Share via

Unable to establish private link between Azure Front Door and Container Apps Environment (CAE)

Anonymous
2025-09-29T12:14:50.66+00:00

Body: I am trying to enable a private link between my Azure Front Door and my Container Apps Environment (CAE), but I haven’t been successful.

Here’s what I’ve done so far:

During the Front Door creation, I enabled the Private Link feature and selected the target resource (my container app).

This automatically created a private endpoint, for which I provided a name/reason.

I then approved the connection request from the CAE side.

Issue: The approval process takes a very long time and never seems to complete. It just keeps running indefinitely. Once I refresh the page, the status blade disappears, and the private endpoint shows as Approved — even though the approval process never actually completed.

However, when I attempt to access the container app through Front Door, I get a 404 Error response.

Attached is a screenshot showing the approval process hanging.

Has anyone experienced this issue or know what might be causing this behavior? image.png

Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alex Burlachenko 18,570 Reputation points Volunteer Moderator
    2025-09-29T14:00:55.5966667+00:00

    hi,

    the fact that the status shows 'approved' after a refresh is a classic symptom of a backend timing issue. the approval might have gone through, but the connection is not fully active. the 404 error from front door confirms the link is not working.

    first, let's verify the private endpoint connection from the container apps environment side. do not just look at the front door side. go to your container apps environment in the azure portal. in the left menu, look for 'networking' or 'private endpoints'. find the pending private endpoint connection that front door created. even if it looks approved, try to approve it again manually from this side. sometimes this double approval kicks the system into action.

    next, check the dns configuration. this is the most common culprit for a 404 after a private link is established. private link requires a specific private dns zone to resolve your container app's name to its private ip address. make sure a private dns zone exists for 'privatelink.azurecontainerapps.io' and that it is linked to your virtual network. it should have an a record that points your container app's hostname to the private ip address assigned by the private endpoint. you can test this by doing an nslookup from a virtual machine inside the same virtual network.

    also, look at the container app itself. make sure it is actually running and healthy. if the container app is scaled down to zero or has a failed revision, front door will get a 404 because there is no backend to respond. check the revisions and logs in your container app to confirm it is ready to receive traffic.

    this kind of private endpoint delay can happen with any azure service, not just front door and container apps. the approval process can be slow, and the dns propagation is critical. it is always worth checking the dns first.

    if you are still stuck, you might need to delete the private endpoint and recreate it. sometimes a fresh start is the fastest solution.

    approve the private endpoint from the container apps side, then double and triple check your private dns zone configuration. that is most likely where the problem is hiding.

    good luck, my friend. i hope your private link starts behaving after the dns check.

    rgds,

    Alex

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.