Azure Front End with Origin Storage (Azure Blobs) with Enable Private Link Service not working

ets 0 Reputation points


Below is my steps:

  1. Create Storage account.
  2. Create Azure front door link to Storage Blob as origin enable private link

User's image

  1. go to Storage Account, Networking approved Private Endpoint connections.
  2. After approved wait for few minutes, but when I tried to use front door navigate to my blobs it return

User's image

  1. My container access level

User's image

May I know am I did something wrong in between ?



Chin Yeow

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
577 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,675 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
460 questions
{count} votes

1 answer

Sort by: Most helpful
  1. KapilAnanth-MSFT 34,766 Reputation points Microsoft Employee


    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to leverage Azure Front Door Premium storage account origin with Private Link

    Apologies for the delay, as I was deploying a Lab.

    Your configuration steps are correct. It is just that we overlooked the "Change Access level " property of the Storage Account.

    Refer : Configure anonymous public read access for containers and blobs

    • The "Private" does not mean access is restricted to only Private IPs
      • In fact, this setting does not influence the networking part at all (atleast, not at HTTP level)
    • It actually means access is only provided for "Authorized requests".
    • No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.
    • Network Access is actually controlled and provided to the Storage Account as a whole.

    Now, for your case, you must either use a

    Shared Key (storage account key) or

    Shared access signature (SAS)

    We can actually test this, Just by using Storage Account.

    • Set the "Change Access level" to Private
    • Try to access the blob in the container, you should see 404 - which is expected.
    • Now, with the Access Level still as private, use a shared access signatures (SAS) and make the requests with it
    • You will see, even with "Change Access level" to Private, you will be able to access it via Internet
    • User's image

    So, this means, your request will become something like,

    • https://<StorageAccountName>***/private/index.html***?<SASToken>
    • And subsequently, your AFD request becomes,
    • https://<AFDEndPointName>***/private/index.html***?<SASToken>

    Please let us know if we can be of any further assistance here.



    Please Accept an answer if correct.

    Original posters help the community find answers faster by identifying the correct answer.