We have a Premium Azure Front Door (AFD) instance and a private Windows VM deployed in its own VNET, acting as a web server. Due to company policies, we cannot assign a public IP to the VM.
Currently, the VM is behind an Application Gateway + WAF, which we plan to retire for a full transition to AFD. However, I’m stuck at the origin group stage because:
There's no built-in origin type for VMs in AFD. A custom origin requires a public IP, which we cannot provide. Is there a way to configure AFD to route traffic to this private VM without deploying a Load Balancer/App Gateway into the VNet? Any workarounds or best practices would be greatly appreciated.
MS documentation was of no help.