Unable to Access Private Endpoint–Enabled App Service Through Azure Front Door

Question

Unable to Access Private Endpoint–Enabled App Service Through Azure Front Door

Prakashchandra Pandey 0

Hi Team - I am facing an issue accessing an Azure App Service that is integrated with a Private Endpoint when routing traffic through Azure Front Door (Premium).

My Setup:

Azure App Service with Private Endpoint enabled
VNet Integration enabled for the App Service
App Service is not accessible publicly (Public network access is disabled)
Azure Front Door Premium with:
- Origin group → App Service (set to Private Link)
- Approved Private Link connection in the App Service
DNS is configured using Azure Private DNS Zone (privatelink.azurewebsites.net)
Front Door endpoint is public, but origins must be accessed privately

Problem:

Even after completing the Private Link approval and configuration, Azure Front Door returns a 403 error when routing requests to the App Service origin. Direct access via the App Service’s private endpoint from within the VNet works fine.

Troubleshooting Done:

Private endpoint connection shows as Approved
DNS resolution for the App Service private endpoint works from inside the VNet
Verified that App Service firewall is not blocking traffic
Verified that Front Door Origin Host Header is set correctly
Tried enabling/disabling "Override host header"
App Service works locally through private IP, but not through Front Door

Questions:

Is additional configuration required for Azure Front Door to reach a private endpoint–enabled App Service?
Do I need any specific networking rules on the App Service or Private Endpoint NIC?
Are there known limitations using App Service + Private Endpoint + Azure Front Door Premium?
How can I correctly validate the private link connection path used by Front Door?

Any guidance or recommended troubleshooting steps would be greatly appreciated.

Below are links were used to configure AFD and app service configuration

https://learn.microsoft.com/en-us/azure/frontdoor/create-front-door-portal?tabs=quick

https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-web-app?pivots=front-door-portal

Thank you!

Prakashchandra Pandey 0 Reputation points

2026-02-18T05:40:24.0133333+00:00

@Vallepu Venkateswarlu - Yes, the private endpoint is configured correctly, and AFD endpoint is also approved. I'm not sure about other vNet, but peering is configured between Hub where AFD is deployed, and app services are deployed. Please if AFD also need to integrate with any vNet in the environment?
Vallepu Venkateswarlu 6,045 Reputation points Microsoft External Staff Moderator

2026-02-18T18:42:06.4566667+00:00
Hi @Prakashchandra Pandey,

Please if AFD also need to integrate with any vNet in the environment?

No, Azure Front Door does not need to be integrated into your VNet. VNet peering is not relevant when using AFD with Private Link origins.

Azure Front Door Premium does not integrate directly into your VNet. Private Link connectivity is handled through Microsoft-managed infrastructure.

The Hub VNet and VNet peering configuration are not involved in this traffic path.

Alternatively, you can try the following option to access the web app from AFD.

If you are still facing the error, check the Diagnostic Settings logs in Azure Front Door.

If Diagnostic Settings are not enabled, please enable them and wait a few minutes for the logs to be generated. Once the logs appear, review the FrontDoorAccessLog and FrontDoorHealthProbeLog.

These logs will help you identify the reason for the 403 error.

Ref: Configure Azure Front Door logs

Please verify the steps outlined here: Connect Azure Front Door Premium to an App Service (Web App or Function App) origin with Private Link

The 403 error most probably:
Host header mismatch or App Service access restriction rule

Please confirm:

Is a custom domain used in AFD?

Is that custom domain added to App Service?

Also Please share the requested details in private message further troubleshoot.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Prakashchandra Pandey 0 Reputation points

2026-02-19T05:57:09.24+00:00
Hi - Required details are below:

Is a custom domain used in AFD? - NO

Is that custom domain added to App Service? - Yes, and its accessible via corporate network.
Lavanya Arthimalla 0 Reputation points

2026-02-23T18:51:57.71+00:00

Hi @Vallepu Venkateswarlu are you available during EST hours to troubleshoot this further?
Vallepu Venkateswarlu 6,045 Reputation points Microsoft External Staff Moderator

2026-02-24T16:26:59.3133333+00:00

Hi @ Lavanya Arthimalla,

Yes, please share your details in a private message so we can troubleshoot further.

1 answer

Your answer

Prakashchandra Pandey 0 Reputation points

2026-02-18T05:40:24.0133333+00:00

@Vallepu Venkateswarlu - Yes, the private endpoint is configured correctly, and AFD endpoint is also approved. I'm not sure about other vNet, but peering is configured between Hub where AFD is deployed, and app services are deployed. Please if AFD also need to integrate with any vNet in the environment?
Vallepu Venkateswarlu 6,045 Reputation points Microsoft External Staff Moderator

2026-02-18T18:42:06.4566667+00:00

Hi @Prakashchandra Pandey,

Please if AFD also need to integrate with any vNet in the environment?

No, Azure Front Door does not need to be integrated into your VNet. VNet peering is not relevant when using AFD with Private Link origins.

Azure Front Door Premium does not integrate directly into your VNet. Private Link connectivity is handled through Microsoft-managed infrastructure.

The Hub VNet and VNet peering configuration are not involved in this traffic path.

Alternatively, you can try the following option to access the web app from AFD.

If you are still facing the error, check the Diagnostic Settings logs in Azure Front Door.

If Diagnostic Settings are not enabled, please enable them and wait a few minutes for the logs to be generated. Once the logs appear, review the FrontDoorAccessLog and FrontDoorHealthProbeLog.

These logs will help you identify the reason for the 403 error.

Ref: Configure Azure Front Door logs

Please verify the steps outlined here: Connect Azure Front Door Premium to an App Service (Web App or Function App) origin with Private Link

The 403 error most probably:
Host header mismatch or App Service access restriction rule

Please confirm:

Is a custom domain used in AFD?

Is that custom domain added to App Service?

Also Please share the requested details in private message further troubleshoot.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Prakashchandra Pandey 0 Reputation points

2026-02-19T05:57:09.24+00:00

Hi - Required details are below:

Is a custom domain used in AFD? - NO

Is that custom domain added to App Service? - Yes, and its accessible via corporate network.
Lavanya Arthimalla 0 Reputation points

2026-02-23T18:51:57.71+00:00

Hi @Vallepu Venkateswarlu are you available during EST hours to troubleshoot this further?
Vallepu Venkateswarlu 6,045 Reputation points Microsoft External Staff Moderator

2026-02-24T16:26:59.3133333+00:00

Hi @ Lavanya Arthimalla,

Yes, please share your details in a private message so we can troubleshoot further.

Answer 1

Hi @ Prakashchandra Pandey,

Welcome to Microsoft Q&A Platform.

It appears that you are encountering a 403 error while accessing your Azure App Service through Azure Front Door using a Private Endpoint.

Verify Azure Front Door Configuration: Ensure that the Origin Group in Azure Front Door is correctly configured to reference the App Service via Private Link and Confirm that no public origins are mixed with the Private Link origin.

Please verify whether the App Service and Azure Front Door (AFD) are deployed within the same Resource Group. If they are in different Resource Groups, consider moving them to the same Resource Group before attempting to link the App Service.

Please allow at least 30 to 45 minutes for the configuration to synchronize. Azure Front Door can take up to 45 minutes to fully propagate configuration changes globally.

Alternatively, you can configure firewall rules in the App Service by adding the service tag AzureFrontDoor (without using the Private Link option) and then test the access againIt appears that you are encountering a 403 error while accessing your Azure App Service through Azure Front Door using a Private Endpoint.

Ref: Set a service tag-based rule User's image

If you are still facing the error, check the Diagnostic Settings logs in Azure Front Door.

If Diagnostic Settings are not enabled, please enable them and wait a few minutes for the logs to be generated. Once the logs appear, review the FrontDoorAccessLog and FrontDoorHealthProbeLog.

These logs will help you identify the reason for the 403 error.

Follow the https://techcommunity.microsoft.com/t5/azure-architecture-blog/permit-access-only-from-azure-front-door-to-azure-app-service-as/ba-p/2000173 to configure app service with Azure Front door.

Note: If the information above did not help resolve the issue, kindly share your availability in a private message for further troubleshoot.

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Unable to Access Private Endpoint–Enabled App Service Through Azure Front Door

My Setup:

Problem:

Troubleshooting Done:

Questions:

1 answer

Your answer