MicrosoftDocs
diff --git a/‎articles/container-apps/how-to-integrate-with-azure-front-door.md
Lines changed: 156 additions & 11 deletions b/‎articles/container-apps/how-to-integrate-with-azure-front-door.md
Lines changed: 156 additions & 11 deletions
@@ -6,20 +6,154 @@ author: craigshoemaker
 ms.service: azure-container-apps
 ms.custom: devx-track-azurepowershell, devx-track-azurecli, ignite-2024
 ms.topic:  how-to
-ms.date: 02/03/2025
+ms.date: 03/31/2025
 ms.author: cshoe
+zone_pivot_groups: azure-cli-or-portal
 ---
 
 # Create a private link to an Azure Container App with Azure Front Door (preview)
 
 In this article, you learn how to connect directly from Azure Front Door to your Azure Container Apps using a private link instead of the public internet. In this tutorial, you create an Azure Container Apps workload profiles environment, an Azure Front Door, and connect them securely through a private link. You then verify the connectivity between your container app and the Azure Front Door.
 
+::: zone pivot="azure-portal"
+
+## Prerequisites
+
+- Azure account with an active subscription.
+  - If you don't have one, you [can create one for free](https://azure.microsoft.com/free/).
+
+- This feature is only supported for workload profile environments.
+
+- Make sure the `Microsoft.Cdn` resource provider is registered for your subscription.
+    1. Begin by signing in to the [Azure portal](https://portal.azure.com).
+    1. Browse to your subscription page and select **Settings** > **Resource providers**. 
+    1. Select **Microsoft.Cdn** from the provider list.
+    1. Select **Register**.
+
+## Create a container app
+
+Create a resource group to organize the services related to your container app deployment.
+
+1. Search for **Container Apps** in the top search bar.
+1. Select **Container Apps** in the search results.
+1. Select the **Create** button.
+
+1. In the *Create Container App* page, in the *Basics* tab, do the following actions.
+
+    | Setting | Action |
+    |---|---|
+    | Subscription | Select your Azure subscription. |
+    | Resource group | Select the **Create new resource group** link and enter **my-container-apps**. |
+    | Container app name |  Enter **my-container-app**. |
+    | Deployment source | Select **Container image**. |
+    | Region | Select **Central US**. |
+
+1. In the *Create Container Apps Environment* field, select the **Create new environment** link.
+
+1. In the *Create Container Apps Environment* page, in the *Basics* tab, enter the following values:
+
+    | Setting | Value |
+    |--|--|
+    | Environment name | Enter **my-environment**. |
+    | Zone redundancy | Select **Disabled** |
+
+1. Select the **Networking** tab.
+
+1. Set *Public Network Access* to **Disable: Block all incoming traffic from the public internet.**
+
+1. Leave **Use your own virtual network** set to **No**.
+
+1. Leave **Enable private endpoints** set to **No**.
+
+1. Select **Create**.
+
+1. In the *Create Container App* page, select the **Container** tab.
+
+1. Select **Use quickstart image**.
+
+<!-- Deploy the container app -->
+[!INCLUDE [container-apps-create-portal-deploy.md](../../includes/container-apps-create-portal-deploy.md)]
+
+3. When you browse to the container app endpoint, you see the following message:
+
+    ```
+    The public network access on this managed environment is disabled. To connect to this managed environment, please use the Private Endpoint from inside your virtual network. To learn more https://aka.ms/PrivateEndpointTroubleshooting.
+    ```
+
+    Instead, you use an Azure Front Door endpoint to access your container app.
+
+## Create an Azure Front Door profile and endpoint
+
+1. Search for **Front Door** in the top search bar.
+1. Select **Front Door and CDN profiles** in the search results.
+1. Select **Azure Front Door** and **Quick Create**.
+1. Select the **Continue to create a Front Door** button.
+
+1. In the *Create a Front Door profile* page, in the *Basics* tab, do the following actions.
+
+    | Setting | Actions |
+    |--|--|
+    | Resource group | Select **my-container-apps**. |
+    | Name | Enter **my-afd-profile**. |
+    | Tier | Select **Premium**. Private link isn't supported for origins for Azure Front Door on the Standard tier. |
+    | Endpoint name | Enter **my-afd-endpoint**. |
+    | Origin type | Select **Container Apps**. |
+    | Origin host name | Enter the hostname of your container app. Your hostname looks like the following example: `my-container-app.orangeplant-77e5875b.centralus.azurecontainerapps.io`. |
+    | Enable private link service | Enable this setting. |
+    | Region | Select **(US) Central US**. |
+    | Target sub resource | Select **managedEnvironments**. |
+    | Request message | Enter **AFD Private Link Request**. |
+
+1. Select **Review + create**.
+
+1. Select **Create**.
+
+1. After the deployment completes, select **Go to resource**.
+
+1. In the *Front Door and CDN profile* overview page, find your *Endpoint hostname*. It looks like the following example. Make a note of this hostname.
+
+    ```
+    my-afd-endpoint.<HASH>.b01.azurefd.net
+    ```
+
+## Approve the private endpoint connection request
+
+1. Browse to the overview page for the environment named *my-environment* you created previously.
+
+1. Expand **Settings** > **Networking**.
+
+1. You see a link for the private endpoint connection requests. For example, `1 private endpoint`. Select this link.
+
+1. In the *Private endpoint connections* page, approve each private endpoint connection request with the description `AFD Private Link Request`.
+
+    > [!NOTE]
+    > Azure Front Door has a known issue where it might create multiple private endpoint connection requests.
+
+## Access your container app from Azure Front Door
+
+Browse to the Azure Front Door endpoint hostname you recorded previously. You see the output for the quickstart container app image. Global deployment could take a few minutes to deploy, so if you don't see the expected output, wait a few minutes and then refresh.
+
+## Clean up resources
+
+If you're not going to continue to use this application, you can delete the container app and all the associated services by removing the resource group.
+
+1. Select the **my-container-apps** resource group from the *Overview* section.
+1. Select the **Delete resource group** button at the top of the resource group *Overview*.
+1. Enter the resource group name **my-container-apps** in the *Are you sure you want to delete "my-container-apps"* confirmation dialog.
+1. Select **Delete**.
+
+    The process to delete the resource group could take a few minutes to complete.
+
+::: zone-end
+
+::: zone pivot="azure-cli"
+
 ## Prerequisites
 
 - Azure account with an active subscription.
   - If you don't have one, you [can create one for free](https://azure.microsoft.com/free/).
 
-- This feature is only available with the [Azure CLI](/cli/azure/install-azure-cli). To ensure you're running the latest version of the Azure CLI, run the following command.
+- To ensure you're running the latest version of the [Azure CLI](/cli/azure/install-azure-cli), run the following command.
 
     ```azurecli
     az upgrade
@@ -77,7 +211,7 @@ az group create \
         --location $LOCATION
     ```
 
-1. Retrieve the environment ID. You use this to configure the environment.
+1. Retrieve the environment ID. You use this ID to configure the environment.
 
     ```azurecli
     ENVIRONMENT_ID=$(az containerapp env show \
@@ -121,11 +255,17 @@ az group create \
         --output tsv)
     ```
 
-    If you browse to the container app endpoint, you receive `ERR_CONNECTION_CLOSED` because the container app environment has public access disabled. Instead, you use an AFD endpoint to access your container app.
+1. When you browse to the container app endpoint, you receive `ERR_CONNECTION_CLOSED` because the container app environment has public access disabled. Instead, you use an AFD endpoint to access your container app.
 
 ## Create an Azure Front Door profile
 
-Create an AFD profile. Private link is not supported for origins in an AFD profile with SKU `Standard_AzureFrontDoor`.
+1. Make sure the `Microsoft.Cdn` resource provider is registered for your subscription.
+
+    ```azurecli
+    az provider register --namespace Microsoft.Cdn
+    ```
+
+1. Create an AFD profile. Private link isn't supported for origins in an AFD profile with SKU `Standard_AzureFrontDoor`.
 
 ```azurecli
 az afd profile create \
@@ -202,23 +342,23 @@ az afd origin create \
     /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.App/managedEnvironments/my-environment/privateEndpointConnections/<PRIVATE_ENDPOINT_CONNECTION_ID>
     ```
 
-    Don't confuse this with the private endpoint ID, which looks like the following.
+    Don't confuse this ID with the private endpoint ID, which looks like the following.
 
     ```
     /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/eafd-Prod-centralus/providers/Microsoft.Network/privateEndpoints/<PRIVATE_ENDPOINT_ID>
     ```
 
 ## Approve the private endpoint connection
 
-Run the following command to approve the connection. Replace the \<PLACEHOLDER\> with the private endpoint connection resource ID you recorded in the previous section.
+To approve the connection, run the following command. Replace the \<PLACEHOLDER\> with the private endpoint connection resource ID you recorded in the previous section.
 
 ```azurecli
 az network private-endpoint-connection approve --id <PRIVATE_ENDPOINT_CONNECTION_RESOURCE_ID>
 ```
 
 ## Add a route
 
-Run the following command to map the endpoint you created earlier to the origin group. Private endpoints on Azure Container Apps only support inbound HTTP traffic. TCP traffic is not supported.
+Run the following command to map the endpoint you created earlier to the origin group. Private endpoints on Azure Container Apps only support inbound HTTP traffic. TCP traffic isn't supported.
 
 ```azurecli
 az afd route create \
@@ -254,19 +394,24 @@ az afd route create \
 
 1. Browse to the hostname. You see the output for the quickstart container app image.
 
-    It takes a few minutes for your AFD profile to be deployed globally, so if you do not see the expected output at first, wait a few minutes and then refresh.
+    If you don't see the expected output at first, wait a few minutes and then refresh.
 
 ## Clean up resources
 
-If you're not going to continue to use this application, you can remove the **my-container-apps** resource group. This deletes the Azure Container Apps instance and all associated services. It also deletes the resource group that the Container Apps service automatically created and which contains the custom network components.
+If you're not going to continue to use this application, you can remove the **my-container-apps** resource group. This action deletes the Azure Container Apps instance and all associated services. It also deletes the resource group that the Container Apps service automatically created and which contains the custom network components.
 
 > [!CAUTION]
-> The following command deletes the specified resource group and all resources contained within it. If resources outside the scope of this guide exist in the specified resource group, they will also be deleted.
+> The following command deletes the specified resource group and all resources contained within it. If resources outside the scope of this guide exist in the specified resource group, they'll also be deleted.
 
 ```azurecli
 az group delete --name $RESOURCE_GROUP
 ```
 
+::: zone-end
+
+> [!TIP]
+> Having issues? Let us know on GitHub by opening an issue in the [Azure Container Apps repo](https://github.com/microsoft/azure-container-apps).
+
 ## Related content
 
 - [Azure Private Link](/azure/private-link/private-link-overview)