Integrating Workload profile Container App with Front Door and Application Gateway Private Link

written by info.odysseyx@gmail.com, August 14, 2024

Introduction

For workload profile container apps, Private Link support is not yet available. The reason: "Private Link Service does not support load balancers with IP-based backend pools used in consumption + dedicated environments (workload profiles)." The feature is on the roadmap (Private Link Support for Workload Profiles · Azure Container Apps Roadmap), but there is currently no ETA.

In this article, we will walk through how to integrate a workload profile container app with Azure Front Door using Application Gateway. In this architecture Front Door connects to Application Gateway through Application Gateway Private Link, and Application Gateway is placed in the same VNET as the container app.

Note: As of August 2024, Private Link between Application Gateway and Front Door is still in public preview. Do not use it in production environments. For more information, see Securing Origin with Private Link in Azure Front Door Premium | Microsoft Learn. Check the same documentation to see whether the feature has reached general availability (GA), which means it is safe to use in production environments.

Guideline

1. Create a container app using a workload profile in an internal VNET

This step is simple: follow the official documentation (Integrate virtual networks with your internal Azure Container Apps environment | Microsoft Learn) to create a new internal Azure Container Apps environment in the VNET. Some important things to note:

(1) When using a workload profile environment, make sure the subnet is /27 or larger.
(2) After creation, set Ingress to "Restrict to VNET" so that Application Gateway traffic can reach the container app.

2.
Create an Application Gateway in the same VNET as the Azure Container App

Follow the official step-by-step documentation (Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF) | Microsoft Learn) to create an Application Gateway in the same VNET as your Azure Container App. Some important things to keep in mind during this process:

(1) Create a private DNS zone for the primary FQDN of the container app. This allows Application Gateway to resolve the container app's FQDN correctly.
(2) Prepare a custom domain and certificate for Application Gateway. This allows Front Door to establish a Private Link connection to Application Gateway's custom domain over HTTPS.

After completing steps 1 and 2, browse to the custom domain you specified to verify that the connection between Application Gateway and the Azure Container App works.

3. Create an Azure Front Door and integrate it with Application Gateway via Private Link

When I wrote this blog in August 2024, the Azure Portal did not yet support this integration with Application Gateway (Securing Origin with Private Link in Azure Front Door Premium | Microsoft Learn), so you need to use Azure CLI commands. Follow steps 3-1 to 3-7 to complete the setup. In the commands below, replace every <...> placeholder with your own value.

3-1. Create an Azure Front Door profile

Important things to note:

(1) Make sure you use the Premium SKU.
(2) If you do not create a resource group first, the following error occurs: InvalidArgumentValue: Missing required field: --location

```shell
az afd profile create \
  --profile-name <profile-name> \
  --resource-group <resource-group> \
  --sku Premium_AzureFrontDoor
```

3-2. Create an endpoint

```shell
az afd endpoint create \
  --resource-group <resource-group> \
  --endpoint-name <endpoint-name> \
  --profile-name <profile-name> \
  --enabled-state Enabled
```

3-3.
Create an origin group

```shell
az afd origin-group create \
  --resource-group <resource-group> \
  --origin-group-name <origin-group-name> \
  --profile-name <profile-name> \
  --probe-request-type GET \
  --probe-protocol Https \
  --probe-interval-in-seconds 60 \
  --probe-path / \
  --sample-size 4 \
  --successful-samples-required 3 \
  --additional-latency-in-milliseconds 50
```

3-4. Manually add a private link configuration to Application Gateway

When adding the private link configuration, keep these three things in mind:

(1) Create a new subnet: you need a new subnet dedicated to the private link.
(2) Select the frontend IP: select the frontend IP that is attached to the listener.
(3) Save the frontend IP configuration: note the "Frontend IP Configuration" value, because it is the value of the --private-link-sub-resource-type parameter in the next step.

3-5. Create the origin and connect it through the Application Gateway private link

```shell
az afd origin create \
  --enabled-state Enabled \
  --resource-group <resource-group> \
  --origin-group-name <origin-group-name> \
  --origin-name <origin-name> \
  --profile-name <profile-name> \
  --host-name <application-gateway-custom-domain> \
  --origin-host-header <application-gateway-custom-domain> \
  --http-port 80 \
  --https-port 443 \
  --priority 1 \
  --weight 500 \
  --enable-private-link true \
  --private-link-location <application-gateway-region> \
  --private-link-request-message 'AFD application gateway origin Private Link request.' \
  --private-link-resource <application-gateway-resource-id> \
  --private-link-sub-resource-type <frontend-ip-configuration-name>
```

3-6. Go back to Application Gateway and approve the private link request.

3-7. Create the route

```shell
az afd route create \
  --resource-group <resource-group> \
  --profile-name <profile-name> \
  --endpoint-name <endpoint-name> \
  --forwarding-protocol MatchRequest \
  --route-name route \
  --https-redirect Enabled \
  --origin-group <origin-group-name> \
  --supported-protocols Http Https \
  --link-to-default-domain Enabled
```

Congratulations! All the steps are complete. You can now open your Azure Front Door primary domain to check that everything works 🙂

Additional suggestions

To ensure that Application Gateway only accepts requests from Azure Front Door (AFD), you can use a Network Security Group (NSG). Follow these steps:

(1) Create a new NSG.
(2) Add a rule that allows traffic from the source AzureFrontDoor.Backend on port 443 only.
(3) Add another rule that allows ports 65200-65535 from the source GatewayManager. This is required for Application Gateway to work.
(4) Go to the Application Gateway subnet and associate this NSG with it.

This blocks other access to Application Gateway and only allows requests from Azure Front Door.
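The following is an added example, not code from the original post: steps 3-1 to 3-7 above collected into one parameterized script that prints the az commands by default (DRY_RUN=1) and only executes them when started with --run. The variable names, the default resource names, and the run/preflight helpers are my own assumptions; the Application Gateway resource ID and the Frontend IP Configuration name from step 3-4 must be supplied, and the script refuses to start without them.

```shell
#!/bin/sh
# Added example (not from the original post): steps 3-1 to 3-7 as one
# parameterized script. All default values are placeholders to replace.
# The Application Gateway and its private link frontend IP configuration
# (step 3-4) must already exist. DRY_RUN=1 (default) only prints commands.

RG="${RG:-rg-aca-afd}"                        # placeholder resource group
LOCATION="${LOCATION:-eastus}"                # placeholder: region of the App Gateway
PROFILE="${PROFILE:-afd-aca-profile}"
ENDPOINT="${ENDPOINT:-afd-aca-endpoint}"
ORIGIN_GROUP="${ORIGIN_GROUP:-og-appgw}"
ORIGIN="${ORIGIN:-origin-appgw}"
APPGW_HOST="${APPGW_HOST:-app.example.com}"   # custom domain on the App Gateway listener
APPGW_ID="${APPGW_ID:-}"                      # full resource ID of the Application Gateway
FRONTEND_IP_CONFIG="${FRONTEND_IP_CONFIG:-}"  # "Frontend IP Configuration" name from step 3-4
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse to start if the two values that are easy to forget are missing.
preflight() {
  [ -n "$APPGW_ID" ] || { echo "APPGW_ID (Application Gateway resource ID) is required" >&2; return 1; }
  [ -n "$FRONTEND_IP_CONFIG" ] || { echo "FRONTEND_IP_CONFIG (step 3-4) is required" >&2; return 1; }
  return 0
}

afd_private_link_deploy() {
  preflight || return 1
  # 3-1: the Premium SKU is required for Private Link origins
  run az afd profile create --profile-name "$PROFILE" --resource-group "$RG" --sku Premium_AzureFrontDoor
  # 3-2: endpoint
  run az afd endpoint create --resource-group "$RG" --endpoint-name "$ENDPOINT" --profile-name "$PROFILE" --enabled-state Enabled
  # 3-3: origin group with an HTTPS health probe
  run az afd origin-group create --resource-group "$RG" --origin-group-name "$ORIGIN_GROUP" --profile-name "$PROFILE" \
    --probe-request-type GET --probe-protocol Https --probe-interval-in-seconds 60 --probe-path / \
    --sample-size 4 --successful-samples-required 3 --additional-latency-in-milliseconds 50
  # 3-5: origin = App Gateway custom domain, reached through a Private Link request
  run az afd origin create --enabled-state Enabled --resource-group "$RG" --origin-group-name "$ORIGIN_GROUP" \
    --origin-name "$ORIGIN" --profile-name "$PROFILE" --host-name "$APPGW_HOST" --origin-host-header "$APPGW_HOST" \
    --http-port 80 --https-port 443 --priority 1 --weight 500 \
    --enable-private-link true --private-link-location "$LOCATION" \
    --private-link-request-message 'AFD application gateway origin Private Link request.' \
    --private-link-resource "$APPGW_ID" --private-link-sub-resource-type "$FRONTEND_IP_CONFIG"
  # 3-6 is manual: approve the pending Private Link request on the Application Gateway.
  # 3-7: route, redirecting HTTP to HTTPS
  run az afd route create --resource-group "$RG" --profile-name "$PROFILE" --endpoint-name "$ENDPOINT" \
    --forwarding-protocol MatchRequest --route-name route --https-redirect Enabled \
    --origin-group "$ORIGIN_GROUP" --supported-protocols Http Https --link-to-default-domain Enabled
}

if [ "${1:-}" = "--run" ]; then
  DRY_RUN=0
  afd_private_link_deploy
fi
```

Run it once without arguments to review the generated commands, then with `--run` (and `az login` done) to apply them; after the origin is created, approve the request on the Application Gateway before expecting the route to serve traffic.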
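As an added example (not part of the original post), here are the NSG rules from the Additional suggestions written as a small rule table, with one function that emits the matching az network nsg commands and another that walks the table in priority order the way the NSG engine does, so you can check offline which source/port combinations the Application Gateway subnet will still accept. The resource names and the priorities 100 and 110 are assumptions; the evaluator models only the two custom rules plus the built-in DenyAllInBound default and leaves out the other built-in default rules.

```shell
#!/bin/sh
# Added example (not from the original post): the NSG lockdown from the
# "Additional suggestions" as a rule table, az commands, and an offline
# evaluator. Resource names and rule priorities are placeholders/assumptions.

RG="${RG:-rg-aca-afd}"
NSG="${NSG:-nsg-appgw}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-aca}"
APPGW_SUBNET="${APPGW_SUBNET:-snet-appgw}"

# Rule table: priority|name|source|destination port range|access.
# Lower priority number wins. 65500 is the NSG's built-in DenyAllInBound
# default (the built-in VirtualNetwork/AzureLoadBalancer allows are omitted).
NSG_RULES='100|AllowAFDBackend443|AzureFrontDoor.Backend|443|Allow
110|AllowGatewayManager|GatewayManager|65200-65535|Allow
65500|DenyAllInBound|*|*|Deny'

# Emit the az commands: create the NSG, the two custom rules, and attach
# the NSG to the Application Gateway subnet (steps 1 to 4 of the suggestion).
nsg_commands() {
  printf 'az network nsg create --resource-group %s --name %s --location %s\n' "$RG" "$NSG" "$LOCATION"
  printf '%s\n' "$NSG_RULES" | while IFS='|' read -r prio name src ports access; do
    [ "$prio" = "65500" ] && continue   # built-in default rule, not created by us
    printf 'az network nsg rule create --resource-group %s --nsg-name %s --name %s --priority %s --direction Inbound --access %s --protocol Tcp --source-address-prefixes %s --destination-port-ranges %s\n' \
      "$RG" "$NSG" "$name" "$prio" "$access" "$src" "$ports"
  done
  printf 'az network vnet subnet update --resource-group %s --vnet-name %s --name %s --network-security-group %s\n' \
    "$RG" "$VNET" "$APPGW_SUBNET" "$NSG"
}

# port_in_range PORT RANGE -> success if PORT is inside RANGE ("*", "443", "65200-65535")
port_in_range() {
  port=$1; range=$2
  case "$range" in
    '*') return 0 ;;
    *-*) lo=${range%-*}; hi=${range#*-}; [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] ;;
    *)   [ "$port" -eq "$range" ] ;;
  esac
}

# nsg_evaluate SOURCE PORT -> prints Allow or Deny for an inbound TCP flow,
# using the first matching rule in ascending priority order.
nsg_evaluate() {
  src=$1; port=$2
  printf '%s\n' "$NSG_RULES" | sort -t'|' -n -k1,1 | while IFS='|' read -r prio name rsrc ports access; do
    if [ "$rsrc" = '*' ] || [ "$rsrc" = "$src" ]; then
      if port_in_range "$port" "$ports"; then
        printf '%s\n' "$access"
        break
      fi
    fi
  done
}
```

`nsg_evaluate Internet 443` answers Deny while `nsg_evaluate AzureFrontDoor.Backend 443` answers Allow, which is the property the suggestion is after; `nsg_commands` prints the commands to apply once the table looks right.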