Connect Azure Front Door Premium to an App Service origin with Private Link

This article will guide you through how to configure Azure Front Door Premium tier to connect to your App service privately using the Azure Private Link service.

Prerequisites

Note

Private endpoints requires your App Service plan or function hosting plan to meet some requirements. For more information, see Using Private Endpoints for Azure Web App.

Sign in to Azure

Sign in to the Azure portal.

In this section, you'll map the Private Link service to a private endpoint created in Azure Front Door's private network.

  1. Within your Azure Front Door Premium profile, under Settings, select Origin groups.

  2. Select the origin group that contains the App Service origin you want to enable Private Link for.

  3. Select + Add an origin to add a new app service origin or select a previously created App service origin from the list.

    Screenshot of enabling private link to a Web App.

  4. The table below has information of what values to select in the respective fields while enabling private link with Azure Front Door. Select or enter the following settings to configure the App service you want Azure Front Door Premium to connect with privately.

    Setting Value
    Name Enter a name to identify this storage blog origin.
    Origin Type Storage (Azure Blobs)
    Host name Select the host from the dropdown that you want as an origin.
    Origin host header You can customize the host header of the origin or leave it as default.
    HTTP port 80 (default)
    HTTPS port 443 (default)
    Priority Different origin can have different priorities to provide primary, secondary, and backup origins.
    Weight 1000 (default). Assign weights to your different origin when you want to distribute traffic.
    Region Select the region that is the same or closest to your origin.
    Target sub resource The type of sub-resource for the resource selected above that your private endpoint will be able to access. You can select site.
    Request message Customize message or choose the default.
  5. Select Add to save your configuration. Then select Update to save the origin group settings.

Approve Azure Front Door Premium private endpoint connection from App Service

  1. Go to the App Service you configured Private Link for in the last section. Select Networking under Settings.

  2. In Networking, select Configure your private endpoint connections.

    Screenshot of networking settings in a Web App.

  3. Select the pending private endpoint request from Azure Front Door Premium then select Approve.

    Screenshot of pending private endpoint request.

  4. Once approved, it should look like the screenshot below. It will take a few minutes for the connection to fully establish. You can now access your app service from Azure Front Door Premium. Direct access to the App Service from the public internet gets disabled after private endpoint gets enabled.

    Screenshot of approved endpoint request.

Next steps

Learn about Private Link service with App service.