This article guides you through the steps to configure an Azure Front Door Premium to connect privately to your Azure API Management origin using Azure Private Link.
Prerequisites
An Azure account with an active subscription. Create an account for free.
An Azure Front Door Premium profile and an endpoint. For more information on how to create an Azure Front Door profile, see Create a Front Door using the Azure portal.
An Azure API Management instance. For more information on how to create an API Management instance, see Create a new Azure API Management instance. For v1 tiers, the instance should be deployed in public mode and not in virtual network mode.
Note
Private endpoint support in the API Management Standard v2 tier is currently in preview.
Create an origin group and add the API Management instance as an origin
Under Settings of your Azure Front Door Premium profile, select Origin groups.
Select Add.
Enter a name for the origin group.
Select + Add an origin.
Use the following table to configure the origin settings:
Setting | Value
Name | Enter a name to identify this origin.
Origin Type | Select API Management.
Host name | Select the host from the dropdown that you want as an origin.
Origin host header | Will be autopopulated with the host of the chosen API Management instance.
HTTP port | 80 (default).
HTTPS port | 443 (default).
Priority | Assign different priorities to origins for primary, secondary, and backup purposes.
Weight | 1000 (default). Use weights to distribute traffic among different origins.
Region | Select the region that matches or is closest to your origin.
Target sub resource | Select Gateway.
Request message | Enter a custom message to display while approving the Private Endpoint.
Select Add to save your origin settings.
Select Add to save the origin group settings.
Approve the private endpoint
Go to the API Management instance you configured with Private Link in the previous section.
Under Deployment + infrastructure, select Network.
Select the Inbound private endpoint connections tab.
Find the pending private endpoint request from Azure Front Door Premium and select Approve.
After approval, the connection status will update. It can take a few minutes for the connection to fully establish. Once established, you can access your API Management through Front Door.
Prerequisites
An Azure account with an active subscription. Create an account for free.
An Azure Front Door Premium profile and an endpoint. For more information on how to create an Azure Front Door profile, see Create a Front Door using Azure PowerShell.
An Azure API Management instance. For more information on how to create an API Management instance, see Create a new Azure API Management instance using PowerShell. For v1 tiers, the instance should be deployed in public mode and not in virtual network mode.
Azure Cloud Shell or Azure PowerShell.
The steps in this article run the Azure PowerShell cmdlets interactively in Azure Cloud Shell. You can also run the Cloud Shell from within the Azure portal.
You can also install Azure PowerShell locally to run the cmdlets. If you run PowerShell locally, sign in to Azure using the Connect-AzAccount cmdlet.
Note
Private endpoint support in the API Management Standard v2 tier is currently in preview.
Create an origin group and add the API Management instance as an origin
Use New-AzFrontDoorCdnOriginGroupHealthProbeSettingObject to create an in-memory object for storing the health probe settings.
$healthProbeSetting = New-AzFrontDoorCdnOriginGroupHealthProbeSettingObject `
    -ProbeIntervalInSecond 60 `
    -ProbePath "/" `
    -ProbeRequestType GET `
    -ProbeProtocol Http
Use New-AzFrontDoorCdnOriginGroupLoadBalancingSettingObject to create an in-memory object for storing load balancing settings.
$loadBalancingSetting = New-AzFrontDoorCdnOriginGroupLoadBalancingSettingObject `
    -AdditionalLatencyInMillisecond 50 `
    -SampleSize 4 `
    -SuccessfulSamplesRequired 3
Run New-AzFrontDoorCdnOriginGroup to create an origin group that contains your API Management instance.
$origingroup = New-AzFrontDoorCdnOriginGroup `
    -OriginGroupName myOriginGroup `
    -ProfileName myFrontDoorProfile `
    -ResourceGroupName myResourceGroup `
    -HealthProbeSetting $healthProbeSetting `
    -LoadBalancingSetting $loadBalancingSetting
Use the New-AzFrontDoorCdnOrigin command to add your API Management instance to the origin group.
New-AzFrontDoorCdnOrigin `
    -OriginGroupName myOriginGroup `
    -OriginName myAPIMOrigin `
    -ProfileName myFrontDoorProfile `
    -ResourceGroupName myResourceGroup `
    -HostName myapim.azure-api.net `
    -HttpPort 80 `
    -HttpsPort 443 `
    -OriginHostHeader myapim.azure-api.net `
    -Priority 1 `
    -PrivateLinkId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.ApiManagement/service/myAPIM `
    -SharedPrivateLinkResourceGroupId Gateway `
    -SharedPrivateLinkResourcePrivateLinkLocation CentralUS `
    -SharedPrivateLinkResourceRequestMessage 'Azure Front Door private connectivity request' `
    -Weight 1000
Approve the private endpoint
Run Get-AzPrivateEndpointConnection to retrieve the connection name of the private endpoint connection that needs approval.
$PrivateEndpoint = Get-AzPrivateEndpointConnection -ResourceGroupName myResourceGroup -ServiceName myAPIM -PrivateLinkResourceType Microsoft.ApiManagement/service
Run Approve-AzPrivateEndpointConnection to approve the private endpoint connection details. Use the Name value from the output in the previous step for approving the connection.
Approve-AzPrivateEndpointConnection -Name $PrivateEndpoint.Name -ResourceGroupName myResourceGroup -ServiceName myAPIM -PrivateLinkResourceType Microsoft.ApiManagement/service
Complete Azure Front Door setup
Use the New-AzFrontDoorCdnRoute command to create a route that maps your endpoint to the origin group. This route forwards requests from the endpoint to your origin group.
# Create a route to map the endpoint to the origin group
$Route = New-AzFrontDoorCdnRoute `
    -EndpointName myFrontDoorEndpoint `
    -Name myRoute `
    -ProfileName myFrontDoorProfile `
    -ResourceGroupName myResourceGroup `
    -ForwardingProtocol MatchRequest `
    -HttpsRedirect Enabled `
    -LinkToDefaultDomain Enabled `
    -OriginGroupId $origingroup.Id `
    -SupportedProtocol Http,Https
Your Azure Front Door profile is now fully functional after completing the final step.
Prerequisites
An Azure account with an active subscription. Create an account for free.
An Azure Front Door Premium profile and an endpoint. For more information on how to create an Azure Front Door profile, see Create a Front Door using the Azure CLI.
An Azure API Management instance. For more information on how to create an API Management instance, see Create a new Azure API Management instance by using the Azure CLI. For v1 tiers, the instance should be deployed in public mode and not in virtual network mode.
Azure Cloud Shell or Azure CLI.
The steps in this article run the Azure CLI commands interactively in Azure Cloud Shell. You can also run the Cloud Shell from within the Azure portal.
You can also install Azure CLI locally to run the commands. If you run Azure CLI locally, sign in to Azure using the az login command.
Note
Private endpoint support in the API Management Standard v2 tier is currently in preview.
Create an origin group and add the API Management instance as an origin
Run az afd origin-group create to create an origin group.
az afd origin-group create \
    --resource-group myResourceGroup \
    --origin-group-name myOriginGroup \
    --profile-name myFrontDoorProfile \
    --probe-request-type GET \
    --probe-protocol Http \
    --probe-interval-in-seconds 60 \
    --probe-path / \
    --sample-size 4 \
    --successful-samples-required 3 \
    --additional-latency-in-milliseconds 50
Run az afd origin create to add the API Management instance as an origin to the origin group.
az afd origin create \
    --enabled-state Enabled \
    --resource-group myResourceGroup \
    --origin-group-name myOriginGroup \
    --origin-name myAPIMOrigin \
    --profile-name myFrontDoorProfile \
    --host-name myapim.azure-api.net \
    --origin-host-header myapim.azure-api.net \
    --http-port 80 \
    --https-port 443 \
    --priority 1 \
    --weight 500 \
    --enable-private-link true \
    --private-link-location centralus \
    --private-link-request-message 'Azure Front Door private connectivity request.' \
    --private-link-resource /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.ApiManagement/service/myAPIM \
    --private-link-sub-resource-type Gateway
Approve the private endpoint connection
Run az network private-endpoint-connection list to get the name of the private endpoint connection that needs approval.
az network private-endpoint-connection list --name myAPIM --resource-group myResourceGroup --type Microsoft.ApiManagement/service
Run az network private-endpoint-connection approve to approve the private endpoint connection using the name from the previous step.
az network private-endpoint-connection approve --id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.ApiManagement/service/myAPIM/privateEndpointConnections/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
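The list and approve steps above can be scripted so that only the request raised by this Front Door origin is approved, rather than any pending connection on the instance. The following is an added example, not part of the original article; the function names, the JMESPath query, and the assumption that the connection's description field carries the request message set on the origin are assumptions of this example.

```shell
# Added example, not from the original article.
# Assumption: each listed connection exposes its state under
# properties.privateLinkServiceConnectionState (status, description) and the
# description carries the request message set on the Front Door origin.
QUERY="[?properties.privateLinkServiceConnectionState.status=='Pending'].[id, properties.privateLinkServiceConnectionState.description]"

# list_pending APIM_NAME RESOURCE_GROUP
# Prints one "id<TAB>description" line per pending connection.
list_pending() {
  az network private-endpoint-connection list \
    --name "$1" --resource-group "$2" \
    --type Microsoft.ApiManagement/service \
    --query "$QUERY" --output tsv
}

# select_expected EXPECTED_MESSAGE
# Reads "id<TAB>description" lines on stdin and prints only the ids whose
# description is exactly EXPECTED_MESSAGE; everything else stays pending.
select_expected() {
  expected=$1
  tab=$(printf '\t')
  while IFS= read -r line || [ -n "$line" ]; do
    id=${line%%"$tab"*}
    desc=${line#*"$tab"}
    if [ "$id" != "$line" ] && [ "$desc" = "$expected" ]; then
      printf '%s\n' "$id"
    fi
  done
  return 0
}

# approve_expected APIM_NAME RESOURCE_GROUP EXPECTED_MESSAGE
# Approves the connection only when exactly one pending request matches.
approve_expected() {
  ids=$(list_pending "$1" "$2" | select_expected "$3")
  count=$(printf '%s' "$ids" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected 1 matching pending connection, found $count" >&2
    return 1
  fi
  az network private-endpoint-connection approve --id "$ids"
}

# Usage (values from this article):
# approve_expected myAPIM myResourceGroup 'Azure Front Door private connectivity request.'
```

If zero or several pending requests match, nothing is approved and the function returns non-zero, which leaves the decision to a manual review of the pending list.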
Complete Azure Front Door setup
Run az afd route create to create a route that maps your endpoint to the origin group. This route forwards requests from the endpoint to your origin group.
az afd route create \
    --resource-group myResourceGroup \
    --profile-name myFrontDoorProfile \
    --endpoint-name myFrontDoorEndpoint \
    --forwarding-protocol MatchRequest \
    --route-name myRoute \
    --https-redirect Enabled \
    --origin-group myOriginGroup \
    --supported-protocols Http Https \
    --link-to-default-domain Enabled
Your Azure Front Door profile is now fully functional after completing the final step.