I create a front door origin using a bicep, and it creates a private link to my app service. Then I go to the application, and approve this private link in the UI. This works as expected.
If I remove the private link (in the app service UI), and run my creation bicep again it will not add the private link back.
How can I ensure the bicep adds the private link, even if it has existed and was removed?
This is my bicep:
```bicep
// The original snippet referenced applicationName, resourceGroup and fdOriginGroup
// without declaring them; the declarations below are assumed so the file compiles.
param applicationName string
// Named so it does not shadow the built-in resourceGroup() function used in scope:
param appServiceResourceGroupName string

resource appService 'Microsoft.Web/sites@2022-09-01' existing = {
  name: applicationName
  scope: resourceGroup(appServiceResourceGroupName)
}

// Existing Front Door profile and origin group (placeholder names)
resource fdProfile 'Microsoft.Cdn/profiles@2021-06-01' existing = {
  name: 'fd-profile'
}

resource fdOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' existing = {
  name: 'fd-origin-group'
  parent: fdProfile
}

resource fdOrigin 'Microsoft.Cdn/profiles/originGroups/origins@2021-06-01' = {
  name: 'fd-origin'
  parent: fdOriginGroup
  properties: {
    hostName: '${applicationName}.azurewebsites.net'
    httpPort: 80
    httpsPort: 443
    originHostHeader: '${applicationName}.azurewebsites.net'
    priority: 1
    weight: 1000
    // Front Door requests a private endpoint connection to the App Service ('sites' group id)
    sharedPrivateLinkResource: {
      groupId: 'sites'
      privateLinkLocation: 'EastUS2'
      requestMessage: 'Created by Deployment Pipeline'
      status: 'Approved'
      privateLink: {
        id: appService.id
      }
    }
  }
}
```
Therefore, Azure will check its databases to see if a private endpoint has been created for a given tuple
(resourceId, tenant, region, groupId)
for a given resource, in this case an app service. Azure generates a new private endpoint if the tuple changes, otherwise it does not. As a result, Azure won't create a new private endpoint if you delete and recreate your app service, nor will it create a new private endpoint if you create a new origin with the same app service. Moreover, you won't see new connections to approve if this private endpoint's lifetime is now scoped to origin rather than the backend resource.
To resolve this issue and get a new private endpoint connection, make sure you remove all origins and origin groups under your tenant with the same
PrivateLinkResourceId, GroupId, PrivateLinkLocation
in order to receive a new private endpoint connection when you create an origin with PrivateLinkResourceId, GroupId, PrivateLinkLocation. Azure will internally delete the private endpoint after deleting all origins and origin groups.
I create a front door origin and it creates a private link to my app service. Then I go to the application and approve this private link in the UI like below:
Now create a dummy origin group and add any origin to associate routes like below:
Updates an existing route with the specified route name:
Now delete the origin group(s) which have the same set of Private Link location, resource ID and group ID, where the app service was added before.
In my case, I created origin2 -> unassociated and deleted it like below:
To delete an AzureFrontDoor origin group under the profile
You need to delete the origin group where the app service was added before. And also delete any other origin groups containing an origin with the same set of Private Link location, resource ID and group ID. Once the origin groups are deleted, you can recreate the origin group with the newly created app service, and you will see new private endpoint connections to approve.
To create new origin group, make use of below code:
Now my private link appears successfully like below:
So generally, to get a private link you need to create a dummy origin group, delete the origin group where the app service was added before, as well as any other origin groups with similar Private Link location, resource ID, and group ID. To delete an origin group, it must be unassociated from the route.
Edit the Azure Front Door route to disassociate the origin group you want to delete. You can associate another existing origin group or create a new dummy origin group and add it to the route. Once unassociated, delete the origin group of the app service. Now you can recreate the origin group with the newly created app service and enable private link. You will see new private endpoint connections that need approval within your app service.
Using CLI:
To edit a route: az afd route update
To create a dummy origin group : az afd origin-group create
To delete origin group: az afd origin-group delete
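The workaround described in this answer, scripted with the same Azure CLI commands, as an added example (this is not code from the question or the answer). The resource group, profile, endpoint, route and origin-group names and the App Service resource id are placeholders to replace with your own; set AZ=echo to print the commands instead of calling Azure.

```shell
#!/bin/sh
# Added example: cycle the Front Door origin group so that Front Door issues a fresh
# private endpoint connection for the App Service. All names are placeholders.
AZ="${AZ:-az}"                       # AZ=echo prints the commands without running them
RG="${RG:-rg-frontdoor}"
PROFILE="${PROFILE:-fd-profile}"
ENDPOINT="${ENDPOINT:-fd-endpoint}"
ROUTE="${ROUTE:-fd-route}"
APP_NAME="${APP_NAME:-my-app}"
APP_ID="${APP_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Web/sites/my-app}"
PL_LOCATION="${PL_LOCATION:-EastUS2}"

# Create an origin group with plain health-probe settings.
afd_origin_group_create() {
  $AZ afd origin-group create --resource-group "$RG" --profile-name "$PROFILE" \
    --origin-group-name "$1" --probe-request-type GET --probe-protocol Https \
    --probe-interval-in-seconds 120 --probe-path / \
    --sample-size 4 --successful-samples-required 3 --additional-latency-in-milliseconds 50
}

# Add an origin to a group. With mode "private" the App Service is attached via Private Link;
# Front Door only creates a new private endpoint when no other origin already uses the same
# (resource id, group id, location) tuple, which is why the old groups must go first.
afd_origin_create() {
  group=$1; origin=$2; mode=${3:-public}
  if [ "$mode" = private ]; then
    $AZ afd origin create --resource-group "$RG" --profile-name "$PROFILE" \
      --origin-group-name "$group" --origin-name "$origin" \
      --host-name "$APP_NAME.azurewebsites.net" --origin-host-header "$APP_NAME.azurewebsites.net" \
      --http-port 80 --https-port 443 --priority 1 --weight 1000 --enabled-state Enabled \
      --enable-private-link true --private-link-resource "$APP_ID" \
      --private-link-sub-resource-type sites --private-link-location "$PL_LOCATION" \
      --private-link-request-message "Created by deployment pipeline"
  else
    $AZ afd origin create --resource-group "$RG" --profile-name "$PROFILE" \
      --origin-group-name "$group" --origin-name "$origin" \
      --host-name "$APP_NAME.azurewebsites.net" --origin-host-header "$APP_NAME.azurewebsites.net" \
      --http-port 80 --https-port 443 --priority 1 --weight 1000 --enabled-state Enabled
  fi
}

# Point the route at another origin group: a group cannot be deleted while a route uses it.
afd_route_set_origin_group() {
  $AZ afd route update --resource-group "$RG" --profile-name "$PROFILE" \
    --endpoint-name "$ENDPOINT" --route-name "$ROUTE" --origin-group "$1"
}

afd_origin_group_delete() {
  $AZ afd origin-group delete --resource-group "$RG" --profile-name "$PROFILE" \
    --origin-group-name "$1" --yes
}

# The full workaround: dummy group -> reroute -> delete old group -> recreate group with the
# private-link origin (new connection appears on the App Service) -> reroute back -> drop dummy.
recreate_private_link_origin() {
  real=$1; dummy=${2:-og-dummy}
  afd_origin_group_create "$dummy"
  afd_origin_create "$dummy" "dummy-origin" public
  afd_route_set_origin_group "$dummy"
  afd_origin_group_delete "$real"
  afd_origin_group_create "$real"
  afd_origin_create "$real" "fd-origin" private
  afd_route_set_origin_group "$real"
  afd_origin_group_delete "$dummy"
}

# Only act when invoked as a script with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  recreate_private_link_origin "og-app" "og-dummy"
fi
```

After the script runs, the new private endpoint connection still has to be approved on the App Service (Networking, Private endpoint connections) just as in the original flow; the script only makes Front Door request it again.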