added more content to PL page

Author: Harikrishnan-M-B

articles/frontdoor/image.png

@@ -23,25 +23,29 @@ Azure Front Door Premium can connect to your origin using Private Link. Your ori
 
 When you enable Private Link to your origin in Azure Front Door Premium, Front Door creates a private endpoint on your behalf from an Azure Front Door managed regional private network. You receive an Azure Front Door private endpoint request at the origin pending your approval.
 
-> [!IMPORTANT]
-> You must approve the private endpoint connection before traffic can pass to the origin privately. You can approve private endpoint connections by using the Azure portal, Azure CLI, or Azure PowerShell. For more information, see [Manage a Private Endpoint connection](../private-link/manage-private-endpoint.md).
-> Azure Front Door doesn't allow mixing public and private origins in the same origin group.
+You must approve the private endpoint connection before traffic can pass to the origin privately. You can approve private endpoint connections by using the Azure portal, Azure CLI, or Azure PowerShell. For more information, see [Manage a Private Endpoint connection](../private-link/manage-private-endpoint.md).
 
 After you enable an origin for Private Link and approve the private endpoint connection, it can take a few minutes for the connection to be established. During this time, requests to the origin receives an Azure Front Door error message. The error message goes away once the connection is established.
 
-Once your request is approved, a private IP address gets assigned from the Azure Front Door managed virtual network. Traffic between your Azure Front Door and your origin communicates using the established private link over the Microsoft backbone network. Incoming traffic to your origin is now secured when arriving at your Azure Front Door.
+Once your request is approved, a private endpoint gets assigned from the Azure Front Door managed virtual network. Traffic between your Azure Front Door and your origin communicates using the established private link over the Microsoft backbone network. Incoming traffic to your origin is now secured when arriving at your Azure Front Door.
+
+> [!NOTE]
+> * This feature only supports private link connectivity from your AFD to your origin. Client to AFD private connectivity is not supported.
 
 ## Supported origins
 
-Origin support for direct private endpoint connectivity is currently limited to:
-* Blob Storage
-* App Service (Web App, Function App)
-* Internal load balancers, or any services that expose internal load balancers such as Azure Kubernetes Service, Azure Container Apps or Azure Red Hat OpenShift
-* Storage Static Website
-* API Management
-* Application Gateway
-* Azure Container Apps
-  
+Origin support for direct private endpoint connectivity is currently limited to the below origin types.
+
+| Origin type | Documentation |
+|--|--|
+| App Service (Web App, Function App) | [Connect AFD to a Web App / Function App origin with Private Link](standard-premium/how-to-enable-private-link-web-app.md). | 
+| Blob Storage | [Connect AFD to a storage account origin with Private Link](standard-premium/how-to-enable-private-link-storage-account.md). |
+| Storage Static Website | [Connect AFD to a storage static website origin with Private Link](how-to-enable-private-link-storage-static-website.md). |
+| Internal load balancers, or any services that expose internal load balancers such as Azure Kubernetes Service, or Azure Red Hat OpenShift | [Connect AFD to an internal load balancer origin with Private Link](standard-premium/how-to-enable-private-link-internal-load-balancer.md). |
+| API Management | [Connect AFD  to an API Management origin with Private Link](standard-premium/how-to-enable-private-link-apim.md). |
+| Application Gateway | [Connect AFD to an application gateway origin with Private Link](how-to-enable-private-link-application-gateway.md). |
+| Azure Container Apps | [Connect AFD to an Azure Container Apps origin with Private Link](../container-apps/how-to-integrate-with-azure-front-door.md). |
+
 > [!NOTE]
 > * This feature isn't supported with Azure App Service Slots and Azure Static Web App. 
 
@@ -65,6 +69,14 @@ Azure Front Door private link is available in the following regions:
 
 The Azure Front Door Private Link feature is region agnostic but for the best latency, you should always pick an Azure region closest to your origin when choosing to enable Azure Front Door Private Link endpoint. If your origin's region is not supported in the list of regions AFD Private Link supports, pick the next nearest region. You can use [Azure network round-trip latency statistics](../networking/azure-network-latency.md) to determine the next nearest region in terms of latency.
 
+## Tips while using AFD Private Link integration
+* Azure Front Door doesn't allow mixing public and private origins in the same origin group. Doing so can cause errors during configuration or while AFD tries to send traffic to the public/private origins. Keep all your public origins in a single origin group and keep all your private origins in a different origin group.
+* Improving redundancy:
+    * To improve redundancy at origin level, make sure you have multiple private link enabled origins within the same origin group so that AFD can distribute traffic across multiple instances of the application. If one instance is unavailable, then other origins can still receive traffic.
+    * To route Private Link traffic, requests are routed from AFD POPs to the AFD managed virtual network hosted in AFD regional clusters. To have redundancy in case the regional cluster is not reachanle, it is recommended to configure multiple origins (each with a different Private Link region) under the same AFD origin group. This way even if If one regional cluster is unavailable, then other origins can still receive traffic via a different regional cluster. Below is how an origin group with both origin level and region level redundancy would look like.
+        :::image type="content" source="./media/private-link/redundant-origin-group.png" alt-text="Diagram showing an origin group with both origin level and region level redundancy.":::
+* While approving the private endpoint connection or after approving the the private endpoint connection, if you double click on the private endpoint, you will see an error message saying "You don't have access. Copy the error details and send them to your administrator(s) to get access to this page." This is expected as the private endpoint is hosted within a subscription managed by Azure Front Door.
+
 ## Association of a private endpoint with an Azure Front Door profile
 
 ### Private endpoint creation
@@ -81,20 +93,14 @@ For example, a single private endpoint gets created for all the different origin
 
 A new private endpoint gets created in the following scenario:
 
-* If the region, resource ID or group ID changes:
+* If the region, resource ID or group ID changes, AFD considers that the Private Link location and the hostname has changed, resulting in extra private endpoints created and each one needs to be approved.
 
     :::image type="content" source="./media/private-link/multiple-endpoints.png" alt-text="Diagram showing a multiple private endpoint created because changes in the region and resource ID for the origin.":::
 
-    > [!NOTE]
-    > The Private Link location and the hostname has changed, resulting in extra private endpoints created and requires approval for each one.
-
-* When the Azure Front Door profile changes:
+* Enabling Private Link for origins in different Front Door profiles will create extra private endpoints and requires approval for each one. 
 
     :::image type="content" source="./media/private-link/multiple-profiles.png" alt-text="Diagram showing a multiple private endpoint created because the origin is associated with multiple Azure Front Door profiles.":::
 
-    > [!NOTE]
-    > Enabling Private Link for origins in different Front Door profiles will create extra private endpoints and requires approval for each one.
-
 ### Private endpoint removal
 
 When an Azure Front Door profile gets deleted, private endpoints associated with the profile also get deleted.