Front Door Premium with App Service origin and Private Link

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Bicep Version

Deploy To Azure Visualize Visualize

This template deploys a Front Door Standard/Premium with an App Service origin, using a private endpoint to access the App Service application.

Sample overview and deployed resources

This sample template creates an App Service app and a Front Door profile, and uses a private endpoint (also known as Private Link) to access the App Service.

The following resources are deployed as part of the solution:

App Service

Front Door Standard/Premium

  • Front Door profile, endpoint, origin group, origin, and route to direct traffic to the App Service application.
    • This sample must be deployed using the premium Front Door SKU, since this is required for Private Link integration.
    • The Front Door origin is configured to use Private Link. The behaviour of App Service (as of February 2021) is that, once a private endpoint is configured on an App Service instance, that App Service application will no longer accept connections directly from the internet. Traffic must flow through Front Door for it to be accepted by App Service.

The following diagram illustrates the components of this sample.

Architecture diagram showing traffic inspected by App Service access restrictions.

Deployment steps

You can click the "deploy to Azure" button at the beginning of this document or follow the instructions for command line deployment using the scripts in the root of this repo.

Usage

Connect

Once you have deployed the Azure Resource Manager template, you need to approve the private endpoint connection. This step is necessary because the private endpoint created by Front Door is deployed into a Microsoft-owned Azure subscription, and cross-subscription private endpoint connections require explicit approval. To approve the private endpoint:

  1. Open the Azure portal and navigate to the App Service application.
  2. Click the Networking tab, and then click Configure your private endpoint connections.
  3. Select the private endpoint that is awaiting approval, and click the Approve button. This can take a couple of minutes to complete.

After approving the private endpoint, wait a few minutes before you attempt to access your Front Door endpoint to allow time for Front Door to propagate the settings throughout its network.

You can then access the Front Door endpoint. The hostname is emitted as an output from the deployment - the output is named frontDoorEndpointHostName. You should see an App Service welcome page. If you see an error page, wait a few minutes and try again.

You can also attempt to access the App Service hostname directly. The hostname is also emitted as an output from the deployment - the output is named appServiceHostName. You should see a Forbidden error, since your App Service instance no longer accepts requests that come from the internet.

Tags: Microsoft.Resources/deployments, Microsoft.Web/serverfarms, Microsoft.Web/sites, Microsoft.Cdn/profiles, Microsoft.Cdn/profiles/afdEndpoints, Microsoft.Cdn/profiles/originGroups, Microsoft.Cdn/profiles/originGroups/origins, Microsoft.Cdn/profiles/afdEndpoints/routes