSetting $healthProbeSetting `
    -LoadBalancingSetting $loadBalancingSetting
Get the frontend IP configuration name of the Application Gateway with the Get-AzApplicationGatewayFrontendIPConfig command.
$AppGw = Get-AzApplicationGateway -Name myAppGateway -ResourceGroupName myResourceGroup
$FrontEndIPs = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $AppGw
$FrontEndIPs.name
Use the New-AzFrontDoorCdnOrigin command to add your application gateway to the origin group.
New-AzFrontDoorCdnOrigin `
    -OriginGroupName myOriginGroup `
    -OriginName myAppGatewayOrigin `
    -ProfileName myFrontDoorProfile `
    -ResourceGroupName myResourceGroup `
    -HostName www.contoso.com `
    -HttpPort 80 `
    -HttpsPort 443 `
    -OriginHostHeader www.contoso.com `
    -Priority 1 `
    -PrivateLinkId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationGateways/myAppGateway `
    -SharedPrivateLinkResourceGroupId $FrontEndIPs.name `
    -SharedPrivateLinkResourcePrivateLinkLocation CentralUS `
    -SharedPrivateLinkResourceRequestMessage 'Azure Front Door private connectivity request' `
    -Weight 1000
Note
SharedPrivateLinkResourceGroupId is the name of the Azure Application Gateway frontend IP configuration.
Approve the private endpoint
Run Get-AzPrivateEndpointConnection to retrieve the connection name of the private endpoint connection that needs approval.
Get-AzPrivateEndpointConnection -ResourceGroupName myResourceGroup -ServiceName myAppGateway -PrivateLinkResourceType Microsoft.Network/applicationgateways
Run Approve-AzPrivateEndpointConnection to approve the private endpoint connection details. Use the Name value from the output in the previous step for approving the connection.
Approve-AzPrivateEndpointConnection -Name aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb.bbbbbbbb-1111-2222-3333-cccccccccccc -ResourceGroupName myResourceGroup -ServiceName myAppGateway -PrivateLinkResourceType Microsoft.Network/applicationgateways
Complete Azure Front Door setup
Use the New-AzFrontDoorCdnRoute command to create a route that maps your endpoint to the origin group. This route forwards requests from the endpoint to your origin group.
# Create a route to map the endpoint to the origin group
$Route = New-AzFrontDoorCdnRoute `
-EndpointName myFrontDoorEndpoint `
-Name myRoute `
-ProfileName myFrontDoorProfile `
-ResourceGroupName myResourceGroup `
-ForwardingProtocol MatchRequest `
-HttpsRedirect Enabled `
-LinkToDefaultDomain Enabled `
-OriginGroupId $origingroup.Id `
-SupportedProtocol Http,Https
Your Azure Front Door profile is now fully functional after completing the final step.
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
An Azure account with an active subscription. Create an account for free.
A functioning Azure Front Door Premium profile and endpoint. See Create a Front Door - CLI.
A functioning Azure Application Gateway. See Direct web traffic with Azure Application Gateway - Azure CLI.
Enable private connectivity to Azure Application Gateway
Follow the steps in Configure Azure Application Gateway Private Link, skipping the last step of creating a private endpoint.
Create an origin group and add the application gateway as an origin
Run az afd origin-group create to create an origin group.
az afd origin-group create \
    --resource-group myResourceGroup \
    --origin-group-name myOriginGroup \
    --profile-name myFrontDoorProfile \
    --probe-request-type GET \
    --probe-protocol Http \
    --probe-interval-in-seconds 60 \
    --probe-path / \
    --sample-size 4 \
    --successful-samples-required 3 \
    --additional-latency-in-milliseconds 50
Run az network application-gateway frontend-ip list to get the frontend IP configuration name of the Application Gateway.
az network application-gateway frontend-ip list --gateway-name myAppGateway --resource-group myResourceGroup
Run az afd origin create to add an application gateway as an origin to the origin group.
az afd origin create \
    --enabled-state Enabled \
    --resource-group myResourceGroup \
    --origin-group-name myOriginGroup \
    --origin-name myAppGatewayOrigin \
    --profile-name myFrontDoorProfile \
    --host-name www.contoso.com \
    --origin-host-header www.contoso.com \
    --http-port 80 \
    --https-port 443 \
    --priority 1 \
    --weight 500 \
    --enable-private-link true \
    --private-link-location centralus \
    --private-link-request-message 'Azure Front Door private connectivity request.' \
    --private-link-resource /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myRGAG/providers/Microsoft.Network/applicationGateways/myAppGateway \
    --private-link-sub-resource-type myAppGatewayFrontendIPName
Note
private-link-sub-resource-type is the Azure Application Gateway frontend IP configuration name.
Approve the private endpoint connection
Run az network private-endpoint-connection list to get the ID of the private endpoint connection that needs approval.
az network private-endpoint-connection list --name myAppGateway --resource-group myResourceGroup --type Microsoft.Network/applicationgateways
Run az network private-endpoint-connection approve to approve the private endpoint connection, using the ID from the previous step.
az network private-endpoint-connection approve --id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationGateways/myAppGateway/privateEndpointConnections/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb.bbbbbbbb-1111-2222-3333-cccccccccccc
Complete Azure Front Door setup
Run az afd route create to create a route that maps your endpoint to the origin group. This route forwards requests from the endpoint to your origin group.
az afd route create \
--resource-group myResourceGroup \
--profile-name myFrontDoorProfile \
--endpoint-name myFrontDoorEndpoint \
--forwarding-protocol MatchRequest \
--route-name myRoute \
--https-redirect Enabled \
--origin-group myOriginGroup \
--supported-protocols Http Https \
--link-to-default-domain Enabled
Your Azure Front Door profile is now fully functional after completing the final step.
Common mistakes to avoid
The following are common mistakes when configuring an Azure Application Gateway origin with Azure Private Link enabled:
- Configuring the Azure Front Door origin before configuring Azure Private Link on the Azure Application Gateway.
- Configuring the origin with origin type 'Application Gateway' instead of 'Custom'. When you choose the origin type 'Application Gateway', the origin hostname is autopopulated with the IP address of the Application Gateway, which can lead to a 'CertificateNameValidation' error. For public origins this can be avoided by disabling certificate subject name validation, but for Private Link enabled origins certificate subject name validation is mandatory.
- Adding the Azure Application Gateway origin with Azure Private Link to an existing origin group that contains public origins. Azure Front Door doesn't allow mixing public and private origins in the same origin group.
- Providing an incorrect Azure Application Gateway frontend IP configuration name as the value for SharedPrivateLinkResourceGroupId (PowerShell).
- Providing an incorrect Azure Application Gateway frontend IP configuration name as the value for private-link-sub-resource-type (Azure CLI).
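The checks below are an added example, not part of the Microsoft article or the Azure CLI. They take the parsed JSON that `az afd origin list`, `az network application-gateway frontend-ip list` and `az network private-endpoint-connection list` return (the field names `hostName`, `sharedPrivateLinkResource.groupId` and `privateLinkServiceConnectionState.status` are assumed from the ARM resource schemas) and flag three of the mistakes listed above: a mixed public/private origin group, a host name that is an IP literal instead of the listener hostname, and a frontend IP configuration name that does not exist on the gateway. They also list the private endpoint connections still waiting for the approval step. All sample records are constructed for the demo; the subscription ID is a placeholder.

```python
"""Sanity checks for an Azure Front Door Premium origin group fronting an
Application Gateway over Private Link (added example; not from the article)."""
import ipaddress
import json

# Constructed sample mirroring `az afd origin list -o json` for an origin group
# that mixes a Private Link origin (with two further mistakes) and a public one.
SAMPLE_ORIGINS = [
    {
        "name": "myAppGatewayOrigin",
        "hostName": "10.0.0.4",            # IP literal: origin type was 'Application Gateway'
        "originHostHeader": "10.0.0.4",
        "enabledState": "Enabled",
        "sharedPrivateLinkResource": {
            "groupId": "appGwPublicFrontendIp",   # not a frontend IP config on the gateway
            "privateLink": {"id": "/subscriptions/<subscription-id>/resourceGroups/"
                                  "myResourceGroup/providers/Microsoft.Network/"
                                  "applicationGateways/myAppGateway"},
            "privateLinkLocation": "centralus",
            "status": "Pending",
        },
    },
    {
        "name": "publicOrigin",              # public origin in the same group
        "hostName": "www.contoso.com",
        "originHostHeader": "www.contoso.com",
        "enabledState": "Enabled",
        "sharedPrivateLinkResource": None,
    },
]

# Constructed sample mirroring `az network application-gateway frontend-ip list -o json`.
SAMPLE_FRONTEND_IPS = [{"name": "appGwPrivateFrontendIp", "privateIPAddress": "10.0.0.4"}]

# Constructed sample mirroring `az network private-endpoint-connection list -o json`.
SAMPLE_PE_CONNECTIONS = [
    {
        "name": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb.bbbbbbbb-1111-2222-3333-cccccccccccc",
        "privateLinkServiceConnectionState": {
            "status": "Pending",
            "description": "Azure Front Door private connectivity request",
        },
    },
]


def load_az_output(text):
    """Parse the text produced by `az ... -o json`."""
    return json.loads(text)


def is_ip_literal(host):
    """True when the host name is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_origin_group(origins, frontend_ips):
    """Return a list of findings; an empty list means the origin group passes."""
    frontend_names = {f["name"] for f in frontend_ips}
    findings = []
    private = [o for o in origins if o.get("sharedPrivateLinkResource")]
    public = [o for o in origins if not o.get("sharedPrivateLinkResource")]
    if private and public:   # Front Door rejects mixed public/private origin groups
        findings.append("mixed public and Private Link origins in one origin group: "
                        + ", ".join(o["name"] for o in public))
    for o in private:
        spl = o["sharedPrivateLinkResource"]
        if is_ip_literal(o["hostName"]):   # certificate name validation will fail
            findings.append(f"{o['name']}: host name {o['hostName']} is an IP literal; "
                            "use the listener hostname with origin type Custom")
        if spl.get("groupId") not in frontend_names:
            findings.append(f"{o['name']}: groupId {spl.get('groupId')!r} is not a frontend "
                            f"IP configuration name (known: {sorted(frontend_names)})")
    return findings


def pending_connections(connections):
    """Names of private endpoint connections still awaiting approval."""
    return [c["name"] for c in connections
            if c["privateLinkServiceConnectionState"]["status"] == "Pending"]


if __name__ == "__main__":
    for finding in check_origin_group(SAMPLE_ORIGINS, SAMPLE_FRONTEND_IPS):
        print("FINDING:", finding)
    for name in pending_connections(SAMPLE_PE_CONNECTIONS):
        print("PENDING APPROVAL:", name)
```

In practice you would pipe the real CLI output into `load_az_output` (for example `az afd origin list -g myResourceGroup --profile-name myFrontDoorProfile --origin-group-name myOriginGroup -o json`) and run the same two functions; the constructed sample yields three findings and one connection pending approval.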
Next steps
Learn about Private Link service with storage account.