Seamlessly deploy Azure Front Door Premium with Private Endpoint to App Services

Photo of author

Dan Rios

3 min read

Contents

Introduction

The Bicep template to deploy this is uploaded to my GitHub here. Deploys in minutes!

Azure Front Door Premium allows Private Link connections to Azure PaaS services such as Azure Storage, App services and even AKS/Azure Container Apps.

Private Endpoints allow us to securely send traffic via the Azure backbone network with Microsoft directly to your virtual network without leaving and going via the internet.

In this post I’ll detail the benefits of Azure Front Door Premium integration to your Azure App service, what the deployment looks like and an Azure Bicep template to quick start deploy all the components in a matter of minutes!

Azure Front Door Premium with Private Link to App Services

Benefits

Seamless integration. Front Door will directly connect to the origin backend directly rather than having to transverse through public service endpoints.

Security. Using a Private Endpoints means the traffic is not sent out to the web and is retained within the Microsoft backbone to your private internal virtual network.

Only one Private Endpoint needed. Microsoft handles this and you only need to approve the PE once to your backend origin and it’s all done!

Considerations

  • Regions available for Azure Front Door Premium with Private Link are lacking – UK West is missing at the time of writing for example.
  • Private Endpoints add additional costs and complexity that may be not necessary for your end goal or business needs.
  • Can alternatively setup an AzureFrontDoor.Backend Service Tag on the Azure Web App access restrictions, specifying your Front Door GUID to lock it down.

Deploying Azure Front Door Premium with Private Endpoint to App Service backend

You must have two resource groups already deployed as a pre-requisite for the Bicep template.

riosengineer/bicep-quickstart-frontdoor-private-endpoint-appservice: Template to deploy Azure Front Door premium with Private Endpoint to your Azure App service (github.com)

The components deployed & automatically configured by the Bicep template are as follows:

  • Azure Front Door Premium with WAF
  • Private Link to App Service (pending status)
  • Windows App Service & App Plan
  • Log Analytics workspace
  • Enabling App Insights
  • Enabling system-assigned managed identity on the app
  • Virtual Network & vNet integration

All of the Azure Bicep code used is uploaded to my GitHub here.

Fork the repository and deploy using the instructions in the README file after amending the parameters to suit your deployment needs.

Once deployed, in the portal search bar, locate Private Link Centre and under the Pending connections approve the connection:

In the newly created Azure App – Networking tab we can now see that the Private Endpoint is configured, along with vNet integration and public access denied via Bicep.

Then, checking the Azure Front Door Origin group we can see Bicep has automatically populated the private link service and it’s details:

Here, we can see the Bicep template has automatically enabled the Private Link service on the origin and specified the region, sub resource of sites which refers to the underlying Web App ‘serverfarm’ resources and a simple message for the Private Endpoint requesting message.

Lastly, checking the Front Door endpoint URL we are able to resolve directly to the default web app splash page to confirm it’s all working:

Front Door can take sometime to propagate so don’t be alarmed if the Front Door Endpoint URL doesn’t work immediately!

Conclusion

That’s it! Really sleek and elegant solution to securing your PaaS services behind Azure Front Door Premium features. You can easily amend my Bicep template to change the app SKUs, or code stack etc.

I’ve further tested this setup with Azure Container Apps and it works flawlessly too. You just need to use the Microsoft managed Kubernetes load balancer as the origin host for it to work.

The initial Bicep code is from the Bicep ResourceModules repository over on GitHub (aka CARML aka soon to be Azure Verified Modules), and modified for this deployment.

There is an example of Front Door Premium with App Services Bicep on Microsoft Learn, however, it does not enable Private Link & does not turn on any features such as Application Insights, managed identities, vNet integration, etc.

This is partially what spurred me on to create this more conclusive quickstart template and guide to compliment.

References

Pricing – Front Door | Microsoft Azure

Comparison between Azure Front Door and Azure CDN services | Microsoft Learn

Secure traffic to origins – Azure Front Door | Microsoft Learn

Leave a comment


Latest Posts

Azure Lean Coffee Episode 3

Azure Lean Coffee – Episode 3

Azure Spring Clean 2024

Azure Spring Clean: Azure best practice for Bicep with PSRule

Azure Container App

Continuous deployment to Azure Container Apps with Azure DevOps

Get Azure posts

straight to your inbox

Let's connect

Privacy policy

© 2024 Dan Rios

Skip to content