Connect Azure Front Door Premium to a storage account origin with Private Link

This article guides you through how to configure Azure Front Door Premium tier to connect to your storage account origin privately using the Azure Private Link service.

Prerequisites

Sign in to Azure

Sign in to the Azure portal.

In this section, you map the Private Link service to a private endpoint created in Azure Front Door's private network.

  1. Within your Azure Front Door Premium profile, under Settings, select Origin groups.

  2. Select the origin group that contains the storage account origin you want to enable Private Link for.

  3. Select + Add an origin to add a new storage account origin or select a previously created storage account origin from the list.

    Screenshot of enabling private link to a storage account.

  4. Select or enter the following settings to configure the storage blob you want Azure Front Door Premium to connect with privately. The table lists the value to use in each field when enabling Private Link with Azure Front Door.

    | Setting | Value |
    | --- | --- |
    | Name | Enter a name to identify this storage blob origin. |
    | Origin Type | Storage (Azure Blobs) |
    | Host name | Select the host from the dropdown that you want as an origin. |
    | Origin host header | You can customize the host header of the origin or leave it as default. |
    | HTTP port | 80 (default) |
    | HTTPS port | 443 (default) |
    | Priority | Different origins can have different priorities to provide primary, secondary, and backup origins. |
    | Weight | 1000 (default). Assign weights to your different origins when you want to distribute traffic. |
    | Region | Select the region that is the same or closest to your origin. |
    | Target sub resource | The type of subresource for the resource selected previously that your private endpoint can access. You can select blob or web. |
    | Request message | Custom message to see while approving the Private Endpoint. |

  5. Select Add to save your configuration, then select Update to save the origin group settings.

Note

Ensure the origin path in your routing rule is configured correctly with the storage container file path so that requested files can be retrieved.

Approve private endpoint connection from the storage account

  1. Go to the storage account you configured Private Link for in the last section. Select Networking under Settings.

  2. In Networking, select Private endpoint connections.

    Screenshot of networking settings in a Web App.

  3. Select the pending private endpoint request from Azure Front Door Premium then select Approve.

    Screenshot of pending storage private endpoint request.

  4. Once approved, it should look like the following screenshot. It takes a few minutes for the connection to fully establish. You can now access your storage account from Azure Front Door Premium.

    Screenshot of approved storage endpoint request.
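The following check is an added example, not part of the original article or of any Microsoft tooling. It reviews a storage account record before and after the approval step: it lists only the pending requests whose message matches the Request message entered on the origin, and flags an account whose public endpoint is still open. Assumptions: the JSON shape follows what `az storage account show` prints, the request message appears as the connection's `description`, and the account name, connection names and messages are constructed sample values.

```python
import json

# Constructed sample, trimmed to the fields used (shape assumed to follow
# the JSON printed by `az storage account show`).
SAMPLE = json.loads("""
{
  "name": "examplestorage",
  "publicNetworkAccess": "Enabled",
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"defaultAction": "Allow"},
  "privateEndpointConnections": [
    {"name": "conn-1", "privateLinkServiceConnectionState":
      {"status": "Pending", "description": "AFD Premium to examplestorage"}},
    {"name": "conn-2", "privateLinkServiceConnectionState":
      {"status": "Pending", "description": "please approve"}}
  ]
}
""")


def review(account, expected_message):
    """Return (approvable, findings) for one storage account record."""
    approvable, findings = [], []
    for conn in account.get("privateEndpointConnections") or []:
        state = conn.get("privateLinkServiceConnectionState") or {}
        message = (state.get("description") or "").strip()
        if state.get("status") != "Pending":
            continue
        # Approve only the request carrying the message set on the origin.
        if message == expected_message:
            approvable.append(conn["name"])
        else:
            findings.append(f"{conn['name']}: unrecognized request {message!r}")
    # Private Link does not close the public endpoint by itself.
    rules = account.get("networkRuleSet") or {}
    if (account.get("publicNetworkAccess") != "Disabled"
            and rules.get("defaultAction", "Allow") == "Allow"):
        findings.append("public endpoint accepts traffic from all networks")
    # Relates to the note on anonymous access: with this off, requests need
    # authorization (for example a shared access signature).
    if account.get("allowBlobPublicAccess"):
        findings.append("account permits anonymous access on containers")
    return approvable, findings


if __name__ == "__main__":
    ok, issues = review(SAMPLE, "AFD Premium to examplestorage")
    print("approve:", ok)
    for issue in issues:
        print("finding:", issue)
```
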

Note

If the blob or container within the storage account doesn't permit anonymous access, requests made against the blob/container should be authorized. One option for authorizing a request is by using shared access signatures.

Next steps

Learn about Private Link service with storage account.