Overall architecture image should be fixed

[vermegi]

Exposing ACA through PL and AFD is not a supported scenario yet. However this is the setup shown in the overall architecture image. Also, all Bicep and TF templates use Application Gateway with WAF as reverse proxy.

So basically, the overall architecture image should be fixed.

[thotheod]

Hi @vermegi, You are right there is no native support (as there is for app service), but in our case we expose ACA with private IP (internal - with private Load Balancer) so we can use Private Link Service and AFD Premium, as described in the references below:

• https://learn.microsoft.com/en-us/azure/frontdoor/private-link#limitations
• https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview
• https://techcommunity.microsoft.com/t5/fasttrack-for-azure/integrating-azure-front-door-waf-with-azure-container-apps/ba-p/3729081

The "happy path" in the LZA deployment favours the appGW implementation, since this is suggested for single region deployments. However, sample implementation with AFD (instead of ApGW), is also presented here Bicep AFD Implementation