Is it possible to put Azure App Configuration behind Azure Front Door?

[a60915]

Does Azure App Configuration support being exposed by an Azure Front Door? We have a security requirement where we must use private networking and a Front Door if we would like to publicly expose a resource.

We have an external resource that we would like to get its configuration from the App Configuration. We have dedicated IPs that would be white-listed in the Front Door.

I did not see a way to restrict access when using public networking.

[zhenlan]

@a60915 you can find a past discussion on the same topic: https://github.com/Azure/AppConfiguration/issues/567.

I'm sure you know you can enable the private endpoint on your App Configuration store so you can access it from within your vNet.

For public access, we currently do not support client IP restrictions. However, we are working on a Networking Security Perimeter feature that will include client IP restriction and many other security capabilities.

[a60915]

@zhenlan Thank you for your response. I had seen topic #567 and read through it. I'm not sure how he setup Frontdoor, but I'm assuming he was keeping the App Config public and was doing this more for availability.

Yes, we are aware of, and using, private endpoints. With public access disabled and private endpoints enabled, I have not found a way to expose the App Configuration using a Front door. There isn't an option for App Configuration when adding an Origin for the Front door. Is there something I am missing or is this not supported?

[zhenlan]

Right, we don’t officially support Azure Front Door yet. However, we are working on a feature that will enable you to add App Configuration as an Origin for the Front Door CDN. If everything goes as planned, a preview will be released in the next couple of months.