Connect Azure Front Door Premium to a Storage Account origin with Private Link with Azure CLI
This article guides you through configuring an Azure Front Door Premium tier profile to connect to your Storage Account privately, using the Azure Private Link service, with the Azure CLI.
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- An Azure account with an active subscription. Create an account for free.
- Have a functioning Azure Front Door Premium profile, an endpoint and an origin group. For more information on how to create an Azure Front Door profile, see Create a Front Door - CLI.
- Have a functioning Storage Account that is also private. Refer to this doc to learn how to set one up.
Note
Private endpoints require your Storage Account to meet certain requirements. For more information, see Using Private Endpoints for Azure Storage.
Enable Private Link to a Storage Account in Azure Front Door Premium
Run az afd origin create to create a new Azure Front Door origin. Enter the following settings to configure the Storage Account you want Azure Front Door Premium to connect with privately. Note that private-link-location must be one of the available regions and private-link-sub-resource-type must be blob.
az afd origin create --enabled-state Enabled \
--resource-group myRGFD \
--origin-group-name og1 \
--origin-name mystorageorigin \
--profile-name contosoAFD \
--host-name mystorage.blob.core.windows.net \
--origin-host-header mystorage.blob.core.windows.net \
--http-port 80 \
--https-port 443 \
--priority 1 \
--weight 500 \
--enable-private-link true \
--private-link-location EastUS \
--private-link-request-message 'AFD storage origin Private Link request.' \
--private-link-resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Storage/storageAccounts/mystorage \
--private-link-sub-resource-type blob
Approve Azure Front Door Premium private endpoint connection from Azure Storage
Run az network private-endpoint-connection list to list the private endpoint connections for your storage account. Make note of the Resource ID of the private endpoint connection available in the first line of the output.
az network private-endpoint-connection list --name mystorage --resource-group myRGFD --type Microsoft.Storage/storageAccounts
Run az network private-endpoint-connection approve to approve the private endpoint connection.
az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Storage/storageAccounts/mystorage/privateEndpointConnections/mystorage.00000000-0000-0000-0000-000000000000
Once approved, it takes a few minutes for the connection to fully establish. You can then access your storage account from Azure Front Door Premium. Direct access to the storage account from the public internet is disabled once the private endpoint is enabled.
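As an added example (not part of the article), the following Python script wraps the az CLI steps above: it approves only the pending connection that carries the request message sent by az afd origin create, reports any other pending request for review instead of approving it, and then checks that the storage account reports public network access as disabled. It assumes the Azure CLI is installed and signed in, the names myRGFD and mystorage from the article, and that the list command returns the ARM shape with the connection state under properties; SAMPLE_CONNECTIONS is constructed data, not real output.

```python
"""Approve only the Front Door private endpoint request; confirm public access is off."""
from __future__ import annotations
import json
import subprocess
from typing import Any

# Names from the article; the message is the one sent with `az afd origin create`.
RESOURCE_GROUP, STORAGE_ACCOUNT = "myRGFD", "mystorage"
EXPECTED_MESSAGE = "AFD storage origin Private Link request."
# Constructed sample of `az ... private-endpoint-connection list -o json` (assumed ARM shape).
SAMPLE_CONNECTIONS = [
    {"id": "/sub/x/pec/afd-request", "properties": {"privateLinkServiceConnectionState":
        {"status": "Pending", "description": EXPECTED_MESSAGE}}},
    {"id": "/sub/x/pec/unknown", "properties": {"privateLinkServiceConnectionState":
        {"status": "Pending", "description": "Please approve"}}},
    {"id": "/sub/x/pec/old", "properties": {"privateLinkServiceConnectionState":
        {"status": "Approved", "description": EXPECTED_MESSAGE}}},
]

def _state(conn: dict[str, Any]) -> dict[str, Any]:
    return conn.get("properties", conn).get("privateLinkServiceConnectionState", {})

def pending_ids(conns: list[dict[str, Any]], message: str, match: bool) -> list[str]:
    """IDs of Pending connections whose request message equals `message` (match=True) or
    differs (match=False). Only the former are approved; a request you did not create is reported."""
    return [c["id"] for c in conns if _state(c).get("status") == "Pending"
            and (_state(c).get("description") == message) is match]

def public_access_disabled(account: dict[str, Any]) -> bool:
    """True when `az storage account show` reports publicNetworkAccess == "Disabled"."""
    return account.get("publicNetworkAccess") == "Disabled"

def az(*args: str) -> Any:  # run one az command and parse its JSON output
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None

def main() -> None:
    conns = az("network", "private-endpoint-connection", "list", "--name", STORAGE_ACCOUNT,
               "--resource-group", RESOURCE_GROUP, "--type", "Microsoft.Storage/storageAccounts")
    for cid in pending_ids(conns, EXPECTED_MESSAGE, match=False):
        print("REVIEW: unexpected pending private endpoint request:", cid)
    for cid in pending_ids(conns, EXPECTED_MESSAGE, match=True):
        az("network", "private-endpoint-connection", "approve", "--id", cid,
           "--description", "Approved for Azure Front Door Premium origin")
    acct = az("storage", "account", "show", "--name", STORAGE_ACCOUNT, "--resource-group", RESOURCE_GROUP)
    print("public network access disabled:", public_access_disabled(acct))

if __name__ == "__main__":
    main()
```

Run it after az afd origin create has been issued; a pending request that does not carry your message is printed for review and left untouched.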
Note
If the blob or container within the storage account doesn't permit anonymous access, requests made against the blob or container must be authorized. One option for authorizing a request is to use shared access signatures.
Next steps
Learn about Private Link service with storage account.