Can Azure Front Door connect to private VMs without public IPs?

Using Azure Front Door with internal VMs: Is it possible?

We’ve got a Premium Azure Front Door set up and a Windows VM in its own VNET that’s acting as our web server. The thing is, our company rules say we can’t give the VM a public IP address.

Right now, we’re using an Application Gateway with WAF, but we want to switch completely to Azure Front Door. I’m having trouble setting up the origin group though.

Here’s the problem:

  • Azure Front Door doesn’t have a built-in option for VMs as origins
  • Custom origins need public IPs, which we can’t use

I’m wondering if there’s a way to make Azure Front Door send traffic to our private VM without having to use a Load Balancer or App Gateway in the VNET.

Has anyone found a way around this? What’s the best way to handle this setup? I’ve looked through Microsoft’s docs but couldn’t find anything helpful. Any advice would be great!

hey there! have u thought about using azure private link service? it’s pretty cool for connecting front door to private stuff. maybe u could set up a private link service for ur VM and use that as the origin? just an idea - curious to hear if anyone’s tried this approach? what other options have u explored so far?

Azure Front Door can indeed connect to private VMs without public IPs, but it requires some additional configuration.

One effective approach is to use Azure Private Link in conjunction with Front Door Premium. This method allows Front Door to securely access your VM through a private endpoint within your VNET. You would create a Private Link service for your VM and then establish a private endpoint that Front Door can connect to, thus maintaining the security and privacy of your VM.

Alternatively, you may consider employing an Azure Internal Load Balancer to route traffic to your private VM. This involves setting up the ILB in your VNET, configuring your VM as its backend, and using the ILB’s private IP as the origin in Front Door. Each method requires additional Azure resources and configuration, but both provide secure, private connectivity without exposing the VM publicly.
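As an added example (not code from the thread or from Microsoft), the Private Link path described above written as a Bicep template. Two points the answer glosses over: a Private Link service can only be attached to a Standard internal load balancer frontend, so a Standard ILB in front of the VM is unavoidable even on the Private Link route, and the subnet hosting the Private Link service must have `privateLinkServiceNetworkPolicies` disabled. All resource names, the address `10.0.1.10`, the subnet and the API versions are assumptions; the VM NIC is expected to already be a member of the ILB backend pool.

```bicep
// Added example, not from the original thread. Front Door Premium reaches a
// VM that has no public IP by connecting privately to a Private Link service
// that sits on a Standard internal load balancer in the VM's VNET.
param location string = resourceGroup().location
param vnetName string = 'web-vnet'          // assumption: existing VNET
param subnetName string = 'web-subnet'      // assumption: privateLinkServiceNetworkPolicies = 'Disabled'
param ilbPrivateIp string = '10.0.1.10'     // assumption: free address in the subnet

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: subnetName
}

// Standard SKU is required: Private Link service does not attach to Basic LBs.
resource ilb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: 'web-ilb'
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe'
        properties: {
          subnet: { id: subnet.id }
          privateIPAllocationMethod: 'Static'
          privateIPAddress: ilbPrivateIp
        }
      }
    ]
    backendAddressPools: [ { name: 'be' } ] // add the VM NIC to this pool separately
    probes: [
      {
        name: 'http'
        properties: { protocol: 'Http', port: 80, requestPath: '/', intervalInSeconds: 15, numberOfProbes: 2 }
      }
    ]
    loadBalancingRules: [
      {
        name: 'http'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'web-ilb', 'fe') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'web-ilb', 'be') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', 'web-ilb', 'http') }
          protocol: 'Tcp'
          frontendPort: 80
          backendPort: 80
        }
      }
    ]
  }
}

// The Private Link service exposes the ILB frontend to Front Door. Traffic from
// Front Door arrives source-NATed from the pls-nat IP, which is what the VM's NSG
// should allow instead of "any".
resource pls 'Microsoft.Network/privateLinkServices@2023-05-01' = {
  name: 'web-pls'
  location: location
  properties: {
    loadBalancerFrontendIpConfigurations: [ { id: ilb.properties.frontendIPConfigurations[0].id } ]
    ipConfigurations: [
      {
        name: 'pls-nat'
        properties: {
          subnet: { id: subnet.id }
          privateIPAllocationMethod: 'Dynamic'
          primary: true
        }
      }
    ]
    // No autoApproval: the connection Front Door requests stays pending until an
    // operator approves it, so only the expected requestMessage gets accepted.
  }
}

resource afd 'Microsoft.Cdn/profiles@2023-05-01' = {
  name: 'afd-premium'            // assumption; Private Link origins need the Premium SKU
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' }
}

resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: afd
  name: 'web-origins'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3 }
    healthProbeSettings: { probePath: '/', probeRequestType: 'GET', probeProtocol: 'Http', probeIntervalInSeconds: 100 }
  }
}

// The origin host is the ILB's private IP; sharedPrivateLinkResource tells
// Front Door to reach it through the Private Link service rather than over the internet.
resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: originGroup
  name: 'web-vm'
  properties: {
    hostName: ilbPrivateIp
    originHostHeader: ilbPrivateIp
    httpPort: 80
    httpsPort: 443
    priority: 1
    weight: 1000
    enabledState: 'Enabled'
    sharedPrivateLinkResource: {
      privateLink: { id: pls.id }
      privateLinkLocation: location
      requestMessage: 'Front Door origin for web-vm'
    }
  }
}
```

After deployment the origin stays unhealthy until the pending private endpoint connection on `web-pls` is approved (portal, or `az network private-endpoint-connection approve`); check that the request message matches before approving, since that approval is the only gate between Front Door's network and the VM. Once approved, the VM's NSG can be tightened to accept port 80 only from the Private Link NAT address, which removes the last reason for any public IP or public-facing Application Gateway.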

have u tried using azure private link? it lets front door connect to private endpoints in ur vnet without public ips. might need to set up a private endpoint for ur vm and configure front door to use that. could be worth looking into if u haven’t already