Merge pull request #303899 from jainsabal/local-branch-sabal

v-ccolin · web-flow · commit ef5cee645367 · 2025-08-07T08:54:45.000+01:00
AFD/CDN MIgration FAQ added
diff --git a/articles/frontdoor/TOC.yml b/articles/frontdoor/TOC.yml
@@ -177,6 +177,10 @@
         href: ../cdn/cdn-change-provider.md?toc=/azure/frontdoor/toc.json
       - name: Custom domain
         href: migrate-cdn-to-front-door.md
+    - name: AFD/CDN Classic migration FAQ
+      href: migration-faq.md
+    - name: Post migration Dev-Ops experience
+      href: post-migration-dev-ops-experience.md
   - name: Upgrades
     items:
     - name: Upgrade from Standard to Premium tier - Portal
diff --git a/articles/frontdoor/migration-faq.md b/articles/frontdoor/migration-faq.md
@@ -0,0 +1,60 @@
+---
+title: AFD/CDN Classic Migration FAQ
+description: Frequently asked questions about migrating from AFD/CDN Classic to AFD Standard or Premium.
+author: jainsabal
+ms.author: jainsabal
+ms.service: azure-frontdoor
+ms.topic: overview
+ms.date: 08/06/2025
+
+#CustomerIntent: As a <type of user>, I want <what?> so that <why?>.
+---
+
+# AFD and CDN Classic Migration FAQ
+
+This document provides answers to frequently asked questions regarding the migration from Azure Front Door (AFD) Classic and CDN Classic to AFD Standard/Premium.
+
+### Will there be downtime during migration?
+
+No, there is no downtime during the migration. This is a control plane-only migration, meaning traffic delivery is unaffected.
+
+During migration, the classic Azure Front Door (AFD) endpoint mydomain.azurefd.net is created as a dummy custom domain on AFD standard/premium that is CNAMEd to AFD standard/premium endpoint mydomain.randomstring.z01.azurefd.net. It continues to receive traffic until you update the DNS record of AFD custom domain (www.mydomain.com) to mydomain.randomstring.z01.azurefd.net directly. It is highly recommended to change the CNAME from classic endpoint to AFD standard/premium endpoint after verification.
+
+Even in rare cases where the migration fails, traffic delivery continues to work as expected.
+
+There is no rollback support, please reach out to the support team for help if migration fails.
+
+
+
+### What should I do after migration?
+
+After migration:
+
+- Verify traffic delivery continues to work.
+
+- Update the DNS CNAME record for your custom domain to point to the AFD Standard/Premium endpoint (exampledomain-hash.z01.azurefd.net) instead of the classic endpoint (exampledomain.azurefd.net for classic AFD or exampledomain.azureedge.net). Wait for the DNS update propagation until DNS TTL expires, depending on how long TTL is configured on DNS provider.
+
+- Verify again that traffic works in the custom domain.
+
+- Once confirmed, delete the pseudo custom domain (i.e., the classic endpoint that was pointing to the AFD Standard/Premium endpoint) from the AFD Standard/Premium profile.
+
+### When I change my DNS CNAME from classic AFD endpoint to AFD standard/premium endpoint, does DNS propagation cause downtime?
+
+No, both classic endpoint and Std/premium endpoints point to the same IP, so the final resolution remains the same before and after DNS propagation.
+
+### When should I delete the classic SKU?
+
+For AFD Classic: After verifying that traffic works and the DNS record has been updated to point to the AFD Standard/Premium endpoint, you can safely delete the classic resource.
+
+For CDN Classic: You do not need to delete the classic resource. Migration is treated as a SKU upgrade, and the classic resource can remain.
+
+### Do I need to update my DevOps pipeline?
+
+Yes. After migration, make sure to update your DevOps pipeline to reflect the new AFD Standard/Premium configuration and endpoints.
+
+## Next step
+
+* Understand the [settings mapping between Azure Front Door tiers](tier-mapping.md).
+* Learn how to [migrate from Azure Front Door (classic) to Standard or Premium tier](migrate-tier.md) using the Azure portal.
+* Learn how to [migrate from Azure Front Door (classic) to Standard or Premium tier](migrate-tier-powershell.md) using Azure PowerShell.
+* Learn how to [migrate from Azure CDN from Microsoft (classic)](migrate-tier.md) to Azure Front Door using the Azure portal.
diff --git a/articles/frontdoor/post-migration-dev-ops-experience.md b/articles/frontdoor/post-migration-dev-ops-experience.md
@@ -0,0 +1,94 @@
+---
+title: Post Migration Dev-Ops Experience
+description: Guidance to update Terraform, ARM templates, Bicep, PowerShell, and Azure CLI pipelines after migrating from Azure Front Door (Classic) or CDN Classic to Azure Front Door Standard/Premium.
+author: jainsabal
+ms.author: jainsabal
+ms.service: azure-frontdoor
+ms.topic: overview
+ms.date: 08/06/2025
+---
+# Post Migration Dev-Ops Experience
+
+After migrating from Azure Front Door (Classic) or CDN Classic to Azure Front Door Standard/Premium, update your DevOps pipeline scripts to deploy and manage the new Front Door Standard/Premium resources. Use the guidance below for various tools and pipeline types.
+
+## Terraform
+
+### Prerequisites
+
+- Ensure the Terraform CLI is installed. See [Install Terraform](https://developer.hashicorp.com/terraform/tutorials/azure-get-started/install-cli).
+- Install the Azure Resource Manager Export extension for Terraform to export existing Azure resources to Terraform templates. See [Overview of Azure Export for Terraform](https://learn.microsoft.com/azure/developer/terraform/azure-export-for-terraform/export-terraform-overview).
+
+### Steps
+
+After migration, all classic AFD resources are migrated to AFD Standard and Premium. Then:
+
+- **Export the new AFD Standard/Premium configuration**: Use Azure’s export tool to generate Terraform configurations for your new Front Door Standard/Premium resources. Follow [Quickstart: Export your first resources using Azure Export for Terraform](https://learn.microsoft.com/azure/developer/terraform/azure-export-for-terraform/export-first-resources?tabs=azure-cli) to export the Front Door Standard/Premium resources into Terraform files.
+- **Update Terraform templates in your pipeline**: Replace references to Front Door Classic resources with the exported Standard/Premium configuration.
+  - For AFD Classic, the Terraform resource is [`azurerm_frontdoor`](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/frontdoor).
+  - For CDN Classic, use the [`azurerm_cdn_*`](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint) resources.
+  - For AFD Standard/Premium (AFDx), use the [`azurerm_cdn_frontdoor_*`](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_profile) resources.
+- Check in the updated Terraform code to your pipeline and run plan/apply to start managing the new Front Door via Terraform.
+
+## ARM template
+
+### Steps
+
+After migration, all classic AFD resources are migrated to AFD Standard and Premium.
+
+- **Export ARM templates for Front Door Standard/Premium** using any of the following:
+  - **Azure portal**: [Export template in Azure portal](../azure-resource-manager/templates/export-template-portal.md).
+  - **Azure CLI**: [Export template in Azure CLI](../azure-resource-manager/templates/export-template-cli.md).
+  - **Azure PowerShell**: [Export template in Azure PowerShell](../azure-resource-manager/templates/export-template-powershell.md).
+- **Update ARM templates in your pipeline** to use the new Front Door Standard/Premium template instead of the Front Door (Classic) template. In Azure DevOps or GitHub Actions, update the template path and parameters in your deployment step, then deploy the new template.
+- **Validate**: Remove or archive references to the classic Front Door template to avoid confusion.
+
+## Bicep
+
+### Prerequisites
+
+- Install the Bicep CLI and tools. See [Set up Bicep development and deployment environments](../azure-resource-manager/bicep/install.md).
+
+### Steps
+
+After migration, all classic AFD resources are migrated to AFD Standard and Premium.
+
+- **Generate a Bicep template for Front Door Standard/Premium** by decompiling an exported ARM template. See [Decompile ARM template JSON to Bicep](../azure-resource-manager/bicep/decompile.md?tabs=azure-cli).
+- **Update Bicep files in your pipeline**: Replace Front Door Classic definitions with Standard/Premium. This may include updating resource types such as [`Microsoft.Cdn/profiles`](https://learn.microsoft.com/azure/templates/microsoft.cdn/profiles?pivots=deployment-language-bicep) and child resources (endpoints, routes, etc.).
+- **Test** a deployment (for example, `az deployment group create`) to verify provisioning of AFD Standard/Premium.
+
+## PowerShell
+
+### Prerequisites
+
+Make sure you have the latest Azure PowerShell Az modules installed (Az.Cdn module version that supports AFD Standard/Premium). See [Install Azure PowerShell](https://learn.microsoft.com/powershell/azure/install-azps-windows).
+
+### Steps
+
+- **Update PowerShell deployment scripts**: Replace any Front Door (Classic) cmdlets with AFD Standard/Premium cmdlets. For examples, see the [Azure Front Door PowerShell quickstart](create-front-door-powershell.md).
+- **Incorporate new configuration and remove old references**: Ensure scripts configure required components (origins, origin groups, routes, rules, etc.). Remove or comment commands that manage Classic Front Door.
+- Command group mapping:
+  - AzFrontDoorCdn commands under the [Az.Cdn module](https://learn.microsoft.com/powershell/module/az.cdn/) are for AFD Standard/Premium.
+  - AzCdn commands under the [Az.Cdn module](https://learn.microsoft.com/powershell/module/az.cdn/) are for CDN Classic.
+  - The [Az.FrontDoor module](https://learn.microsoft.com/powershell/module/az.frontdoor/) is for AFD Classic.
+- **Test** your script (locally or in a test pipeline) to verify creation or updates to AFD Standard/Premium, then commit changes to your pipeline.
+
+## CLI
+
+### Prerequisites
+
+- Ensure Azure CLI is installed and updated to a version that supports the `afd` command group (for example, 2.63.0 or later). See [Install Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli).
+- Log in (`az login`) and set the correct subscription context.
+
+### Steps
+
+- **Update CLI commands in scripts**: Use the Azure Front Door Standard/Premium command group: [`az afd`](https://learn.microsoft.com/cli/azure/afd).
+- **Replace or remove Front Door Classic CLI usage**:
+  - CDN Classic commands: [`az cdn`](https://learn.microsoft.com/cli/azure/cdn)
+  - AFD Classic commands: [`az network front-door`](https://learn.microsoft.com/cli/azure/network/front-door)
+- **Validate** the updated CLI script manually or in a staging pipeline to ensure successful configuration of Front Door Standard/Premium.
+
+## Next step
+
+* For more questions, refer to the [AFD/CDN Classic Migration FAQ](migration-faq.md).
+* Understand the [settings mapping between Azure Front Door tiers](tier-mapping.md).
+
diff --git a/articles/frontdoor/standard-premium/how-to-enable-private-link-web-app-powershell.md b/articles/frontdoor/standard-premium/how-to-enable-private-link-web-app-powershell.md
@@ -0,0 +1,89 @@
+---
+title: 'Connect Azure Front Door Premium to an App Service Origin with Private Link Using Azure PowerShell'
+titleSuffix: Azure Private Link
+description: Learn how to connect your Azure Front Door Premium to a WebApp privately using Azure PowerShell.
+services: frontdoor
+author: jainsabal
+ms.service: azure-frontdoor
+ms.topic: how-to
+ms.date: 11/15/2024
+ms.author: jainsabal
+---
+
+# Connect Azure Front Door Premium to an App Service (Web App) Origin with Private Link Using Azure PowerShell
+
+This article guides you through how to configure Azure Front Door Premium tier to connect to your App Service (Web App) privately using the Azure Private Link service with Azure PowerShell.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- Azure PowerShell installed locally or Azure Cloud Shell
+- Azure FrontDoor Premium profile, endpoint, and origin group. For more information on how to create an Azure Front Door profile, see [Create a Front Door - PowerShell](../create-front-door-powershell.md).
+- Azure App Service (WebApp) instance. For more information on how to create an Azure App Service, see [Create an App Service - PowerShell](../../app-service/quickstart-dotnetcore.md?tabs=net80&pivots=development-environment-ps).
+
+> [!NOTE]
+> Private endpoints requires your App Service plan to meet some requirements. For more information, see [Using Private Endpoints for Azure Web App](../../app-service/networking/private-endpoint.md).
+> This feature is not supported with App Service Slots
+
+## Enable Private Link to an App Service in Azure Front Door Premium
+
+1. Run [Get-AzResource](/powershell/module/az.resources/get-azresource) to get the resource ID of the App Service to be used as the origin for Azure Front Door
+
+    ```azurepowershell-interactive
+    get-AzResource -Name testWebAppAFD 
+                   -ResourceGroupName testRG
+    
+    ```
+
+2. Run [New-AzFrontDoorCdnOrigin](/powershell/module/az.cdn/new-azfrontdoorcdnorigin) to add your App Service origin to your origin group.
+
+    ```azurepowershell-interactive
+    # Add App Service origin to the Azure Front Door profile with Private Link
+    $origin1 = New-AzFrontDoorCdnOrigin `
+        -OriginGroupName default-origin-group `
+        -OriginName test-origin `
+        -ProfileName testAFD `
+        -ResourceGroupName testRG `
+        -HostName testwebapp.canadacentral-01.azurewebsites.net `
+        -OriginHostHeader testwebapp.canadacentral-01.azurewebsites.net `
+        -HttpPort 80 `
+        -HttpsPort 443 `
+        -Priority 1 `
+        -Weight 1000 `
+        -PrivateLinkId /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Web/sites/testWebAppAFD `
+        -SharedPrivateLinkResourceGroupId sites `
+        -SharedPrivateLinkResourcePrivateLinkLocation "Central US" `
+        -SharedPrivateLinkResourceRequestMessage "testWebAppAFDPL Private Link request" `
+    
+    ```
+
+## Approve Azure Front Door Premium private endpoint connection from App Service
+
+1. Run [Get-AzPrivateEndpointConnection](/powershell/module/az.network/get-azprivateendpointconnection) to list the private endpoint connections for your App Service. Note down the 'Name' of the private endpoint connection available in your App Service, in the first line of your output.
+
+    ```azurepowershell-interactive
+    
+    #PrivateLinkResourceId is the resource ID of the WebApp
+    Get-AzPrivateEndpointConnection -PrivateLinkResourceId '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Web/sites/testWebAppAFD'
+    
+    ```
+
+2. Run [Approve-AzPrivateEndpointConnection](/powershell/module/az.network/approve-azprivateendpointconnection) to approve the private endpoint connection.
+
+    ```azurepowershell-interactive
+    
+    Approve-AzPrivateEndpointConnection -Name 00000000-0000-0000-0000-000000000000-00000000-0000-0000-0000-000000000000 -ResourceGroupName testRG -ServiceName testWebAppAFD -PrivateLinkResourceType Microsoft.Web/sites
+        
+    ```
+
+3. Once approved, it takes a few minutes for the connection to fully establish. You can now access your App Service from Azure Front Door Premium. Direct access to the App Service from the public internet gets disabled after private endpoint gets enabled. Run [Get-AzPrivateEndpointConnection](/powershell/module/az.network/get-azprivateendpointconnection) to verify the status of the private endpoint connection.
+
+    ```azurepowershell-interactive
+    
+    Get-AzPrivateEndpointConnection -PrivateLinkResourceId '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Web/sites/testWebAppAFD'
+    
+    ```
+
+## Next steps
+
+Learn about [Private Link service with App service](../../app-service/networking/private-endpoint.md).
