- Azure Front Door Origin Security and Access Restriction
Ensure that Microsoft Azure Front Door (AFD) profiles are configured with Azure Private Link to securely connect to your AFD origin, eliminating exposure to the public Internet and enhancing your network's overall security posture. This significantly reduces the attack surface and helps achieve a Zero Trust security model.
For optimal performance and security, Azure Front Door's features work best when all traffic is routed through it. If traffic bypasses Azure Front Door (AFD), it also bypasses its crucial security features, including the Web Application Firewall (WAF), DDoS protection, and other safeguards. To prevent this, you should configure your AFD origin to block any traffic that doesn't come through Front Door. Front Door integrates with Azure Private Link to help you restrict origin traffic effectively.
Audit
To determine if your Azure Front Door (AFD) profile origins are configured with Azure Private Link, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Front Door for Value, then choose Apply to list the Azure Front Door (AFD) profiles available in the selected subscription.
05 Click on the name (link) of the AFD profile that you want to examine.
06 In the resource navigation panel, under Security, select Origin groups.
07 For Provisioning state : All, select Succeeded, and choose OK to show only the active origin groups configured for your AFD profile.
08 Click on the name (link) of the AFD origin group that you want to examine, listed in the Name column.
09 On the selected origin group panel, under Origins, click on the host name of the origin that you want to examine, listed in the Origin host name column.
10 On the selected origin panel, check the Private link setting status to determine if Azure Private Link is configured for the selected AFD origin. If the Enable private link service setting checkbox listed next to Private link is unchecked, the selected Azure Front Door (AFD) profile origin is not configured with Azure Private Link for private network access.
11 Repeat steps no. 9 and 10 for each Azure Front Door origin configured for the selected origin group.
12 Repeat steps no. 5 – 11 for each Azure Front Door profile deployed in the selected Azure subscription.
13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run afd profile list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Front Door (AFD) profile available within the current subscription:
az afd profile list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested AFD profile identifiers:
Name                     ResourceGroup
-----------------------  ------------------------------
cc-project5-afd-profile  cloud-shell-storage-westeurope
cc-web-cdn-afd-profile   cloud-shell-storage-westeurope
06 Run afd origin-group list command (Windows/macOS/Linux) with the name of the Azure Front Door profile that you want to examine and its associated resource group as the identifier parameters, to list the name and the provisioning state of each origin group created for the selected AFD profile:
az afd origin-group list --profile-name cc-project5-afd-profile --resource-group cloud-shell-storage-westeurope --output table --query '[].{"name":name,"provisioningState":provisioningState}'
07 The command output should return the requested origin group information:
Name                          ProvisioningState
----------------------------  -----------------
cc-project5-afd-origin-group  Succeeded
08 Run afd origin list command (Windows/macOS/Linux) with the name of the Azure Front Door origin group that you want to examine as the identifier parameter, to list the name and the provisioning state of each origin configured for the selected AFD origin group:
az afd origin list --origin-group-name cc-project5-afd-origin-group --profile-name cc-project5-afd-profile --resource-group cloud-shell-storage-westeurope --output table --query '[].{"name":name,"provisioningState":provisioningState}'
09 The command output should return the requested AFD resource information:
Name                          ProvisioningState
----------------------------  -----------------
cc-project5-primary-origin    Succeeded
cc-project5-secondary-origin  Succeeded
10 Run afd origin show command (Windows/macOS/Linux) with the name of the Azure Front Door (AFD) origin that you want to examine as the identifier parameter, to determine whether Azure Private Link is enabled and configured for the selected AFD origin:
az afd origin show --origin-name cc-project5-afd-origin --origin-group-name cc-project5-afd-origin-group --profile-name cc-project5-afd-profile --resource-group cloud-shell-storage-westeurope --query '{"privateLinkConfig":sharedPrivateLinkResource.privateLink}'
11 The command output should return the Private Link configuration information available for the selected origin:
{
  "privateLinkConfig": null
}
If the "privateLinkConfig" attribute is set to null, as shown in the output example listed above, the selected Azure Front Door (AFD) profile origin is not configured with Azure Private Link for private network access.
12 Repeat steps no. 10 and 11 for each Azure Front Door origin configured for the selected origin group.
13 Repeat steps no. 6 - 12 for each Azure Front Door profile available within the current Azure subscription.
14 Repeat steps no. 3 – 13 for each subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To ensure that your Azure Front Door (AFD) profile origins are configured with Azure Private Link, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Front Door for Value, then choose Apply to list the Azure Front Door (AFD) profiles available in the selected subscription.
05 Click on the name (link) of the AFD profile that you want to configure.
06 In the resource navigation panel, under Security, select Origin groups.
07 For Provisioning state : All, select Succeeded, and choose OK to show only the active origin groups configured for your AFD profile.
08 Click on the name (link) of the AFD origin group that you want to access, listed in the Name column.
09 On the Update origin group panel, under Origins, click on the host name of the origin that you want to configure, listed in the Origin host name column.
10 On the Update origin panel, perform the following actions to configure Azure Private Link for the selected AFD origin:
- Check the Enable private link service setting checkbox listed next to Private link.
- For Region, select the Azure region that is the same or closest to your AFD origin.
- For Target sub resource, choose the type of sub-resource for the Azure cloud resource that your private endpoint will be able to access.
- For Request message, type the message that will be sent to the Azure resource owners to assist them in the connection management process.
- Choose Apply to save the configuration changes.
- Back on the Update origin group panel, choose Update to apply the changes. Azure Private Link connections from Azure Front Door must be approved at the Azure origin.
11 Repeat steps no. 9 and 10 for each Azure Front Door origin that you want to configure, created for the selected origin group.
12 Repeat steps no. 5 – 11 for each Azure Front Door profile deployed in the selected Azure subscription.
13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run afd origin update command (Windows/macOS/Linux) with the name of the Azure Front Door (AFD) profile origin that you want to update and its associated resource group as the identifier parameters, to configure Azure Private Link for the selected AFD origin. As an example, the following command enables Azure Private Link for an App Service web application configured as Azure Front Door origin:
az afd origin update --origin-name cc-project5-afd-origin --origin-group-name cc-project5-afd-origin-group --profile-name cc-project5-afd-profile --resource-group cloud-shell-storage-westeurope --enable-private-link true --private-link-location westeurope --private-link-resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-web-app" --private-link-sub-resource-type sites --private-link-request-message "AFD App Service Origin Private Link Request"
05 The command output should return the information available for the updated AFD profile origin:
{
  "deploymentStatus": "NotStarted",
  "enabledState": "Enabled",
  "enforceCertificateNameCheck": true,
  "httpPort": 80,
  "httpsPort": 443,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/cc-project5-afd-profile/origingroups/cc-project5-afd-origin-group/origins/cc-project5-afd-origin",
  "name": "cc-project5-afd-origin",
  "originGroupName": "cc-project5-afd-origin-group",
  "priority": 1,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sharedPrivateLinkResource": {
    "groupId": "sites",
    "privateLink": {
      "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-web-app",
      "resourceGroup": "cloud-shell-storage-westeurope"
    },
    "privateLinkLocation": "westeurope",
    "requestMessage": "AFD App Service Origin Private Link Request"
  },
  "type": "Microsoft.Cdn/profiles/origingroups/origins",
  "weight": 1000
}
06 Azure Private Link connections from Azure Front Door must be approved at the Azure origin. Because, in our example, Azure Private Link is enabled for an App Service web application configured as the AFD origin, run the network private-endpoint-connection list command (Windows/macOS/Linux) to list the private endpoint connections created for your App Service web app:
az network private-endpoint-connection list --id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-web-app" --type Microsoft.Web/sites --query '[*].id'
07 The command output should return the requested private endpoint connection ID:
[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-web-app/privateEndpointConnections/abcdabcd-1234-abcd-1234-abcdabcdabcd-abcdabcd-1234-abcd-1234-abcdabcdabcd"
]
08 Run network private-endpoint-connection approve command (Windows/macOS/Linux) to approve the private endpoint connection for the AFD origin:
az network private-endpoint-connection approve --id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-web-app/privateEndpointConnections/abcdabcd-1234-abcd-1234-abcdabcdabcd-abcdabcd-1234-abcd-1234-abcdabcdabcd"
09 The command output should return the details of the approved private endpoint connection, with "status" set to "Approved":
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-web-app/privateEndpointConnections/abcdabcd-1234-abcd-1234-abcdabcdabcd-abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "location": "West Europe",
  "name": "abcdabcd-1234-abcd-1234-abcdabcdabcd-abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "properties": {
    "groupIds": [
      "sites"
    ],
    "ipAddresses": [
      "10.2.3.10"
    ],
    "privateEndpoint": {
      "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/eafd-Prod-westeurope/providers/Microsoft.Network/privateEndpoints/abcdabcd-1234-abcd-1234-abcdabcdabcd",
      "resourceGroup": "eafd-Prod-westeurope"
    },
    "privateLinkServiceConnectionState": {
      "actionsRequired": "None",
      "description": "Private access",
      "status": "Approved"
    },
    "provisioningState": "Succeeded"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.Web/sites/privateEndpointConnections"
}
10 Repeat steps no. 4 - 9 for each Azure Front Door origin that you want to configure, deployed for the selected origin group.
11 Repeat steps no. 4 - 10 for each Azure Front Door profile that you want to configure, available within the current subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
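The audit loop from the CLI audit section (steps 04 to 12) and the remediation sequence above (steps 04 to 09) combined into one script, as an added example that is not part of this knowledge base entry and not Microsoft's or Trend Micro's own tooling. It issues the same az commands the page lists; the `run_az`, `fake_az` and `FAKE_AZ_OUTPUT` names, the placeholder private endpoint connection IDs and the constructed sample output are this example's own assumptions.

```python
"""Audit Azure Front Door (AFD) origins for Private Link and remediate the ones that lack it.
Added example for this knowledge base entry, not Trend Micro's or Microsoft's own code. It drives
the same `az afd ...` and `az network private-endpoint-connection ...` commands the page lists;
the CLI runner is injectable so the logic can run offline against constructed sample output."""
import json
import subprocess
from typing import Callable, Dict, List

AzRunner = Callable[[List[str]], object]  # takes the argument list after `az`, returns parsed JSON


def run_az(args: List[str]) -> object:
    """Real runner (assumption: `az` is installed and logged in): invoke the CLI, parse its JSON."""
    proc = subprocess.run(["az", *args, "--output", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def has_private_link(origin: Dict) -> bool:
    """Compliant only when sharedPrivateLinkResource.privateLink.id is set; with Private Link
    disabled the CLI returns null there, which is what the page's `privateLinkConfig: null` shows."""
    shared = origin.get("sharedPrivateLinkResource") or {}
    return bool((shared.get("privateLink") or {}).get("id"))


def audit_profile(profile: str, resource_group: str, az: AzRunner = run_az) -> List[str]:
    """Return 'group/origin' for every active origin of the profile that is not behind Private
    Link (audit steps 06 to 11: only Succeeded origin groups and origins are considered)."""
    findings = []
    for group in az(["afd", "origin-group", "list", "--profile-name", profile,
                     "--resource-group", resource_group]):
        if group.get("provisioningState") != "Succeeded":
            continue
        for origin in az(["afd", "origin", "list", "--origin-group-name", group["name"],
                          "--profile-name", profile, "--resource-group", resource_group]):
            if origin.get("provisioningState") == "Succeeded" and not has_private_link(origin):
                findings.append(f"{group['name']}/{origin['name']}")
    return findings


def remediate_origin(profile: str, resource_group: str, group: str, origin: str, target_id: str,
                     sub_resource: str, location: str, az: AzRunner = run_az) -> List[str]:
    """Enable Private Link on one origin, then approve the pending private endpoint connection on
    the target resource (remediation steps 04 to 08). Returns the IDs of the connections approved."""
    az(["afd", "origin", "update", "--origin-name", origin, "--origin-group-name", group,
        "--profile-name", profile, "--resource-group", resource_group,
        "--enable-private-link", "true", "--private-link-location", location,
        "--private-link-resource", target_id, "--private-link-sub-resource-type", sub_resource,
        "--private-link-request-message", f"AFD origin {origin} Private Link request"])
    # The provider type (e.g. Microsoft.Web/sites) is the segment pair after /providers/ in the ARM ID.
    resource_type = "/".join(target_id.split("/providers/", 1)[1].split("/")[:2])
    approved = []
    for conn in az(["network", "private-endpoint-connection", "list",
                    "--id", target_id, "--type", resource_type]):
        state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
        if state.get("status") == "Pending":  # never touch connections already Approved/Rejected
            az(["network", "private-endpoint-connection", "approve", "--id", conn["id"],
                "--description", "Approved for Azure Front Door origin"])
            approved.append(conn["id"])
    return approved


# Constructed sample output shaped like the page's CLI examples; IDs are placeholders.
WEB_APP_ID = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
              "cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-web-app")
PENDING_CONN_ID = WEB_APP_ID + "/privateEndpointConnections/pending-connection-placeholder"
FAKE_AZ_OUTPUT = {
    "origin-group list": [{"name": "cc-project5-afd-origin-group", "provisioningState": "Succeeded"}],
    "origin list": [
        {"name": "cc-project5-primary-origin", "provisioningState": "Succeeded",
         "sharedPrivateLinkResource": {"groupId": "sites", "privateLink": {"id": WEB_APP_ID}}},
        {"name": "cc-project5-secondary-origin", "provisioningState": "Succeeded",
         "sharedPrivateLinkResource": None},
    ],
    "origin update": {"name": "cc-project5-secondary-origin", "provisioningState": "Updating"},
    "private-endpoint-connection list": [
        {"id": PENDING_CONN_ID,
         "properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}},
        {"id": WEB_APP_ID + "/privateEndpointConnections/already-approved-placeholder",
         "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}},
    ],
    "private-endpoint-connection approve": {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}},
}


def fake_az(args: List[str]) -> object:
    """Offline stand-in for run_az: returns canned output keyed on the sub-command, e.g. 'origin list'."""
    return FAKE_AZ_OUTPUT[" ".join(args[1:3])]


if __name__ == "__main__":
    profile, rg = "cc-project5-afd-profile", "cloud-shell-storage-westeurope"
    for finding in audit_profile(profile, rg, az=fake_az):
        print("origin without Private Link:", finding)
        group, origin = finding.split("/", 1)
        print("approved connections:", remediate_origin(profile, rg, group, origin, WEB_APP_ID,
                                                        "sites", "westeurope", az=fake_az))
```

Run it as-is to exercise the offline sample; after `az login` and `az account set`, drop the `az=fake_az` argument so the default `run_az` drives the real CLI, and loop over `az afd profile list` output for each subscription as the audit steps describe. Two caveats a practitioner should keep in mind: Private Link origins are a Front Door Premium tier feature (the tier the referenced Microsoft documentation covers), and approving the private endpoint connection does not by itself close the public path to the origin, so the origin's own access restrictions still have to reject traffic that does not arrive through Front Door, which is the point made in the overview above.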
References
- Azure Official Documentation
- Secure traffic to Azure Front Door origins
- Secure your Origin with Private Link in Azure Front Door Premium
- Connect Azure Front Door Premium to an App Service (Web App or Function App) origin with Private Link
- Use private endpoints for Azure App Service apps