Forum Discussion
Front door with private link service
Has anyone successfully used frontdoor with private link service?
I have a typical setup: a VM with only a private interface running IIS. In the same subnet as the VM, I created an internal load balancer. In Front Door (Premium), I created the site, and the origin has the private link service enabled and approved. However, I can't reach the site through Front Door no matter what, though I can hit the load balancer directly and show the page without issue. One question I have is, in the Front Door origin --> Host Name, what do you use there? Is that the private IP of the load balancer, the Front Door URL, or the custom URL for the site? Can't seem to find a clear document that has some details on this.
1 Reply
Refer to this on Front Door with Private Link to ILB:
- Origin Host Name
• Use the private IP address of the internal load balancer or a custom domain name that resolves to it within your VNet.
• This value is used for SNI (Server Name Indication) during TLS negotiation and must match the Common Name (CN) or Subject Alternative Name (SAN) in your server certificate.
• If your IIS server uses a self-signed certificate or one issued for a custom domain (e.g., internal.contoso.local), then use that domain as the Host Name.
- Origin Host Header
• This is the HTTP Host header sent by Front Door to your origin.
• It should typically match the Host Name unless your backend expects a specific header (e.g., internal.contoso.local).
• If your IIS site is bound to a specific hostname, make sure this matches.
- Private Link Setup Checklist
1. Private Link Service must be created and associated with the ILB.
2. Azure Front Door Premium must be configured to use Private Link and the connection must be approved.
3. Ensure NSGs and UDRs allow traffic from the Azure Front Door managed virtual network to your ILB.
4. Port 443 or 80 must be open on the ILB and VM.
5. Health Probes from Front Door must be allowed through the ILB to the VM.
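The reply above boils down to a handful of consistency rules between the Front Door origin settings and what sits behind the ILB: the Host Name is the SNI value and must appear in the origin certificate's CN/SAN, the Host Header must be one the IIS site is bound to, and the origin port must be open on the ILB/VM path. The following script is an added example, not code from the original thread or from Microsoft; it encodes those rules as a pre-flight check. The certificate is modelled in the dictionary shape that Python's `ssl.getpeercert()` returns, and every value (`internal.contoso.local`, `10.0.1.4`, the port set, the IIS bindings) is a constructed, hypothetical sample.

```python
import ipaddress

# Constructed sample data, not from the original post: the shape ssl.getpeercert()
# returns for an IIS certificate issued for internal.contoso.local.
SAMPLE_CERT = {
    "subject": ((("commonName", "internal.contoso.local"),),),
    "subjectAltName": (("DNS", "internal.contoso.local"), ("DNS", "*.contoso.local")),
}

# Constructed Front Door origin settings and origin-side facts (hypothetical values).
GOOD_ORIGIN = {
    "host_name": "internal.contoso.local",    # used for SNI during TLS to the origin
    "host_header": "internal.contoso.local",  # HTTP Host header Front Door sends
    "https_port": 443,
}
ORIGIN_SIDE = {
    "open_ports": {443},                         # ports allowed on the ILB rule and VM NSG
    "iis_bindings": ["internal.contoso.local"],  # host names bound on the IIS site
}


def cert_names(cert):
    """Return (dns_names, ip_names) from the SAN list; fall back to the CN only when there is no SAN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def dns_name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers only the left-most label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:] and parts[0] != ""
    return False


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_origin(origin, cert, origin_side):
    """Return a list of (code, message) findings; an empty list means the settings are consistent."""
    findings = []
    host_name = origin["host_name"]
    host_header = origin.get("host_header") or host_name
    dns, ips = cert_names(cert)

    # 1. Host Name is the SNI value and must appear in the certificate's SAN/CN.
    if is_ip(host_name):
        if host_name not in ips:
            findings.append(("sni-name-mismatch",
                f"host name {host_name} is an IP with no matching IP SAN; use a name from the certificate"))
    elif not any(dns_name_matches(p, host_name) for p in dns):
        findings.append(("sni-name-mismatch",
            f"host name {host_name} matches neither the CN nor any SAN ({', '.join(dns) or 'none'})"))

    # 2. Host Header should equal Host Name unless the backend expects something else.
    if host_header.lower() != host_name.lower():
        findings.append(("host-header-differs",
            f"host header {host_header} differs from host name {host_name}; confirm the site expects it"))

    # 3. Whatever Host header is sent must match an IIS binding (an empty binding accepts any host).
    bindings = [b.lower() for b in origin_side.get("iis_bindings", [])]
    if bindings and "" not in bindings and host_header.lower() not in bindings:
        findings.append(("iis-binding-missing",
            f"IIS has no binding for {host_header}; add one or change the host header"))

    # 4. The origin port must be open on the ILB rule and the VM NSG.
    port = origin.get("https_port", 443)
    if port not in origin_side.get("open_ports", set()):
        findings.append(("port-not-open", f"port {port} is not open on the ILB/VM path"))

    return findings


if __name__ == "__main__":
    # The scenario from the question: the ILB's private IP typed into Host Name.
    for code, msg in check_origin({**GOOD_ORIGIN, "host_name": "10.0.1.4"}, SAMPLE_CERT, ORIGIN_SIDE):
        print(code, "-", msg)
```

Running it with the ILB's private IP as Host Name reports two findings: the IP is not in the certificate's SAN list, and the Host Header no longer equals the Host Name. Swapping in the name the certificate was issued for (and making sure IIS is bound to it) clears both, which is the combination the reply recommends.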