Can Azure Front Door connect to private virtual machine backend without public IP?

I’m working with an Azure Front Door Premium setup and need to connect it to a private Windows virtual machine that runs our web application. The VM sits in its own virtual network and doesn’t have a public IP address because of our security requirements.

Right now we’re using Application Gateway with WAF in front of the VM, but we want to switch everything over to Front Door instead. The problem I’m running into is that Front Door seems to need a public endpoint for custom origins, and there’s no direct option to use a VM as the backend.

Is there any way to make Front Door work with a private VM that only has an internal IP? I’m hoping to avoid adding another load balancer or keeping the old Application Gateway setup. Has anyone found a solution for this kind of configuration?

interesting challenge! have you tried using private link service with front door premium? that might solve your issue. what’s your current vnet setup? would you be open to adjusting the architecture a bit?

hit this same issue last month. private link works well, but heads up - you’ll need a standard load balancer behind your private link service even for just one vm. kinda annoying but that’s what azure requires. setup’s straightforward, just takes a while to provision.

Yes, Azure Front Door Premium can connect to private backends using Private Link Service - that’s exactly what you need here. Create a Private Link Service in your VNet that targets your private VM, then set up Front Door to connect through this as a private endpoint origin. Your VM stays secure without a public IP, and Front Door reaches it through Azure’s backbone network. You’ll need to configure the Private Link Service with load balancer rules pointing to your VM, then add the private endpoint as an origin in Front Door. No need for Application Gateway or other public-facing components.
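The architecture the replies above describe, as an added example rather than anything posted in this thread: a Standard internal load balancer in front of the single VM (the requirement the second reply mentions), a Private Link Service bound to that load balancer's frontend, and a Front Door Premium origin that reaches it over private link, followed by the manual approval of Front Door's connection on the service side. All resource names, the VM NIC name, the ILB private IP and the origin host name are assumptions; by default the script only prints the az commands (DRY_RUN=1), and DRY_RUN=0 executes them against a subscription you are logged into.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): private VM -> Standard internal LB ->
# Private Link Service -> Azure Front Door Premium private-link origin.
# Every name below is an assumption; adjust to your environment.
set -eu

DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands only, 0 = run them
RG="${RG:-rg-webapp}"                     # assumed resource group
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-webapp}"
VM_SUBNET="${VM_SUBNET:-snet-vm}"         # subnet holding the VM and the ILB frontend
PLS_SUBNET="${PLS_SUBNET:-snet-pls}"      # dedicated subnet for the PLS NAT addresses
VM_NIC="${VM_NIC:-vm-web-nic}"            # NIC of the existing private VM
ILB_IP="${ILB_IP:-10.0.1.10}"             # assumed static private IP for the ILB frontend
ORIGIN_HOST="${ORIGIN_HOST:-app.internal.example.com}"  # name the VM's TLS cert is issued for
LB="lb-web-internal"; LB_FE="fe-internal"; LB_POOL="pool-web"; LB_PROBE="probe-https"
PLS="pls-web"
AFD_PROFILE="afd-web"; AFD_ORIGIN_GROUP="og-web"; AFD_ORIGIN="origin-web-private"
AFD_ENDPOINT="ep-web"

run() {  # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" != "0" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_internal_lb() {
  # Private Link Service requires a Standard SKU load balancer; the frontend is
  # a private IP in the VNet, so nothing here is reachable from the internet.
  run az network lb create -g "$RG" -n "$LB" -l "$LOCATION" --sku Standard \
    --vnet-name "$VNET" --subnet "$VM_SUBNET" --private-ip-address "$ILB_IP" \
    --frontend-ip-name "$LB_FE" --backend-pool-name "$LB_POOL"
  run az network lb probe create -g "$RG" --lb-name "$LB" -n "$LB_PROBE" --protocol tcp --port 443
  run az network lb rule create -g "$RG" --lb-name "$LB" -n rule-https --protocol tcp \
    --frontend-port 443 --backend-port 443 --frontend-ip-name "$LB_FE" \
    --backend-pool-name "$LB_POOL" --probe-name "$LB_PROBE"
  # A pool with exactly one member is fine: the VM's NIC is the only backend.
  run az network nic ip-config address-pool add -g "$RG" --nic-name "$VM_NIC" \
    --ip-config-name ipconfig1 --lb-name "$LB" --address-pool "$LB_POOL"
}

create_private_link_service() {
  # The subnet that hosts the PLS NAT IPs must have PLS network policies disabled.
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$PLS_SUBNET" \
    --private-link-service-network-policies Disabled
  # No --auto-approval: each consumer (here Front Door) must be approved explicitly.
  run az network private-link-service create -g "$RG" -n "$PLS" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$PLS_SUBNET" --lb-name "$LB" --lb-frontend-ip-configs "$LB_FE"
}

create_afd_private_origin() {
  local pls_id
  if [ "$DRY_RUN" != "0" ]; then
    pls_id="/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/$RG/providers/Microsoft.Network/privateLinkServices/$PLS"
  else
    pls_id="$(az network private-link-service show -g "$RG" -n "$PLS" --query id -o tsv)"
  fi
  # Private link origins need the Premium SKU.
  run az afd profile create -g "$RG" --profile-name "$AFD_PROFILE" --sku Premium_AzureFrontDoor
  run az afd origin-group create -g "$RG" --profile-name "$AFD_PROFILE" \
    --origin-group-name "$AFD_ORIGIN_GROUP" --probe-request-type GET --probe-protocol Https \
    --probe-interval-in-seconds 60 --probe-path / --sample-size 4 \
    --successful-samples-required 3 --additional-latency-in-milliseconds 50
  # Host name is the ILB private IP (reached through the private endpoint);
  # the host header carries the name the VM's certificate is issued for.
  run az afd origin create -g "$RG" --profile-name "$AFD_PROFILE" \
    --origin-group-name "$AFD_ORIGIN_GROUP" --origin-name "$AFD_ORIGIN" \
    --host-name "$ILB_IP" --origin-host-header "$ORIGIN_HOST" --http-port 80 --https-port 443 \
    --priority 1 --weight 1000 --enabled-state Enabled \
    --enable-private-link true --private-link-resource "$pls_id" \
    --private-link-location "$LOCATION" --private-link-request-message "Front Door $AFD_PROFILE"
}

approve_private_endpoint_connection() {
  # Front Door's private endpoint appears as a Pending connection on the PLS;
  # no traffic reaches the VM until that connection is approved here.
  local conn
  if [ "$DRY_RUN" != "0" ]; then
    conn="<PENDING_CONNECTION_NAME>"
  else
    conn="$(az network private-link-service show -g "$RG" -n "$PLS" \
      --query "privateEndpointConnections[?privateLinkServiceConnectionState.status=='Pending'].name | [0]" -o tsv)"
  fi
  run az network private-link-service connection update -g "$RG" --service-name "$PLS" \
    -n "$conn" --connection-status Approved --description "Approved for $AFD_PROFILE"
}

create_afd_route() {
  run az afd endpoint create -g "$RG" --profile-name "$AFD_PROFILE" \
    --endpoint-name "$AFD_ENDPOINT" --enabled-state Enabled
  run az afd route create -g "$RG" --profile-name "$AFD_PROFILE" --endpoint-name "$AFD_ENDPOINT" \
    --route-name route-web --origin-group "$AFD_ORIGIN_GROUP" --supported-protocols Http Https \
    --https-redirect Enabled --forwarding-protocol HttpsOnly --link-to-default-domain Enabled
}

main() {
  create_internal_lb
  create_private_link_service
  create_afd_private_origin
  approve_private_endpoint_connection
  create_afd_route
}
main
```

Two points worth checking once this is deployed: the VM only sees connections from the NAT addresses in the PLS subnet, so its NSG can be restricted to that range instead of the whole VNet; and because auto-approval is not configured, any other Front Door profile that requests a connection to the service stays Pending until someone approves it, which is the control that keeps the origin private. The WAF the poster currently has on Application Gateway moves to a Front Door WAF policy attached through a security policy on the profile; that step is not part of this script.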