Integrating Front Door and Azure Container Apps with Private Link

Jason Lee 181 Reputation points
2023-03-22T22:05:06.71+00:00

Hi,

I'd like to ensure that the only network traffic that reaches my Azure Container Apps environment is traffic that has gone through Azure Front Door. This is to ensure that Front Door's Web Application Firewall protects my ACA environment (e.g. an attacker cannot go around Front Door and send requests directly to ACA).

I've seen several ideas posted online, but the most secure idea I have seen is to use Private Link to connect Front Door to an internal ACA environment's load balancer. This article by Microsoft employee Chris Bellée on Feb 1, 2023 details a way to connect Front Door to ACA via a Private Link Service resource and the Internal Load Balancer that ACA automatically creates. I gave it a try and it does work.

Is connecting Front Door to an internal ACA environment's Internal Load Balancer using Private Link official guidance from Microsoft? Is this approach officially supported by Microsoft? Specifically, is the Internal Load Balancer on which this architecture depends a stable resource that will not be randomly destroyed/recreated (e.g. security patch, Infra-as-Code/ARM/Terraform update, etc.)?

I don't totally like the approach suggested on other threads where you use an NSG on the VNet of an internal ACA environment to restrict inbound traffic to the Azure Front Door service tag since that theoretically still allows an attacker to bypass my Front Door with their Front Door. Even if we add code to our apps to inspect the header to ensure traffic comes from our Front Door instance, attacker traffic can still theoretically reach our ACA instance and leave us open to denial-of-service attacks.

Thanks in advance!

PS this is a cross post of a comment I made a week ago on a GitHub thread as I have not seen an official response from Microsoft.

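As an added example (not code from the post, the linked article or Microsoft's documentation), this Bicep fragment shows the Front Door Premium origin the question describes: the app is addressed by its ACA default domain but is reached only through a Private Link Service attached to the environment's internal load balancer. The Private Link Service, internal load balancer and ACA environment, and all parameter values, are assumptions.

```bicep
// Added example, not code from the thread or the linked article. Assumes the ACA
// internal environment, its internal load balancer and a Private Link Service
// fronting that ILB already exist; parameter values are placeholders.
param location string                   // region of the ACA environment and the PLS
param profileName string = 'afd-premium-example'
param privateLinkServiceId string       // resource ID of the existing Private Link Service
param acaDefaultDomain string           // app's ACA default domain, e.g. myapp.internal.<env>.<region>.azurecontainerapps.io

// Private Link origins require the Premium SKU.
resource profile 'Microsoft.Cdn/profiles@2023-05-01' = {
  name: profileName
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' }
}

resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: profile
  name: 'aca-internal'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3 }
    healthProbeSettings: { probePath: '/', probeRequestType: 'HEAD', probeProtocol: 'Https', probeIntervalInSeconds: 100 }
  }
}

resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: originGroup
  name: 'aca-ilb'
  properties: {
    // The origin is addressed by the app's ACA default domain, but the TCP connection
    // is carried over Private Link, so the environment needs no public ingress.
    hostName: acaDefaultDomain
    originHostHeader: acaDefaultDomain
    httpPort: 80
    httpsPort: 443
    priority: 1
    weight: 1000
    enabledState: 'Enabled'
    enforceCertificateNameCheck: true
    // Bind the origin to the Private Link Service in front of the ACA ILB. Front Door
    // creates a private endpoint connection that must be approved on the PLS side.
    sharedPrivateLinkResource: {
      privateLink: { id: privateLinkServiceId }
      privateLinkLocation: location
      requestMessage: 'Front Door Premium to ACA internal load balancer'
    }
  }
}
```

After deployment the private endpoint connection stays pending on the Private Link Service until it is approved there; until then Front Door cannot reach the origin.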

Accepted answer
  1. KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee
    2023-03-23T05:16:24.6833333+00:00

    @Jason Lee

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know more about using Azure Private Link behind Azure Front Door.

    I believe this is the official how-to documentation: Connect Azure Front Door Premium to an internal load balancer origin with Private Link

    As long as a PaaS or Compute service supports being in the backend pool of an Internal Load Balancer, this configuration should work.

    I wouldn't say this is official documentation from Microsoft for connecting Front Door to an internal ACA environment's internal Load Balancer, as it would be challenging to provide such configuration for every PaaS service that supports ILB.

    However, we can guarantee the Internal Load Balancer is a stable resource, and Standard LB has a 99.99% SLA.

    Also, refer to: Azure SLA

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.

1 additional answer

  1. Jason Lee 181 Reputation points
    2023-03-27T15:00:44.7933333+00:00

    For clarity of those following this thread: Please look at the comments of KapilAnanth-MSFT's answer for the real answer as the initial "answer" isn't really the true answer. :)

    1 person found this answer helpful.