Is it possible to put Azure App Configuration behind Azure Front Door?

Question

Update: more detail can be found in the GitHub issue that i opened here:

https://github.com/Azure/AppConfiguration/issues/567#issuecomment-953365024

---

Original question:

I have set up three resource groups, each with their own instance of App Configuration. All keys/values are synchronized between the configuration stores. I have also created an Azure Front Door instance and associated frontend, backendpool, and route linking the frontend and backendpool via forwarding. Everything is wired up successfully. However, when I attempt to call into the front door config endpoint, I get an authentication failure in my app config client.

Azure.Identity.AuthenticationFailedException
DefaultAzureCredential authentication failed.
...
Azure.Identity.AuthenticationFailedException
ClientSecretCredential authentication failed.
...
Azure.RequestFailedException
Service request failed.
Status: 400 (Bad Request)

Content:
{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://config.[redacted].com was not found in the tenant named [redacted]. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant."}

Calling the uri of any/all of the individual config services (backends) works fine.

Answer 1

Not out of the box, this is an issue with the token handling, but I think a more important question is why you want this? redundancy with App Configuration is normally build in the code/function itself very easily, and even when apps/functions are distributed the config call to the store does not introduce much latency to even be notable