This chapter covers Azure Front Door and Azure CDN profiles, two critical services for global traffic management and content delivery on Azure. For the AZ-104 exam, understanding the differences between these services, their routing methods, caching behaviors, and security features is essential. Approximately 10-15% of networking questions touch on Front Door or CDN, often in scenarios comparing them to Traffic Manager or Application Gateway. You will learn how to configure profiles, endpoints, rules, and caching, and how to troubleshoot common misconfigurations.
Jump to a section
Azure Front Door is like a high-tech express lane at a massive distribution center. Imagine you have multiple warehouses (origin servers) across the globe, each holding the same products (your application content). When a customer places an order (HTTP request), they first hit the express lane—Front Door. Front Door checks its route board (routing rules) to decide which warehouse is closest and least busy, then sends the order there. But it also remembers the customer's address (session affinity) and can inspect the package for hazardous materials (WAF). Meanwhile, Azure CDN is like a network of local pickup lockers (edge caches) placed in neighborhoods. When a customer orders a popular item, the lockers already have it stocked from a recent bulk delivery, so the customer grabs it instantly without waiting for a warehouse shipment. The lockers only hold items that are in high demand (cacheable content). If an item isn't in the locker, it fetches it from the nearest warehouse (origin) and keeps a copy for the next customer. Front Door and CDN work together: Front Door handles the dynamic routing and security at the global entry point, while CDN accelerates static content delivery by caching at the edge. They can be used separately or combined, but each has distinct capabilities: Front Door is layer 7 load balancing with global traffic routing, SSL offload, and path-based routing; CDN is primarily for static content caching with compression and geo-filtering.
What is Azure Front Door?
Azure Front Door is a global, scalable entry point that uses HTTP/S and layer 7 routing to direct traffic to your application backends. It operates at the edge of Microsoft's global network, providing capabilities like SSL termination, path-based routing, URL rewrite, session affinity, and Web Application Firewall (WAF) policies. Front Door is not a load balancer in the traditional sense; it is an application delivery controller (ADC) that routes traffic based on the request URL, headers, and cookies, not just source IP. It supports multi-region deployment and can failover automatically if a backend becomes unhealthy.
How Front Door Routes Traffic
Front Door uses a routing engine that evaluates each incoming request against a set of routing rules. Each rule has a frontend host (e.g., myapp.azurefd.net), a path pattern (e.g., /api/*), and a backend pool. The routing process: 1. Request arrives at the nearest edge location (POP) based on Anycast DNS. 2. Front Door inspects the Host header and path. 3. It matches against the first rule with a matching frontend host and path pattern. 4. It selects a backend from the pool using the configured routing method (latency, priority, or weighted). 5. It forwards the request, optionally rewriting the URL or adding headers.
Key Components of Front Door
Frontend Host: The public endpoint (e.g., myapp.azurefd.net). You can also bring custom domains.
Backend Pool: A group of backends (App Services, VMs, Storage, etc.) with health probe settings.
Routing Rule: Maps frontend host + path to a backend pool. Rules are evaluated in order (top-down).
Health Probe: Front Door probes backends every 30 seconds by default (configurable). It uses HTTP/HTTPS GET requests. A backend is considered unhealthy after 3 consecutive failures.
Session Affinity: Uses a cookie (ARRAffinity) to stick a client to the same backend for the session duration (default 30 minutes of inactivity).
Caching: Front Door can cache static content at the edge. Default cache duration is 7 days for static files, but you can set Cache-Control headers. Cache size per POP is limited (not configurable).
WAF: Integrated with Azure WAF to block common attacks (SQL injection, XSS) at the edge before reaching your backend.
Configuring Front Door via CLI
# Create a Front Door profile
az network front-door create --name myFrontDoor --resource-group myRG --backend-address 10.0.0.4:80
# Add a frontend endpoint
az network front-door frontend-endpoint create --front-door-name myFrontDoor --resource-group myRG --name myFrontend --host-name myapp.azurefd.net
# Add a backend pool
az network front-door backend-pool create --front-door-name myFrontDoor --resource-group myRG --name myBackendPool --backends '[{"address":"10.0.0.4","httpPort":80,"httpsPort":443}]' --load-balancing-settings '{"sampleSize":4,"successfulSamplesRequired":3}' --health-probe-settings '{"path":"/","protocol":"Http","intervalInSeconds":30}'
# Add a routing rule
az network front-door routing-rule create --front-door-name myFrontDoor --resource-group myRG --name myRule --frontend-endpoints myFrontend --backend-pool myBackendPool --accepted-protocols Http Https --patterns '/*'What is Azure CDN?
Azure Content Delivery Network (CDN) is a distributed network of servers that caches content closer to users. It supports two products: Azure CDN Standard from Microsoft (integrated with Azure) and Azure CDN from Verizon (premium features). CDN is optimized for static content (images, CSS, JS, videos) but can also accelerate dynamic content with dynamic site acceleration (DSA).
How CDN Caches Content
When a user requests content: 1. DNS resolves the CDN endpoint (e.g., mycdn.azureedge.net) to the nearest POP. 2. The POP checks its cache. If the content is cached and not expired, it returns it directly (cache hit). 3. If not cached (cache miss), the POP requests the content from the origin server, caches it according to Cache-Control headers, and serves it to the user. 4. Subsequent requests for the same content are served from cache until it expires.
Key CDN Settings
Caching Rules: You can create rules to override default caching behavior. For example, set cache duration to 1 hour for .jpg files.
Compression: CDN can compress responses (gzip, brotli) to reduce size.
Geo-filtering: Restrict access based on country code.
Purge: Clear cached content manually (e.g., after updating a file). Purging can be done by path or wildcard. There is no cost for purge, but there is a limit of 50 purges per minute per subscription.
Preload: Pre-populate cache for new content (only for Verizon premium).
Configuring CDN via CLI
# Create a CDN profile
az cdn profile create --name myCDN --resource-group myRG --sku Standard_Microsoft
# Create an endpoint
az cdn endpoint create --name myEndpoint --profile-name myCDN --resource-group myRG --origin www.example.com --origin-host-header www.example.com
# Add a custom domain
az cdn custom-domain create --endpoint-name myEndpoint --profile-name myCDN --resource-group myRG --host-name www.mycustomdomain.com
# Purge cache
az cdn endpoint purge --endpoint-name myEndpoint --profile-name myCDN --resource-group myRG --content-paths '/*'Front Door vs CDN: When to Use Which?
Front Door is your choice when you need:
Global HTTP load balancing with instant failover.
Path-based routing to different backends (e.g., /api to one pool, /images to another).
SSL offload and custom domain support.
WAF integration for security.
Session affinity for stateful applications.
CDN is your choice when you need:
High-performance static content delivery with caching.
Dynamic site acceleration.
Large-scale video streaming.
Simple caching rules without complex routing.
They can be combined: Place Front Door in front of CDN to add routing and WAF, while CDN caches static content. However, this adds latency due to extra hop. Typically, you use one or the other based on primary need.
Interaction with Traffic Manager and Application Gateway
Traffic Manager is DNS-based (layer 3/4) and does not inspect HTTP headers. It routes by DNS response only. Front Door is layer 7 and can route by URL path, cookies, etc.
Application Gateway is a regional layer 7 load balancer within a single region. Front Door is global across regions. You can place Application Gateway behind Front Door for regional load balancing and WAF.
Default Values and Timers
Front Door health probe interval: 30 seconds (default), can be set between 5 and 120 seconds.
Front Door unhealthy threshold: 3 consecutive failures (not configurable).
Front Door session affinity cookie timeout: 30 minutes of inactivity (not configurable).
CDN default cache expiration: 7 days for static files, but origin Cache-Control header takes precedence.
CDN purge limit: 50 paths per minute per subscription.
CDN standard Microsoft SKU does not support custom rules for caching (only global settings). Verizon SKU supports rules engine.
Step-by-Step: Configuring Front Door with Two Backend Pools
Create Front Door profile with two backend pools: one for production App Service, one for staging.
Add frontend host with custom domain (e.g., www.myapp.com) and configure SSL certificate (Azure Key Vault or Front Door managed).
Create routing rules: Rule 1 matches /api/* and routes to production pool with priority 1. Rule 2 matches /* and routes to production pool with priority 2 (catch-all).
Configure health probes for each pool: probe path /health, interval 30 seconds.
Enable caching for static content: add caching rule for /images/* with cache duration 1 hour.
Apply WAF policy to frontend host: enable managed rule sets for SQL injection and XSS.
Test failover: stop the production backend, observe that Front Door marks it unhealthy after 3 probes (90 seconds) and routes traffic to staging (if configured) or returns 503.
Common Pitfalls
Misconfigured health probes: If the probe path returns 200 but the application is broken, Front Door will still route traffic. Always probe a specific health endpoint.
Caching dynamic content: If you cache API responses, users may get stale data. Use Cache-Control: no-cache for dynamic endpoints.
Session affinity not working: Ensure the backend is configured to honor the ARRAffinity cookie. If you have multiple instances, they must share session state (e.g., Redis cache).
SSL certificate mismatch: When using custom domain, the certificate must match the domain name. Front Door managed certificates auto-renew but require domain validation.
Create Front Door Profile
Use Azure portal, CLI, or PowerShell to create a Front Door resource. Specify the resource group, name, and pricing tier (Standard or Premium). Standard includes WAF and routing; Premium adds private link support. Under the hood, this provisions a global anycast endpoint at Microsoft edge POPs. The profile is the container for all frontend hosts, backend pools, and routing rules.
Configure Backend Pools
Define one or more backend pools containing backend addresses (e.g., App Service, VM, Storage). Each backend can have a weight and priority. For each pool, configure health probe settings: path (e.g., /health), protocol (HTTP/HTTPS), interval (default 30 sec), and timeout (default 5 sec). Also configure load balancing settings: sample size (default 4) and successful samples required (default 3). These determine how many successful probes are needed to consider a backend healthy.
Add Frontend Host and Custom Domain
Create a frontend endpoint with a host name (e.g., myapp.azurefd.net). Optionally add a custom domain (e.g., www.contoso.com) and configure HTTPS. For custom domain, you must validate ownership via DNS TXT record or CNAME. Front Door can automatically manage SSL certificates via Azure Key Vault or provide a Front Door managed certificate (free, auto-renewed). The SSL handshake occurs at the edge, not at the backend, reducing backend load.
Create Routing Rules
Define routing rules that map a frontend host and path pattern to a backend pool. Rules are evaluated in order; the first match wins. You can specify accepted protocols (HTTP, HTTPS), patterns (e.g., /api/*, /images/*), and URL rewrite/redirect actions. For example, a rule can redirect HTTP to HTTPS, or rewrite /api/v1/* to /api/*. You can also enable caching per rule with specific cache duration.
Apply WAF Policy
Associate a Web Application Firewall policy with the Front Door profile or a specific frontend host. WAF policies include managed rule sets (e.g., Microsoft_DefaultRuleSet_2.1) and custom rules. Managed rules block common attacks like SQL injection and XSS. You can set the policy to Detection (log only) or Prevention (block). WAF inspection happens at the edge, before the request reaches your backend, reducing attack surface.
Enterprise Scenario 1: Global E-commerce Platform
A large e-commerce company with users worldwide deploys Azure Front Door to route traffic to two regional backend deployments: one in US East (primary) and one in West Europe (secondary). They use latency-based routing to send users to the nearest healthy backend. The platform serves both dynamic API calls and static images. They configure caching rules: for /images/*, cache for 24 hours; for /api/*, no caching. They also enable WAF to block SQL injection attempts. During a regional outage, Front Door automatically fails over to the secondary region within 90 seconds (3 health probe intervals). The company monitors Front Door metrics (request count, latency, health probe status) in Azure Monitor. Misconfiguration: Initially, they set the health probe path to the root '/' which returned a 200 even when the database was down, causing traffic to be sent to a broken backend. They fixed it by creating a dedicated /health endpoint that checks database connectivity.
Enterprise Scenario 2: Media Streaming Service
A video streaming service uses Azure CDN from Verizon to deliver video files (MP4, HLS) to millions of users. They set up a CDN endpoint with origin pointing to Azure Blob Storage. They enable compression for text files and set cache expiration to 7 days for video files. To handle live streaming, they use dynamic site acceleration (DSA) which optimizes TCP and route to reduce latency. They also implement geo-filtering to block content in restricted countries. Common issue: When they updated video files, users still saw old versions because cache hadn't expired. They now use CDN purge to clear cache for specific files after updates. Purge is limited to 50 paths per minute, so they use wildcard purges sparingly.
Enterprise Scenario 3: Multi-region SaaS Application
A SaaS provider combines Front Door and CDN. They use Front Door for global load balancing and routing to regional App Services. For static assets (JavaScript, CSS), they use Azure CDN from Microsoft with a custom domain. They configure Front Door to forward requests for /static/* directly to the CDN endpoint (by setting the backend to the CDN endpoint). This offloads static content delivery from the App Service. However, they found that double caching (Front Door and CDN) caused issues with cache invalidation. They resolved by disabling caching on Front Door for the /static/* rule and relying solely on CDN. Performance improved by 40% for static assets.
What AZ-104 Tests on Front Door and CDN
AZ-104 objective 4.2 covers "Configure and manage Azure Front Door and CDN profiles." Exam questions focus on:
Differences between Front Door, Traffic Manager, Application Gateway, and CDN.
Routing methods: latency, priority, weighted.
Health probe configuration: intervals, thresholds, paths.
Caching behavior: default durations, cache rules, purging.
WAF integration with Front Door.
Custom domain and SSL certificate management.
CDN SKUs (Standard Microsoft, Standard/Premium Verizon) and their features.
Common Wrong Answers and Why
"Front Door uses DNS-based routing like Traffic Manager." Wrong. Front Door uses Anycast and layer 7 routing, not DNS. Traffic Manager uses DNS responses. Candidates confuse because both are global.
"CDN can cache dynamic API responses by default." Wrong. CDN only caches static content unless dynamic site acceleration is used. API responses typically have Cache-Control: no-cache, so CDN will not cache them. Candidates assume CDN caches everything.
"Front Door requires a public IP address for each backend." Wrong. Backends can be private IPs if Front Door is integrated with Private Link (Premium SKU). Standard SKU requires public endpoints. Candidates think backends must always be internet-accessible.
"You can use Front Door as a regional load balancer." Wrong. Front Door is global; for regional, use Application Gateway. Candidates confuse scope.
Specific Numbers and Terms
Health probe interval: 30 seconds default, range 5-120 seconds.
Unhealthy threshold: 3 consecutive failures (not configurable).
Session affinity timeout: 30 minutes of inactivity.
CDN purge limit: 50 paths per minute per subscription.
CDN default cache: 7 days for static files.
Front Door routing methods: Latency, Priority, Weighted.
WAF SKUs: Front Door Standard includes WAF; Premium includes Private Link.
Custom domain validation: CNAME or TXT record.
Edge Cases
Multiple routing rules with overlapping paths: The first matching rule wins. If you have a rule for /api/* and another for /*, the /api/* rule must be listed first.
Health probe for HTTPS backends: If your backend uses HTTPS with a self-signed certificate, Front Door will consider it unhealthy because it cannot validate the certificate. Use a trusted certificate or disable certificate validation (not recommended).
Session affinity with multiple backend pools: If a user is routed to one pool and then a rule changes, they might lose affinity. Session affinity is per backend pool, not global.
CDN purge after updating origin: If you purge but the origin still has stale content due to CDN's own caching (e.g., origin is also behind a CDN), you need to purge the origin CDN as well.
Eliminating Wrong Answers
When you see a question about global routing with path-based rules, eliminate Traffic Manager and Application Gateway. Traffic Manager cannot inspect paths; Application Gateway is regional. If the question mentions caching static content, choose CDN over Front Door unless it also requires routing. If it mentions WAF, Front Door is likely the answer (though Application Gateway also has WAF, but it's regional). Pay attention to keywords like "global," "path-based," "cookie affinity," and "SSL offload" which point to Front Door.
Front Door is a global layer 7 load balancer; CDN is a content caching service.
Front Door supports path-based routing, session affinity, SSL offload, and WAF.
CDN caches static content based on Cache-Control headers; default cache duration is 7 days.
Health probe interval default is 30 seconds; unhealthy threshold is 3 failures (90 seconds).
Front Door routing methods: latency, priority, weighted.
CDN purge limit: 50 paths per minute per subscription.
Custom domains require DNS validation via CNAME or TXT record.
Front Door Standard includes WAF; Premium adds Private Link support.
These come up on the exam all the time. Here's how to tell them apart.
Azure Front Door
Global layer 7 load balancer with routing rules based on URL path, host, headers, and cookies.
Supports WAF integration for security at the edge.
Provides session affinity using ARRAffinity cookie.
Can perform SSL offload and URL rewrite/redirect.
Best for dynamic content and multi-region failover scenarios.
Azure CDN
Content delivery network optimized for caching static content at edge POPs.
Does not include WAF by default (can be added separately).
No session affinity; each request may hit different cache nodes.
Supports compression, geo-filtering, and purge operations.
Best for static assets like images, videos, and CSS files.
Front Door Routing (Latency)
Routes traffic to the backend with the lowest latency from the client's POP.
Useful for global distribution where you want users to reach the nearest healthy backend.
Requires health probes to ensure backend is healthy before considering latency.
No explicit primary/backup; all backends are active.
Latency is measured periodically by Front Door POPs.
Front Door Routing (Priority)
Routes traffic to the highest priority backend (lowest number) that is healthy.
Useful for active-passive scenarios, e.g., primary region with secondary as failover.
If primary fails, traffic goes to next priority backend.
Backends can have different weights within same priority for weighted distribution.
Priority is static; does not consider latency.
Mistake
Front Door and CDN are the same service with different names.
Correct
They are distinct services. Front Door is a global layer 7 load balancer with routing, WAF, and SSL offload. CDN is a content caching service optimized for static content. They can be used together but serve different purposes.
Mistake
Front Door can load balance TCP/UDP traffic.
Correct
Front Door only handles HTTP/HTTPS traffic (layer 7). For TCP/UDP, use Traffic Manager or Load Balancer.
Mistake
CDN caches all content by default.
Correct
CDN only caches content that is cacheable based on Cache-Control headers. Dynamic content with no-cache or private directives is not cached. You must configure caching rules to override.
Mistake
You must use a custom domain with Front Door.
Correct
Front Door provides a default *.azurefd.net domain. Custom domains are optional but recommended for production.
Mistake
Health probes must use the same port as the application.
Correct
Health probes can use a different port and path. For example, you can probe port 443 while the application runs on port 8080.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Front Door operates at layer 7 (HTTP/HTTPS) and can route based on URL path, headers, and cookies. It provides SSL offload, WAF, and session affinity. Traffic Manager operates at DNS level (layer 3/4) and routes based on DNS responses only. Traffic Manager cannot inspect HTTP headers or paths. Use Front Door for granular routing and security; use Traffic Manager for simple DNS-based traffic distribution.
Yes. You can add a custom domain to a CDN endpoint. You need to validate domain ownership by creating a CNAME record from your domain to the CDN endpoint hostname (e.g., cdnverify.azureedge.net). After validation, you can enable HTTPS with a certificate (CDN managed or your own).
Use the CDN purge feature. You can purge by full path (e.g., /images/logo.png) or wildcard (e.g., /images/*). Purge is immediate but may take a few minutes to propagate globally. There is a limit of 50 purge requests per minute per subscription. Alternatively, you can change the file name or version (cache-busting) to avoid cache issues.
Yes, Azure Front Door supports WebSocket traffic. WebSocket connections are proxied through Front Door to the backend. However, Front Door does not cache WebSocket traffic. Ensure your backend supports WebSocket and that no intermediary is blocking it.
Azure Front Door has two tiers: Standard and Premium. Standard includes global load balancing, SSL offload, path-based routing, and WAF. Premium adds Private Link support, enhanced security, and more advanced WAF features. Pricing is based on outbound data transfer and rule evaluations. CDN pricing varies by SKU (Microsoft, Verizon) and is based on data transfer and requests.
Yes, as long as the on-premises servers are accessible via public internet or via a VPN/ExpressRoute with proper routing. For private connectivity, use Front Door Premium with Private Link to access Azure-hosted backends privately. For on-premises, you can expose a public endpoint or use a reverse proxy.
Check that the backend is responding on the probe port and path. Ensure the backend firewall allows traffic from Front Door's IP ranges (downloadable from Azure). Verify that the probe URL returns a 200 status. If using HTTPS, the backend must have a valid certificate (not self-signed). Check Front Door metrics for health probe status.
You've just covered Azure Front Door and CDN Profiles — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?