Azure Front Door Networking
Azure Front Door is a modern cloud Content Delivery Network (CDN) service that provides fast, secure, and scalable delivery of web applications. It offers global load balancing and traffic management capabilities by leveraging Microsoft's vast global network.
Key Networking Concepts
- Global Load Balancing: Front Door routes client traffic to the closest and most available backend pool. This improves application performance and availability.
- Anycast Protocol: Front Door utilizes anycast routing to direct end-users to the nearest available Front Door Point of Presence (POP) server.
- Health Probes: Front Door continuously probes the health of your backend endpoints. If an endpoint becomes unhealthy, traffic is automatically rerouted to healthy endpoints.
- SSL/TLS Termination: Front Door can terminate SSL/TLS connections at the edge, reducing the load on your backend servers and simplifying certificate management.
- Web Application Firewall (WAF): Integrated WAF provides protection against common web exploits and vulnerabilities.
- Session Affinity: Front Door can maintain session affinity (sticky sessions) to ensure that requests from a particular client are always sent to the same backend server, which is crucial for stateful applications.
How it Works
When a client requests your application:
- DNS resolves the request to a Front Door anycast IP address.
- The closest Front Door POP receives the request.
- Front Door uses its configured routing rules to determine the appropriate backend pool.
- It performs a health check on the backend endpoints within that pool.
- The request is forwarded to a healthy backend endpoint.
- The response travels back through Front Door to the client.
Backend Configurations
You can configure various types of backends for Azure Front Door, including:
- Azure App Service
- Azure VM Scale Sets
- Azure Storage
- Azure Kubernetes Service (AKS)
- Any public IP address or hostname that is accessible from the internet.
Note: For improved security and performance, it is recommended to use Private Link to connect your backend services to Front Door, rather than exposing them directly to the internet.
Example Routing Rule
A typical routing rule might define:
- Frontend Host: The public URL (e.g., www.your-app.com).
- Patterns to Match: Specific URL paths (e.g., /* for all paths, or /api/* for API requests).
- Accepted Protocols: HTTP, HTTPS, or both.
- Forwarding Protocol: How Front Door forwards the request to the backend (e.g., HTTP or HTTPS).
- Backend Pool: The collection of backend servers to send traffic to.
- Health Probe Settings: Configuration for how health probes are performed.
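To make the request flow under "How it Works" and the routing rule fields above concrete, here is an added Python model of the routing decision (written for this page, not Front Door's own code; the rule and backend names are constructed samples). It matches the frontend host, accepted protocols and path pattern, prefers the most specific pattern, and forwards only to endpoints whose last health probe passed.

```python
from dataclasses import dataclass

@dataclass
class Backend:
    host: str
    healthy: bool = True   # most recent health-probe result for this endpoint

@dataclass
class RoutingRule:
    frontend_host: str          # e.g. "www.your-app.com"
    pattern: str                # "/*" matches all paths, "/api/*" matches /api/...
    accepted_protocols: frozenset
    forwarding_protocol: str    # protocol Front Door uses towards the backend
    backend_pool: list          # Backend objects in this pool

def pattern_matches(pattern: str, path: str) -> bool:
    """A trailing '*' is a prefix wildcard; any other pattern must match exactly."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def select_rule(rules, host, protocol, path):
    """Most specific rule (longest pattern) whose host, protocol and pattern all match."""
    matches = [r for r in rules
               if r.frontend_host == host
               and protocol in r.accepted_protocols
               and pattern_matches(r.pattern, path)]
    return max(matches, key=lambda r: len(r.pattern)) if matches else None

def route_request(rules, host, protocol, path):
    """Return (backend_host, forwarding_protocol), or None when nothing can serve it."""
    rule = select_rule(rules, host, protocol, path)
    if rule is None:
        return None   # no matching route: the edge answers, no backend is contacted
    healthy = [b for b in rule.backend_pool if b.healthy]
    if not healthy:
        return None   # every endpoint failed its probe; nothing to forward to
    return healthy[0].host, rule.forwarding_protocol   # model picks the first healthy one

def sample_rules():
    """Constructed sample: a catch-all rule plus a more specific, HTTPS-only API rule."""
    web_pool = [Backend("web-1.internal", healthy=False), Backend("web-2.internal")]
    api_pool = [Backend("api-1.internal")]
    return [
        RoutingRule("www.your-app.com", "/*", frozenset({"HTTP", "HTTPS"}), "HTTPS", web_pool),
        RoutingRule("www.your-app.com", "/api/*", frozenset({"HTTPS"}), "HTTPS", api_pool),
    ]
```

Note that a plain-HTTP request for /api/orders is not rejected here: the HTTPS-only API rule drops out and the catch-all /* rule, which accepts HTTP, serves it from the web pool instead, so check what your broadest rule accepts when you restrict protocols on a narrower one.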
Using Private Endpoints with Front Door
To secure your backend services, you can use Azure Private Link to establish a private endpoint connection from Front Door to your backend. This ensures that traffic between Front Door and your backend does not traverse the public internet.
# Conceptual example of configuring a private endpoint connection
# This is illustrative and actual implementation involves Azure CLI/Portal/ARM
az network front-door private-link-resource add \
--front-door-name myFrontDoor \
--resource-group myResourceGroup \
--backend-pool-name myBackendPool \
--private-link-resource-id /subscriptions/subid/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/myAppService \
--private-link-resource-type Microsoft.Web/sites
Tip: Regularly review your Front Door logs and metrics in Azure Monitor to understand traffic patterns and identify potential issues.