Joe_Chen
Introduction
For the workload profile container app, private link support is not yet available. This is because the “Private Link Service does not support a load balancer that has an IP-based backend pool, which is used in Consumption + Dedicated environments (Workload Profile)”. Although we have a roadmap to implement this feature (Private link support for Workload Profiles · Azure Container Apps Roadmap), there is currently no ETA.
In the meantime, I will guide you on how to integrate a workload profile container app with Azure Front Door using an Application Gateway. The architecture involves using the Application Gateway private link to connect to the Front Door, and placing the Application Gateway in the same VNET as the container app to achieve this integration.
Note: As of August 2024, the private link for integrating Application Gateway with Front Door is still in public preview. Please avoid using it in production environments. For more details, refer to the documentation: Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn. You can also check the document to see if it has reached General Availability (GA). Once it is GA, it will be safe to use in production environments.
Instructions
1. Create Container App with workload profile in the internal VNET
This step is straightforward. Follow the official documentation here (Integrate a virtual network with an internal Azure Container Apps environment | Microsoft Learn) to create a new internal Azure Container App environment in the VNET. Here are a few important points to note:
(1) When using the workload profiles environment, ensure you have a /27 or larger subnet
(2) After creation, enable Ingress for “Limited to VNET” to allow Application Gateway traffic to reach the container app
2. Create the Application Gateway in the same VNET as the Azure Container App
Follow the step-by-step official document here (Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF) | Microsoft Learn) to create the Application Gateway in the same VNET as your Azure Container App. Here are a few important things to note during this process:
(1) Create a Private DNS Zone for the Container App’s default FQDN. This ensures that the Application Gateway can properly resolve the Container App’s FQDN
(2) Prepare a custom domain and certificate for the Application Gateway. This allows the Front Door to set up a private link to the Application Gateway’s custom domain using HTTPS
Once you’ve completed Steps 1 and 2, head over to your specified custom domain to check if the connection between the Application Gateway and Azure Container App is working smoothly.
3. Create Azure Front Door and integrate with Application Gateway via private link
When I wrote this blog in August 2024, the Azure portal still did not support this integration with Application Gateway (see Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn). Therefore, we need to use Azure CLI commands to achieve this. Please follow steps 3-1 to 3-7 to finish the setup.
3-1. Create an Azure Front Door Profile
Important Points to Note:
(1) Ensure you are using the Premium SKU.
(2) Create the resource group first, or you will encounter the error:
InvalidArgumentValue: Missing required field: --location
az afd profile create --profile-name <profile-name> --resource-group <RG-name> --sku Premium_AzureFrontDoor
3-2. Create endpoint
az afd endpoint create --resource-group <RG-name> --endpoint-name <endpoint-name> --profile-name <profile-name> --enabled-state Enabled
3-3. Create origin group
az afd origin-group create --resource-group <RG-name> --origin-group-name <origin-group-name> --profile-name <profile-name> --probe-request-type GET --probe-protocol Https --probe-interval-in-seconds 60 --probe-path / --sample-size 4 --successful-samples-required 3 --additional-latency-in-milliseconds 50
3-4. Manually Adding Private Link Configuration for Application Gateway
When adding a private link configuration, keep these three points in mind:
(1) Create a New Subnet: Ensure you create a new subnet specifically for the private link.
(2) Select Frontend IP: Choose the Frontend IP that is connected to the listener.
(3) Save Frontend IP Configuration: Save the value for “Frontend IP Configuration”, as it will be needed for the parameter --private-link-sub-resource-type in the next step.
3-5. Create origin and integrate with Application Gateway private link
az afd origin create --enabled-state Enabled --resource-group <RG-name> --origin-group-name <origin-group-name> --origin-name <origin-name> --profile-name <profile-name> --host-name <custom-domain-name-for-appgw> --origin-host-header <custom-domain-name-for-appgw> --http-port 80 --https-port 443 --priority 1 --weight 500 --enable-private-link true --private-link-location <location-for-application-gateway> --private-link-request-message 'AFD application gateway origin Private Link request.' --private-link-resource <application-gateway-resourceID> --private-link-sub-resource-type <frontend-ip-configuration-name>
3-6. Go back to Application Gateway and approve Private link request
3-7. Create route
az afd route create --resource-group <RG-name> --profile-name <profile-name> --endpoint-name <endpoint-name> --forwarding-protocol MatchRequest --route-name route --https-redirect Enabled --origin-group <origin-group-name> --supported-protocols Http Https --link-to-default-domain Enabled
Congratulations! All the steps are complete. Now, you can try accessing the Azure Front Door default domain to ensure everything is working perfectly.
Additional Suggestion
To ensure that the Application Gateway only accepts requests from Azure Front Door (AFD), you can use a Network Security Group (NSG). Follow these steps:
(1) Create a new NSG
(2) Add a rule to allow traffic only from the source (AzureFrontDoor.Backend) for port 443
(3) Add another rule to allow traffic from the source (GatewayManager) for ports 65200-65535. *This is needed for Application Gateway to work.
(4) Navigate to the Application Gateway subnet and attach this NSG
This will lock down access to the Application Gateway, allowing requests only from Azure Front Door.
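The four NSG steps above as an Azure CLI script. This is an added example, not code from the original post; the resource group, region, VNET, subnet and NSG names are placeholders, and DRY_RUN=1 (the default) prints the az commands for review instead of running them.

```shell
#!/usr/bin/env sh
# Added example: lock the Application Gateway subnet down to Azure Front Door
# and the Azure control plane with an NSG. All names below are placeholders.
set -eu

RG="${RG:-my-rg}"                               # resource group of the VNET (placeholder)
LOCATION="${LOCATION:-eastus}"                  # region (placeholder)
VNET="${VNET:-my-vnet}"                         # VNET shared by container app and gateway (placeholder)
APPGW_SUBNET="${APPGW_SUBNET:-appgw-subnet}"    # Application Gateway subnet (placeholder)
NSG="${NSG:-appgw-nsg}"                         # name of the new NSG (placeholder)
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the plan, 0 = apply with az

# Run an az command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# One inbound allow rule. A lower priority number wins; the NSG's built-in
# DenyAllInBound rule (priority 65500) drops everything not allowed here.
allow_rule() { # args: rule-name priority source-service-tag destination-port-range
  run network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$3" --destination-port-ranges "$4"
}

lockdown_appgw_subnet() {
  # (1) Create a new NSG
  run network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
  # (2) Allow HTTPS only from the Front Door backend service tag. The tag covers
  #     every Front Door profile, so also validate the X-Azure-FDID request header
  #     (e.g. with a WAF custom rule) to pin traffic to your own profile ID.
  allow_rule AllowFrontDoorHttps 100 AzureFrontDoor.Backend 443
  # (3) Allow the Azure control plane; Application Gateway v2 needs 65200-65535
  allow_rule AllowGatewayManager 110 GatewayManager 65200-65535
  # (4) Attach the NSG to the Application Gateway subnet
  run network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$APPGW_SUBNET" --network-security-group "$NSG"
}

lockdown_appgw_subnet
```

After applying with DRY_RUN=0, browse to the Front Door default domain again; if it stops responding, NSG flow logs on the gateway subnet show which source the new rules are blocking.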
Reference
- Integrate a virtual network with an internal Azure Container Apps environment | Microsoft Learn
- Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF) | Microsoft Learn
- Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn