Configuring Azure Front Door Service

Configuring Azure Front Door Service

Complete Enterprise Guide

1. Introduction to Azure Front Door

Azure Front Door is Microsoft’s Global, Scalable, and Secure entry Point for Web Applications. It Operates at Layer 7 (HTTP/HTTPS) and Provides:

ü  Global Load Balancing

ü  Intelligent Traffic Routing

ü  SSL Offloading

ü  Web Application Firewall (WAF)

ü  DDoS Protection Integration

ü  CDN Acceleration

ü  URL-Based Routing

ü  Session affinity

ü  Health probes and failover

It uses Microsoft’s Global Edge Network to Route Users to the closest and Healthiest Backend.

2. Azure Front Door Architecture Components

2.1 Core Components

  1. Frontend Hosts

ü  Public Endpoint (e.g., contoso.azurefd.net)

ü  Custom Domains Supported

ü  HTTPS and TLS configuration

  1. Backend Pools (Origins)

ü  Azure App Service

ü  Azure VM

ü  Azure Load Balancer

ü  Azure Application Gateway

ü  Public IP Resources

  1. Routing Rules

ü  URL Path-Based Routing

ü  HTTP to HTTPS Redirection

ü  Forwarding Behavior

  1. Health Probes

ü  HTTP/HTTPS Probe Path

ü  Probe Interval and Sensitivity

  1. WAF Policy

ü  OWASP Rule Sets

ü  Custom Rules

ü  Rate limiting

3. Front Door SKU Options

  1. Front Door Standard

ü  CDN Integration

ü  Global Load Balancing

ü  Private Link support

  1. Front Door Premium

ü  Advanced WAF

ü  Private Link to Internal Origins

ü  Advanced Rule Engine

4. Prerequisites

Before deployment:

  1. Azure Subscription
  2. At least one Backend (App Service, VM, etc.)
  3. Public DNS Domain (optional but recommended)
  4. SSL Certificate (if using Custom Domain)

5. Step-by-Step Configuration via Azure Portal

Step 1: Create Azure Front Door

  1. Sign in to Azure Portal
  2. Search for Front Door and CDN Profiles
  3. Click Create
  4. Select:

ü  SKU: Standard or Premium

ü  Resource Group

ü  Profile name

ü  Region (metadata location only)

Click Review + Create

Step 2: Create Endpoint

  1. Navigate to the Front Door profile
  2. Click Endpoints
  3. Click Add Endpoint
  4. Define:

ü  Endpoint Name

ü  Enabled State

Azure generates a default domain:

yourapp.azurefd.net

Step 3: Configure Origin Group

  1. Go to Origin Groups
  2. Click Add
  3. Configure:

ü  Name

ü  Health Probe Protocol

ü  Probe path (e.g., /Health)

ü  Interval

ü  Sample Size

Step 4: Add Origins

  1. Inside Origin Group Add Origin
  2. Select:

ü  Origin type (App Service, VM, Custom Host)

ü  Hostname

ü  HTTP/HTTPS Port

ü  Priority

ü  Weight

Example configuration:

  • Origin host: myapp.azurewebsites.net
  • HTTP port: 80
  • HTTPS port: 443
  • Priority: 1
  • Weight: 100

Step 5: Configure Routing Rule

  1. Go to Routes
  2. Click Add Route
  3. Configure:

ü  Domain

ü  Path pattern: /*

ü  Accepted Protocols: HTTP + HTTPS

ü  Forwarding Protocol: HTTPS only

ü  Origin Group

This connects frontend to backend.

Step 6: Enable HTTPS with Managed Certificate

  1. Go to Custom Domains
  2. Add Custom Domain (e.g., www.contoso.com)
  3. Validate DNS (CNAME to Azurefd.Net)
  4. Enable HTTPS
  5. Choose:

ü  Azure-Managed Certificate

ü  Custom Certificate

6. Configuration via PowerShell

Install required modules:

Install-Module Az.Cdn

Login:

Connect-AzAccount

Create Front Door Profile:

New-AzFrontDoorCdnProfile `
 -ResourceGroupName RG-FD `
 -Name FD-Profile `
 -SkuName Standard_AzureFrontDoor

Create Endpoint:

New-AzFrontDoorCdnEndpoint `
 -ResourceGroupName RG-FD `
 -ProfileName FD-Profile `
 -Name fd-endpoint `
 -Location Global

Create Origin Group:

New-AzFrontDoorCdnOriginGroup `
 -ResourceGroupName RG-FD `
 -ProfileName FD-Profile `
 -EndpointName fd-endpoint `
 -Name origin-group `
 -ProbePath "/health" `
 -ProbeProtocol Https

Add Origin:

New-AzFrontDoorCdnOrigin `
 -ResourceGroupName RG-FD `
 -ProfileName FD-Profile `
 -EndpointName fd-endpoint `
 -OriginGroupName origin-group `
 -Name app-origin `
 -HostName myapp.azurewebsites.net `
 -HttpPort 80 `
 -HttpsPort 443

Create Route:

New-AzFrontDoorCdnRoute `
 -ResourceGroupName RG-FD `
 -ProfileName FD-Profile `
 -EndpointName fd-endpoint `
 -Name default-route `
 -OriginGroupName origin-group `
 -SupportedProtocol Http,Https `
 -ForwardingProtocol HttpsOnly `
 -PatternsToMatch "/*"

7. Web Application Firewall Configuration

Create WAF Policy

  1. Go to WAF Policies
  2. Select Front Door
  3. Choose OWASP Rule Set Version
  4. Configure:

ü  Prevention Mode

ü  Custom rules

ü  IP Filtering

Associate WAF to Endpoint:

  1. Go to Security
  2. Link WAF Policy
  3. Apply

8. Health Probes and Failover

Azure Front Door continuously checks:

  • Backend Availability
  • HTTP Status Codes
  • Response Time

If backend fails:

  • Traffic Reroutes to Healthy Origin
  • Automatic Failover Occurs

Best practice:

  • Create dedicated /Health Endpoint
  • Avoid Heavy Probe Responses
  • Keep Response Lightweight

9. Advanced Features

  1. URL Rewrite Rules
  2. Geo-Filtering
  3. Rate Limiting
  4. Bot Protection
  5. Private Link Origins
  6. Caching Policies

10. Security Best Practices

  1. Always enable HTTPS Only
  2. Enable WAF in Prevention Mode
  3. Use Azure-Managed Certificates
  4. Restrict Backend Access to Front Door Only
  5. Enable Logging to Log Analytics
  6. Monitor with Azure Monitor

11. Monitoring and Diagnostics

Enable:

  1. Diagnostic Settings
  2. Send Logs to:

ü  Log Analytics

ü  Storage Account

ü  Event Hub

Key logs:

  • Access Logs
  • WAF Logs
  • Health Probe Logs

Example KQL Query:

AzureDiagnostics
| where ResourceType == "FRONTDOORS"
| summarize count() by clientIP_s

12. Common Use Cases

  1. Multi-region web apps
  2. Disaster recovery
  3. E-Commerce Global Platforms
  4. API Acceleration
  5. Secure SaaS Exposure

13. Do’s and Don’ts

Do

  • Use separate origin groups for DR
  • Use WAF with custom rules
  • Enable logging from day one
  • Use HTTPS-only backend

Don’t

  • Expose backend publicly without restrictions
  • Skip health probes
  • Use default routing without testing
  • Ignore latency-based routing

14. Comparison with Application Gateway

Feature

Front Door

Application Gateway

Scope

Global

Regional

Layer

7

7

WAF

Yes

Yes

Load Balancing

Global

Regional

CDN

Integrated

No

15. Final Architecture Recommendation

For enterprise deployment:

  1. Deploy App in Multiple Regions
  2. Protect Backend with NSG Rules
  3. Use Private Link for Premium
  4. Enable WAF in Prevention
  5. Enable Azure DDoS Protection
  6. Monitor Continuously

 

If you would like to explore this topic in greater depth, see my book Azure Front Door Design Security Performance and Global Application Delivery, where the subject is covered in much greater detail. The guide expands on the concepts discussed in this article with deeper architectural explanations, service capabilities, and step-by-step implementation using Azure Portal, Azure CLI, Terraform, and Bicep. It also includes real-world deployment, configuration, and troubleshooting scenarios designed for IT professionals, administrators, and cloud architects. All of my books include detailed architectural diagrams and practical deployment examples using PowerShell, Azure CLI, Terraform, and Bicep.

0 comments

Leave a comment

Please note, comments need to be approved before they are published.