Forum Discussion
SteveDiStefano
Microsoft
Nov 03, 2021
Can Azure Front Door serve private backends
Customer has deployed an Azure Landing Zone in West US and after much success, deployed a replica in several other GEOs (Canada, EMEA, AP, India) to serve the world. So now they have 5 of them.
Ea...
- Nov 03, 2021 I received an email reply from the Product Group:
<SNIP>
No, you SHOULD consider replacing 5 WAFs with a central WAF on Front Door. The document essentially is saying that the backends of AFD should be on a public IP, accessible by Front Door. The backend public IP can be locked down to talk to only Front Door and not directly accessible by customers from the internet. Refer to documentation here - https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-
Additionally with Front Door premium we also integrate with Private Link, and so if the backend LB exposes a private link then we can talk to it directly using private IP. This is currently in preview. https://docs.microsoft.com/en-us/azure/frontdoor/standard-premium/concept-private-link
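
Added example, not part of the original thread or any Microsoft code: a backend-side check for the "locked down to talk to only Front Door" case above, combining a source-range check with the `X-Azure-FDID` header that Front Door attaches to requests it forwards. The Front Door ID and the IP ranges are constructed placeholders; in a real deployment the ranges come from the `AzureFrontDoor.Backend` service tag.

```python
import ipaddress

# Assumptions (constructed for this example, not taken from the thread):
# - EXPECTED_FDID is a placeholder for your own Front Door ID.
# - FRONT_DOOR_BACKEND_RANGES stands in for the AzureFrontDoor.Backend
#   service tag prefixes; these are documentation ranges, not real ones.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"
FRONT_DOOR_BACKEND_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_from_front_door(peer_ip, headers):
    """Return (allowed, reason) for one inbound request.

    peer_ip is the TCP peer address seen by the backend, never a value
    taken from X-Forwarded-For, which the client controls.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable peer address"
    if not any(addr in net for net in FRONT_DOOR_BACKEND_RANGES):
        return False, "peer outside Front Door backend ranges"
    # The backend ranges are shared by every Front Door profile, so the
    # range check alone still admits other tenants' profiles. The header
    # check ties the request to one specific profile.
    lowered = {k.lower(): v for k, v in headers.items()}
    fdid = lowered.get("x-azure-fdid", "").strip().lower()
    if not fdid:
        return False, "missing X-Azure-FDID"
    if fdid != EXPECTED_FDID:
        return False, "X-Azure-FDID belongs to another Front Door profile"
    return True, "ok"


# Constructed sample requests: (peer address, request headers).
SAMPLE_REQUESTS = [
    ("203.0.113.10", {"X-Azure-FDID": EXPECTED_FDID}),
    ("198.51.100.7", {"X-Azure-FDID": EXPECTED_FDID}),
    ("203.0.113.10", {"x-azure-fdid": "11111111-1111-1111-1111-111111111111"}),
    ("203.0.113.10", {}),
]

if __name__ == "__main__":
    for ip, hdrs in SAMPLE_REQUESTS:
        print(ip, is_from_front_door(ip, hdrs))
```

The header check is only meaningful together with the range check, because a client that can reach the backend directly can set any header it likes.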