Front Door with Private Link network routing

Containers ToGo
2022-09-01T15:35:48.987+00:00

Please help me understand the network routing options when using Azure Front Door with Private Link service for an internal-facing web app. If a user has a VPN connection, I understand the connection will be made over the internet to the nearest FD POP. From there, the TCP traffic will be split. My questions are regarding the options for network routing for the 'long TCP connection' from the FD edge to the Azure WebApp App Service using Private Link. I understand this long TCP connection to be source NATed and to traverse the Azure backbone. Is there an option to route this from the user's browser over the VPN connection to the private endpoint of the App Service, or does it always traverse the Azure backbone from the FD edge? How is this traffic configured?

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.

1 answer

  1. ChaitanyaNaykodi-MSFT (Microsoft Employee)
    2022-09-03T22:15:54.12+00:00

    Hello @Containers ToGo ,

    Welcome to the Microsoft Q&A forum.

    Based on your questions above

    My questions are regarding the options for network routing for the 'long TCP connection' from the FD edge to the Azure WebApp App Service using Private Link. I understand this long TCP connection to be source NATed and to traverse the Azure backbone.

    Yes, when you enable the Private Link service, it enables you to access the Azure WebApp over a private endpoint in your virtual network. A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network.

    Is there an option to route this from the user's browser over the VPN connection to the private endpoint of the App Service, or does it always traverse the Azure backbone from the FD edge? How is this traffic configured?

    Based on my understanding of your set-up, if the communication is taking place in this manner, User(VPN)->Internet->AFD->PrivateLink->WebApp, then the traffic will always traverse the Azure backbone from the AFD edge to your WebApp, and there is no option to configure the traffic to go from the user's browser over the VPN connection to the private endpoint of the App Service. Can you please explain more about why it is desired to route traffic in this manner?

    For additional security, you can also explore the option of enabling WAF on your AFD, which gives you features like IP allow lists and block lists, geography-based access control, etc.

    Additional Reference Documentation:
    https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls
    https://learn.microsoft.com/en-us/azure/frontdoor/best-practices

    Hope this helps! Please let me know if you have any additional questions here. Thank you!

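As an added illustration of "how is this traffic configured" (example code, not from the question or the answer above): the Front Door edge-to-origin leg uses Private Link only when the origin is declared with a `sharedPrivateLinkResource` block, which is only available on the Premium SKU. The Bicep template below wires an existing App Service into a Front Door Premium profile that way. All parameter names, resource names and the chosen API versions are assumptions for illustration; the App Service is assumed to already exist in the same resource group.

```bicep
// Added example (not from the original post): Front Door Premium origin that reaches an
// App Service over Private Link. Names, parameters and API versions are assumptions.
param location string = resourceGroup().location
param profileName string = 'afd-internal-app'
param endpointName string = 'internal-app'
param webAppName string = 'internal-webapp'   // existing App Service (assumed to exist)
param webAppLocation string = location         // region the App Service is deployed in

// Reference the existing App Service so its resource ID and hostname can be reused.
resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: webAppName
}

// Private Link origins require the Premium SKU.
resource profile 'Microsoft.Cdn/profiles@2021-06-01' = {
  name: profileName
  location: 'global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2021-06-01' = {
  parent: profile
  name: endpointName
  location: 'global'
  properties: {
    enabledState: 'Enabled'
  }
}

resource originGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {
  parent: profile
  name: 'webapp-origin-group'
  properties: {
    loadBalancingSettings: {
      sampleSize: 4
      successfulSamplesRequired: 3
    }
    healthProbeSettings: {
      probePath: '/'
      probeRequestType: 'HEAD'
      probeProtocol: 'Https'
      probeIntervalInSeconds: 100
    }
  }
}

// The sharedPrivateLinkResource block is what makes the AFD edge -> origin leg
// use Private Link across the Azure backbone instead of the origin's public hostname.
resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2021-06-01' = {
  parent: originGroup
  name: 'webapp-origin'
  properties: {
    hostName: webApp.properties.defaultHostName
    originHostHeader: webApp.properties.defaultHostName
    httpPort: 80
    httpsPort: 443
    priority: 1
    weight: 1000
    enabledState: 'Enabled'
    sharedPrivateLinkResource: {
      privateLink: {
        id: webApp.id
      }
      groupId: 'sites'
      privateLinkLocation: webAppLocation
      requestMessage: 'Front Door private link request'
    }
  }
}

// Route everything on the endpoint to the private-link origin group, HTTPS only.
resource route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2021-06-01' = {
  parent: endpoint
  name: 'default-route'
  properties: {
    originGroup: {
      id: originGroup.id
    }
    supportedProtocols: [ 'Http', 'Https' ]
    patternsToMatch: [ '/*' ]
    forwardingProtocol: 'HttpsOnly'
    linkToDefaultDomain: 'Enabled'
    httpsRedirect: 'Enabled'
  }
  dependsOn: [ origin ]
}

output frontDoorHostName string = endpoint.properties.hostName
```

After deployment the Front Door side creates a pending private endpoint connection on the App Service, which must be approved (in the App Service's Networking blade or with `az network private-endpoint-connection approve`) before the origin health probes succeed. Once the private-link path works, disabling public network access on the App Service ensures the only inbound path is the one shown in the answer above: user -> internet -> AFD edge -> Private Link -> WebApp; the VPN has no role on the origin side of that path.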