Connect Azure Front Door Premium to an AKS App origin with Private Link
Introduction
This article walks you through configuring the Azure Front Door Premium tier to reach your private AKS application origin through an Azure Private Link service.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
- An Azure Front Door Premium profile. Private Link support is only available with the Premium Azure Front Door tier, as explained in the following documentation: Tier comparison.
- An Azure Kubernetes Service cluster in a Virtual Network.
- An Azure subnet where the Private Link service will be deployed. This subnet must exist in the same VNet as your AKS cluster.
Create a Private Link service for your AKS app
Warning: we will use the AKS Private Link Service integration, which is currently in preview.
1. Deploy the following YAML via kubectl in order to publish on your AKS:
   - A multi-container application (source code inspired by the following tutorial).
   - An Azure Private Link service; the reference documentation for these annotations is available here: Kubernetes — Azure Private Link Service Integration.
   - A Kubernetes Network Policy that authorizes inbound traffic from the front end to the backend app.
2. Go to the Private Link Center and select Private link services. Then select the Private Link service that AKS created and note its name; you will need it in the next chapter.
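As an added illustration (not the manifest the author deployed), the following shows the two security-relevant pieces of such a deployment: an internal LoadBalancer Service carrying the cloud-provider annotations that make AKS create the Private Link service in the subnet from the prerequisites, and a NetworkPolicy that only lets the front-end pods reach the backend. The namespace, label values, Private Link service name and subnet name are placeholders.

```yaml
# Constructed example: namespace, labels, PLS name and subnet name are
# placeholders; replace them with your own values before applying.
apiVersion: v1
kind: Service
metadata:
  name: front
  namespace: demo-app
  annotations:
    # Internal load balancer only: the Service never receives a public IP.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Ask the Azure cloud provider to create a Private Link Service
    # attached to this internal load balancer.
    service.beta.kubernetes.io/azure-pls-create: "true"
    service.beta.kubernetes.io/azure-pls-name: "pls-front"
    # Subnet (same VNet as the cluster) that hosts the PLS NAT IP;
    # privateLinkServiceNetworkPolicies must be disabled on that subnet.
    service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: "snet-pls"
spec:
  type: LoadBalancer
  selector:
    app: front
  ports:
    - port: 80
      targetPort: 8080
---
# Only pods labelled app=front may open TCP/8080 to the backend pods;
# every other ingress to the backend is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-front-only
  namespace: demo-app
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: front
      ports:
        - protocol: TCP
          port: 8080
```

Without an auto-approval annotation, the private endpoint that Front Door creates stays pending until you approve it manually, which is the step described later in this article.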
Enable Private Link to the AKS internal load balancer
In this section, you’ll map the Private Link service to a private endpoint created in Azure Front Door’s private network.
- Within your Azure Front Door Premium profile, under Settings, select Origin groups.
- Select the origin group for which you want to enable Private Link to the internal load balancer.
- Select + Add an origin to add an internal load balancer origin. Note that the hostname must be a valid domain name, IPv4 address or IPv6 address. There are two ways to select an Azure resource. The first option, “In my directory”, selects your own resources. The second option, “By ID or alias”, connects to someone else’s resource using a resource ID or alias that has been shared with you. Using the “In my directory” option, select the name of your Private Link service, the one you noted in the previous chapter.
Then select Add, and then Update, to save the origin group settings.
Approve Azure Front Door Premium private endpoint connection from Private link service
- Go to the Private Link Center and select Private link services. Then select your Private link name.
- Select Private endpoint connections under Settings.
- Select the pending private endpoint request from Azure Front Door Premium then select Approve. Select Yes to confirm you want to create this connection.
- Once approved, it should look like the screenshot below. It will take a few minutes for the connection to fully establish.
Create Azure Front Door endpoint
The final step consists of linking your Front Door origin to a Front Door endpoint and route.
In the following screenshot, traffic is forwarded to the origin over HTTP because our pod only listens privately on HTTP, and all incoming traffic is redirected to HTTPS so that public access happens over HTTPS only.
Et voilà … Your AKS app has been published via Azure Front Door!
Conclusion
This is a fantastic opportunity to leverage a new type of ingress controller for AKS. Azure Front Door brings native features such as CDN, WAF and managed certificates that ease the security, design and management of our cloud solution.
See You in the Cloud
Jamesdld