Hello @Containers ToGo ,
Welcome to the Microsoft Q&A forum.
Based on your questions above:
My questions are regarding options for network routing for the 'long TCP connection' from the FD edge to the Azure Web App (App Service) using Private Link. I understand this long TCP connection to be source NAT'd and to traverse the Azure backbone.
Yes, when you enable the Private Link service, it enables you to access the Azure Web App over a private endpoint in your virtual network. A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network.
Is there an option to route this from the user's browser over a VPN connection to the private endpoint of the App Service, or does it always traverse the Azure backbone from the FD edge? How is this traffic configured?
Based on my understanding of your set-up, if the communication is taking place in this manner: User(VPN) -> Internet -> AFD -> Private Link -> WebApp,
then the traffic will always traverse the Azure backbone from the AFD edge to your Web App, and there is no option to configure the traffic as "user's browser over VPN connection to the private endpoint of the App Service". Can you please explain more about why it is desired to route traffic in this manner?
For additional security, you can also explore the option of enabling WAF on your AFD, which gives you features like IP allow lists and block lists, geographic-based access control, etc.
Additional Reference Documentation:
https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls
https://learn.microsoft.com/en-us/azure/frontdoor/best-practices
Hope this helps! Please let me know if you have any additional questions here. Thank you!
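As an added example (not part of the answer above or of any Microsoft sample), the following Bicep shows what the WAF options mentioned in the answer look like in practice: a Front Door WAF policy with a custom rule that allows a corporate egress range, a custom rule that blocks requests whose source country is outside an allowed set, and the managed Default Rule Set, then a security policy that attaches it to an existing Front Door Premium profile and endpoint. The policy name, the IP range 203.0.113.0/24 (a documentation range), the country codes and the profile/endpoint parameter values are constructed placeholders, not values from this thread. Premium is assumed because Private Link origins and managed rule sets require it.

```bicep
// Added example: Front Door (Premium) WAF policy with IP allow list,
// geo-based block, and managed rules. All names/ranges are placeholders.

@description('Existing Front Door Premium profile to attach the WAF policy to.')
param frontDoorProfileName string

@description('Existing endpoint in that profile whose traffic the policy covers.')
param frontDoorEndpointName string

// Constructed allow list: a documentation range standing in for corporate egress.
param allowedSourceRanges array = [ '203.0.113.0/24' ]

// Constructed geo allow list (ISO 3166-1 alpha-2 codes).
param allowedCountries array = [ 'US', 'CA' ]

resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
  name: frontDoorProfileName
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' existing = {
  parent: profile
  name: frontDoorEndpointName
}

// WAF policy names must be alphanumeric; location for this resource type is Global.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'afdWafPolicyExample'
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'   // Block rather than just log; use 'Detection' while tuning.
    }
    customRules: {
      rules: [
        {
          // Lowest priority number wins: known-good sources are allowed first.
          name: 'AllowCorporateEgress'
          priority: 10
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Allow'
          matchConditions: [
            {
              matchVariable: 'RemoteAddr'
              operator: 'IPMatch'
              negateCondition: false
              matchValue: allowedSourceRanges
            }
          ]
        }
        {
          // Geographic access control: block anything NOT from the allowed countries.
          name: 'BlockOutsideAllowedGeo'
          priority: 20
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RemoteAddr'
              operator: 'GeoMatch'
              negateCondition: true
              matchValue: allowedCountries
            }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
        }
      ]
    }
  }
}

// Attach the WAF policy to the endpoint's domain for all paths.
resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2023-05-01' = {
  parent: profile
  name: 'wafSecurityPolicyExample'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: {
        id: wafPolicy.id
      }
      associations: [
        {
          domains: [
            {
              id: endpoint.id
            }
          ]
          patternsToMatch: [ '/*' ]
        }
      ]
    }
  }
}
```

Two points worth checking after deployment: custom rules are evaluated in priority order before managed rules, so an Allow at priority 10 short-circuits the later geo block for those ranges, which is usually what an allow list intends but should be confirmed against your requirements; and a WAF on the edge does not change the path discussed above, since traffic still enters at the AFD edge and reaches the Web App over Private Link on the Azure backbone.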