Connect Azure Front Door Premium to a storage account origin with Private Link

Applies to: ✔️ Front Door Premium

This article guides you through configuring Azure Front Door Premium to connect privately to a storage account origin using Azure Private Link service.

Prerequisites

  • A Private Link. For more information, see Create a Private Link service.

  • Azure Cloud Shell or Azure CLI.

    The steps in this article run the Azure CLI commands interactively in Azure Cloud Shell. To run the commands in the Cloud Shell, select Open Cloud Shell at the upper-right corner of a code block. Select Copy to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

    You can also install Azure CLI locally to run the commands. If you run Azure CLI locally, sign in to Azure using the az login command.

Note

Private endpoints require your Storage Account to meet specific requirements. For more information, see Using Private Endpoints for Azure Storage.

Enable Private Link to a storage account in Azure Front Door Premium

In this section, you map the storage account's Private Link resource to a private endpoint that Azure Front Door creates in its own private network. You can do this in the Azure portal or with the Azure CLI.

Azure portal

  1. Within your Azure Front Door Premium profile, under Settings, select Origin groups.

  2. Select the origin group that contains the storage account origin you want to enable Private Link for.

  3. Select + Add an origin to add a new storage account origin or select a previously created storage account origin from the list.

  4. Select or enter the following values to configure the storage blob that you want Azure Front Door Premium to connect to privately.

    Setting               Value
    Name                  Enter a name to identify this storage blob origin.
    Origin type           Storage (Azure Blobs)
    Host name             Select the storage account host from the dropdown that you want to use as the origin.
    Origin host header    Customize the host header sent to the origin, or leave it as the default.
    HTTP port             80 (default)
    HTTPS port            443 (default)
    Priority              Different origins can have different priorities to provide primary, secondary, and backup origins.
    Weight                1000 (default). Assign weights to your different origins when you want to distribute traffic between them.
    Region                Select the region that is the same as or closest to your origin. This is the region in which Front Door creates the private endpoint (the --private-link-location value in the CLI).
    Target sub resource   The type of subresource of the storage account that the private endpoint can access. For a blob origin, select blob.
    Request message       A custom message shown to the storage account owner when they approve the private endpoint connection.

    Screenshot of enabling private link to a storage account.

  5. Select Add to save your configuration.

  6. Select Update to save the origin group settings.

Note

In the route that uses this origin group, make sure the origin path points at the storage container path so that requests for files resolve to the correct blobs.

Azure CLI

Use the az afd origin create command to create a new Azure Front Door origin with Private Link enabled. The --private-link-location value must be one of the regions in which Private Link is available for Front Door, the --private-link-resource value is the resource ID of the storage account, and the --private-link-sub-resource-type value for a blob origin is blob.

az afd origin create --enabled-state Enabled \
                     --resource-group 'myResourceGroup' \
                     --origin-group-name 'og1' \
                     --origin-name 'mystorageorigin' \
                     --profile-name 'contosoAFD' \
                     --host-name 'mystorage.blob.core.windows.net' \
                     --origin-host-header 'mystorage.blob.core.windows.net' \
                     --http-port 80 \
                     --https-port 443 \
                     --priority 1 \
                     --weight 500 \
                     --enable-private-link true \
                     --private-link-location 'EastUS' \
                     --private-link-request-message 'AFD storage origin Private Link request.' \
                     --private-link-resource '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorage' \
                     --private-link-sub-resource-type blob 

Approve Front Door private endpoint connection from the storage account

Azure portal

  1. Go to the storage account you configured Private Link for in the previous section.

  2. Under Settings, select Networking.

  3. In Networking, select Private endpoint connections.

  4. Select the pending private endpoint request from Azure Front Door Premium, then select Approve.

    Screenshot of pending storage private endpoint request.

Azure CLI

  1. Use the az network private-endpoint-connection list command to list the private endpoint connections for your storage account. Note the resource ID (the id field) of the pending connection from Azure Front Door in the output.

    az network private-endpoint-connection list --name 'mystorage' --resource-group 'myResourceGroup' --type 'Microsoft.Storage/storageAccounts'
    
  2. Use the az network private-endpoint-connection approve command to approve the private endpoint connection.

    az network private-endpoint-connection approve --id '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorage/privateEndpointConnections/mystorage.aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'
    

It takes a few minutes for the connection to fully establish after approval. Once established, Azure Front Door Premium reaches your storage account over the private endpoint. Approving the connection doesn't by itself block public access to the storage account: the account's public endpoint stays reachable until you close it. To make sure requests reach the storage account only through Front Door (and therefore through any WAF policy attached to it), set Public network access to Disabled, or restrict it under Firewalls and virtual networks, in the storage account's Networking settings after the private endpoint connection is approved.
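As an added example (not part of the Azure documentation and not Azure CLI code), the following Python script reads the JSON that the list and show commands print and applies the two checks a practitioner wants at this point: approve only the pending request whose description matches the request message configured on the Front Door origin, reject any other pending request rather than waving it through, and warn when the storage account's public endpoint is still open after the private endpoint has been approved. The embedded JSON is a constructed sample modelled on the ARM schema for Microsoft.Storage/storageAccounts; the private endpoint resource IDs, the second (unrelated) request, and the request message are assumptions.

```python
"""Post-approval audit for a Front Door Premium -> storage account Private Link origin.

Added example; not from the Azure documentation or the Azure CLI. Works on the
parsed JSON of `az network private-endpoint-connection list` and
`az storage account show`. Samples below are constructed; the private endpoint
IDs, the unrelated request and the request message are assumed values.
"""
import json

# Assumed: the --private-link-request-message (or portal Request message) used
# when the Front Door origin was created.
EXPECTED_REQUEST_MESSAGE = "AFD storage origin Private Link request."

STORAGE_ID = ("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/"
              "myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorage")

# Constructed sample of:
#   az network private-endpoint-connection list --name mystorage \
#     --resource-group myResourceGroup --type Microsoft.Storage/storageAccounts
# Entry 1 is Front Door's request; entry 2 is a stranger's pending request.
SAMPLE_CONNECTIONS = json.loads(json.dumps([
    {"id": STORAGE_ID + "/privateEndpointConnections/mystorage.aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
     "name": "mystorage.aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
     "properties": {
         "privateEndpoint": {"id": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/"
                                   "afd-managed/providers/Microsoft.Network/privateEndpoints/afd-pe-contosoAFD"},
         "privateLinkServiceConnectionState": {"status": "Pending", "description": EXPECTED_REQUEST_MESSAGE,
                                               "actionRequired": "None"},
         "provisioningState": "Succeeded"}},
    {"id": STORAGE_ID + "/privateEndpointConnections/mystorage.22222222-2222-2222-2222-222222222222",
     "name": "mystorage.22222222-2222-2222-2222-222222222222",
     "properties": {
         "privateEndpoint": {"id": "/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/"
                                   "unknown-rg/providers/Microsoft.Network/privateEndpoints/pe-unknown"},
         "privateLinkServiceConnectionState": {"status": "Pending", "description": "please approve",
                                               "actionRequired": "None"},
         "provisioningState": "Succeeded"}},
]))

# Constructed samples of `az storage account show` (only the fields read here):
# the state right after approval if nothing else was changed, and the locked state.
SAMPLE_ACCOUNT_OPEN = {"name": "mystorage", "publicNetworkAccess": "Enabled", "allowBlobPublicAccess": False,
                       "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                                          "ipRules": [], "virtualNetworkRules": []}}
SAMPLE_ACCOUNT_LOCKED = {"name": "mystorage", "publicNetworkAccess": "Disabled", "allowBlobPublicAccess": False,
                         "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                                            "ipRules": [], "virtualNetworkRules": []}}


def _connection_state(conn):
    """Return (connection id, status, description); tolerate nested or flattened 'properties'."""
    props = conn.get("properties", conn)
    state = props.get("privateLinkServiceConnectionState", {})
    return conn["id"], state.get("status", ""), state.get("description", "")


def classify_connections(connections, expected_message):
    """Split connections into (ids to approve, ids already approved, ids to reject).

    Only a Pending request whose description equals the message configured on the
    Front Door origin is approved; any other Pending request is someone else's
    private endpoint and is queued for rejection instead of being approved blindly.
    """
    approve, approved, reject = [], [], []
    for conn in connections:
        conn_id, status, description = _connection_state(conn)
        if status == "Approved":
            approved.append(conn_id)
        elif status == "Pending" and description == expected_message:
            approve.append(conn_id)
        elif status == "Pending":
            reject.append(conn_id)
    return approve, approved, reject


def approve_command(connection_id):
    return f"az network private-endpoint-connection approve --id '{connection_id}'"


def reject_command(connection_id):
    return f"az network private-endpoint-connection reject --id '{connection_id}'"


def public_exposure_findings(account):
    """Findings for an account that still answers requests which bypass Front Door.

    A private endpoint connection does not change the account's public endpoint;
    it has to be closed explicitly (public network access Disabled, or a Deny
    default action on the storage firewall).
    """
    findings = []
    rules = account.get("networkRuleSet", {})
    if account.get("publicNetworkAccess") != "Disabled":
        if rules.get("defaultAction") != "Deny":
            findings.append("public endpoint open to all networks: run "
                            "az storage account update --public-network-access Disabled")
        elif rules.get("ipRules") or rules.get("virtualNetworkRules"):
            findings.append("public endpoint still reachable from firewall-allowed IP ranges "
                            "or subnets; confirm they are intended")
    if account.get("allowBlobPublicAccess"):
        findings.append("anonymous blob access is allowed at the account level; public containers "
                        "are readable by anyone who can reach the account")
    return findings


if __name__ == "__main__":
    to_approve, already, to_reject = classify_connections(SAMPLE_CONNECTIONS, EXPECTED_REQUEST_MESSAGE)
    for cid in to_approve:
        print(approve_command(cid))
    for cid in to_reject:
        print(reject_command(cid))
    for cid in already:
        print(f"already approved: {cid}")
    for finding in public_exposure_findings(SAMPLE_ACCOUNT_OPEN):
        print(f"WARNING: {finding}")
```

Against a real account, replace the samples with json.loads of the output of `az network private-endpoint-connection list ... -o json` and `az storage account show --name mystorage --resource-group myResourceGroup -o json`, run the printed approve and reject commands, and close the public endpoint with `az storage account update --name mystorage --resource-group myResourceGroup --public-network-access Disabled` once the Front Door connection is approved and the route is verified. The description match is the only identity signal the storage account side gets from Front Door's request, so keep the request message specific to the profile that should be connecting.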

Note

If the blob or container within the storage account doesn't permit anonymous access, requests made against the blob or container must be authorized. One option for authorizing a request is a shared access signature (SAS).

Common mistakes to avoid

The following are common mistakes when configuring an origin with Azure Private Link enabled:

  • Adding the origin with Azure Private Link enabled to an existing origin group that contains public origins. Azure Front Door doesn't allow mixing public and private origins in the same origin group.
  • Not using SAS tokens when connecting to a storage account that doesn't allow anonymous access.