Guest Joe_Chen Posted August 14 Posted August 14 [HEADING=2]Introduction[/HEADING] For the workload profile container app, private link support is not yet available. This is because the “Private Link Service does not support a load balancer that has an IP-based backend pool, which is used in Consumption + Dedicated environments (Workload Profile)”. Although we have a roadmap to implement this feature (Private link support for Workload Profiles · Azure Container Apps Roadmap), there is currently no ETA. In the meantime, I will guide you on how to integrate a workload profile container app with Azure Front Door using an Application Gateway. The architecture involves using the Application Gateway private link to connect to the Front Door, and placing the Application Gateway in the same VNET as the container app to achieve this integration. [ATTACH type=full" alt="afd_appgw_aca.png]62737[/ATTACH] Note: As of August 2024, the private link for integrating Application Gateway with Front Door is still in public preview. Please avoid using it in production environments. For more details, refer to the documentation: Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn. You can also check the document to see if it has reached General Availability (GA). Once it is GA, it will be safe to use in production environments. [HEADING=2]Instruction[/HEADING] 1. Create Container App with workload profile in the internal VNET This step is straightforward. Follow the official documentation here (Integrate a virtual network with an internal Azure Container Apps environment | Microsoft Learn) to create a new internal Azure Container App environment in the VNET. Here are a few important points to note: (1) When using the workload profiles environment, ensure you have a /27 or larger subnet (2) After creation, enable Ingress for “Limited to VNET” to allow Application Gateway traffic to reach the container app [ATTACH type=full" alt="afd1.png]62738[/ATTACH] 2. Create the Application gateway in the same VENT as Azure Container App Follow the step-by-step official document here (Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF) | Microsoft Learn) to create the Application Gateway in the same VNET as your Azure Container App. Here are a few important things to note during this process: (1) Create a Private DNS Zone for the Container App’s default FQDN. This ensures that the Application Gateway can properly resolve the Container App’s FQDN (2) Prepare a custom domain and certificate for the Application Gateway. This allows the Front Door to set up a private link to the Application Gateway’s custom domain using HTTPS Once you’ve completed Steps 1 and 2, head over to your specified custom domain to check if the connection between the Application Gateway and Azure Container App is working smoothly. 3. Create Azure Front Door and integrate with Application Gateway via private link When I wrote this blog in August 2024, the Azure portal still did not support integration with Application Gateway. (Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn) Therefore, we might need to use Azure CLI commands to achieve this. Please follow the steps 3-1 to 3-7 to finish the setup. [ATTACH type=full" alt="afd2.png]62739[/ATTACH] 3-1. Create an Azure Front Door Profile Important Points to Note: (1) Ensure you are using the Premium SKU. (2) Create the resource group first, or you will encounter the error: [iCODE]InvalidArgumentValue: Missing required field: --location[/iCODE] [iCODE]az afd profile create --profile-name <profile-name> --resource-group <RG-name> --sku Premium_AzureFrontDoor[/iCODE] 3-2. Create endpoint [iCODE]az afd endpoint create --resource-group <RG-name> --endpoint-name <endpoint-name> --profile-name <profile-name> --enabled-state Enabled[/iCODE] 3-3. Create origin group [iCODE]az afd origin-group create --resource-group <RG-name> --origin-group-name <origin-group-name> --profile-name <profile-name> --probe-request-type GET --probe-protocol Https --probe-interval-in-seconds 60 --probe-path / --sample-size 4 --successful-samples-required 3 --additional-latency-in-milliseconds 50[/iCODE] 3-4. Manually Adding Private Link Configuration for Application Gateway When adding a private link configuration, keep these three points in mind: (1) Create a New Subnet: Ensure you create a new subnet specifically for the private link. (2) Select Frontend IP: Choose the Frontend IP that is connected to the listener. (3) Save Frontend IP Configuration: Save the value for “Frontend IP Configuration” as it will be needed for the parameter [iCODE]--private-link-sub-resource-type[/iCODE] in the next step. [ATTACH type=full" alt="afddd.png]62740[/ATTACH] 3-5. Create origin and integration with Application Gateway private link [iCODE]az afd origin create --enabled-state Enabled --resource-group <RG-name> --origin-group-name <origin-group-name> --origin-name <origin-name> --profile-name <profile-name> --host-name <custom-domain-name-for-appgw> --origin-host-header <custom-domain-name-for-appgw> --http-port 80 --https-port 443 --priority 1 --weight 500 --enable-private-link true --private-link-location <location-for-application-gateway> --private-link-request-message 'AFD application gateway origin Private Link request.' --private-link-resource <application-gateway-resourceID> --private-link-sub-resource-type <frontend-ip-configuration-name>[/iCODE] 3-6. Go back to Application Gateway and approve Private link request [ATTACH type=full" alt="afd4.png]62741[/ATTACH] 3-7. Create route [iCODE]az afd route create --resource-group <RG-name> --profile-name <profile-name> --endpoint-name <endpoint-name> --forwarding-protocol MatchRequest --route-name route --https-redirect Enabled --origin-group <origin-group-name> --supported-protocols Http Https --link-to-default-domain Enabled[/iCODE] Congratulations! All the steps are complete. Now, you can try accessing the Azure Front Door default domain to ensure everything is working perfectly :) [HEADING=2]Additional Suggestion[/HEADING] To ensure that the Application Gateway only accepts requests from Azure Front Door (AFD), you can use a Network Security Group (NSG). Follow these steps: (1) Create a new NSG (2) Add a rule to allow traffic only from the source (AzureFrontDoor.Backend) for port 443 (3) Add another rule to allow from source (GatewayManager) for port 65200 - 65535 *This is needed for Application Gateway to working (4) Navigate to the Application Gateway subnet and attach this NSG This will lock down access to the Application Gateway, allowing requests only from Azure Front Door. [ATTACH type=full" alt="afd5.png]62742[/ATTACH] [HEADING=2]Reference[/HEADING] Integrate a virtual network with an internal Azure Container Apps environment | Microsoft Learn Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF) | Microsoft Learn Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn Continue reading... Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.