This chapter covers Azure Front Door, a global application delivery network and load balancer that optimizes traffic routing, accelerates content delivery, and enhances security for web applications. For AZ-900, this falls under Objective 2.3 (Describe core Azure architecture services) and constitutes approximately 5-10% of the exam. Understanding Front Door is critical because it integrates multiple Azure services—load balancing, web application firewall (WAF), content delivery network (CDN), and SSL termination—into a single, globally distributed solution.
Jump to a section
Imagine you run a chain of coffee shops in New York, London, and Tokyo. Customers worldwide visit your website to order coffee. Without a smart system, a customer in Berlin might be routed to the New York server, causing slow load times. Azure Front Door acts like a global traffic director. When a customer clicks your site, Front Door instantly checks their location, the health of each regional server (coffee shop), and the fastest route. It then directs the customer to the nearest available shop—say, London—reducing latency. But it doesn't stop there. If the London shop has a power outage, Front Door reroutes future customers to New York or Tokyo automatically. It also caches popular menu items (like the espresso blend) at edge locations closer to customers, so they don't have to travel all the way to a shop. Plus, it protects against DDoS attacks, like a bouncer checking IDs at the door. The mechanism is proactive: it continuously monitors server health and network paths, using anycast to route traffic to the closest healthy endpoint. This isn't just a simple redirect; it's a dynamic, intelligent orchestration based on real-time conditions.
What is Azure Front Door and What Business Problem Does It Solve?
Azure Front Door is a global, scalable entry point that uses Microsoft's global edge network to route HTTP/HTTPS traffic to your application endpoints. It solves the problem of delivering web applications with low latency and high availability to users worldwide. Without Front Door, a company with a single regional server would suffer slow load times for distant users. If that server fails, the entire app goes down. Front Door provides global load balancing, SSL offload, path-based routing, and a built-in web application firewall (WAF) to protect against common web exploits. It is a Layer 7 (application layer) load balancer, meaning it can make routing decisions based on HTTP headers, URL paths, cookies, or client IP addresses.
How It Works — Step-by-Step Mechanism
User Request: A user types your domain (e.g., www.contoso.com) into their browser. DNS resolves the domain to a Front Door frontend IP (anycast address).
Anycast Routing: Front Door uses anycast so that the request is routed to the nearest Microsoft edge point of presence (PoP). There are over 100 PoPs worldwide.
Traffic Inspection: The Front Door instance at the edge inspects the request — HTTP method, URL path, headers, cookies, and client IP.
Rule Evaluation: The request is matched against routing rules you define. For example, requests to /api/* go to a specific backend pool (e.g., App Service in West US), while /* goes to a static website in Azure Storage.
Health Probe Check: Front Door has probes that continuously check the health of each backend (e.g., an HTTP 200 response). Only healthy backends receive traffic.
Load Balancing: Among healthy backends, Front Door selects one using a load-balancing method (latency-based, priority, or weighted).
SSL Termination: Front Door terminates the SSL connection at the edge, decrypts the request, and forwards it to the backend over HTTP or HTTPS (re-encrypting if needed).
Caching: If enabled, Front Door caches static responses at the edge. Subsequent requests for the same content are served from cache, reducing load on the backend.
WAF Inspection: Before forwarding, the request passes through the WAF, which checks for SQL injection, XSS, and other attacks. Malicious requests are blocked.
Response: The backend processes the request and sends the response back to Front Door, which then forwards it to the user, optionally caching it.
Key Components, Tiers, and Pricing Models
Azure Front Door has two tiers: Standard and Premium. The Standard tier includes global load balancing, SSL termination, path-based routing, caching, and basic WAF (custom rules). The Premium tier adds managed WAF rule sets (OWASP), bot protection, private link support, and advanced security features. Pricing is based on outbound data transfer and rules processed. There is no upfront cost; you pay for what you use.
Frontend Host: The public DNS name (e.g., myapp-frontend.azurefd.net) or custom domain.
Backend Pool: A group of backend endpoints (App Services, Storage, VMs, etc.) with a load-balancing method.
Routing Rule: Maps a domain/path to a backend pool and defines caching, SSL, and WAF settings.
Health Probe: Configurable probe (interval, path, protocol) to check backend health.
WAF Policy: A set of rules (managed or custom) to filter malicious traffic.
Comparison to On-Premises Equivalent
On-premises, you might use a hardware load balancer like F5 BIG-IP or Citrix ADC. These are single-region, require manual scaling, and lack global anycast routing. Azure Front Door is cloud-native, globally distributed, and integrates with Azure services. It also includes a CDN and WAF, which on-premises would require separate appliances. The trade-off is that Front Door only works for HTTP/HTTPS traffic, whereas on-premises load balancers can handle any TCP/UDP protocol.
Azure Portal and CLI Touchpoints
In the Azure portal, you create a Front Door profile under "Front Doors and CDN profiles." You then configure frontend hosts, backend pools, routing rules, and health probes. The CLI allows scripting:
az network front-door create --name myFrontDoor --resource-group myRG \
--backend-address myapp.azurewebsites.netTo add a routing rule:
az network front-door routing-rule create --front-door-name myFrontDoor \
--name apiRule --resource-group myRG --frontend-endpoints myFrontend \
--accepted-protocols Https --patterns /api/* --route-to-backend-pool myAPIPoolARM templates and Bicep are also supported for infrastructure as code.
Create a Front Door Profile
In the Azure portal, search for 'Front Door' and click 'Create'. Choose a subscription, resource group, and a globally unique name for the Front Door profile. Select the tier (Standard or Premium). The profile acts as the container for all routing rules, backend pools, and security policies. Behind the scenes, Azure deploys the Front Door configuration across multiple edge PoPs. The name becomes part of the default frontend host (e.g., myfrontdoor.azurefd.net). Note: You cannot change the tier after creation.
Configure Frontend Host and Domain
Add a frontend host — either the default *.azurefd.net domain or a custom domain (e.g., www.contoso.com). For custom domains, you must validate ownership by adding a CNAME or TXT record in your DNS. Front Door will automatically provision an SSL certificate for the custom domain (if using Front Door-managed cert) or you can upload your own. The frontend host is the public endpoint that users connect to.
Define Backend Pools
A backend pool is a group of backend resources (e.g., App Services, Storage, VMs) that serve your application. You specify the load-balancing method: Latency (routes to the backend with lowest latency), Priority (activates a primary and failover backends), or Weighted (distributes traffic based on weights). You also configure health probes: set the path (e.g., /health), interval (default 30 seconds), and protocol (HTTP or HTTPS). Only backends that respond with 200 OK are considered healthy.
Create Routing Rules
Routing rules map incoming requests (based on domain, path pattern, and protocols) to a backend pool. For example, a rule might say: if domain = www.contoso.com and path starts with /api, route to the 'API Backend Pool'. You can also enable caching for static content, set forwarding protocol (HTTP or HTTPS), and associate a WAF policy. Rules are evaluated in order; the first matching rule is applied.
Enable Web Application Firewall
In the Premium tier, you can attach a WAF policy to your Front Door. The WAF can be in Detection mode (log only) or Prevention mode (block). Managed rule sets like OWASP 3.2 protect against SQL injection, XSS, and other common attacks. You can also add custom rules to allow or block traffic based on IP, geo-location, or request parameters. The WAF runs at the edge, blocking malicious traffic before it reaches your backend.
Test and Monitor
After configuration, test by navigating to your frontend host. Use Azure Monitor to view metrics like request count, latency, and WAF blocked requests. Set up alerts for backend health degradation. Front Door also logs requests that you can send to Log Analytics for deeper analysis. Common issues include misconfigured health probes (e.g., wrong path) causing backends to be marked unhealthy, or caching stale content.
Scenario 1: Global E-Commerce Platform A retail company with customers in North America, Europe, and Asia runs an e-commerce site on Azure App Services deployed in three regions: West US, West Europe, and Southeast Asia. Without Front Door, users in Asia experience high latency because DNS might route them to the US. The company deploys Azure Front Door with latency-based routing. Now, a user in Tokyo is automatically directed to the Southeast Asia backend. If that region experiences an outage, Front Door reroutes to West Europe. The company also caches product images and CSS at the edge, reducing load on the App Services. They enable WAF to block SQL injection attempts. Cost: data transfer costs for outbound traffic from the edge, plus a small per-rule fee. A common mistake is not setting health probes correctly — if the probe path is / instead of /health, the backend might be marked unhealthy if the root page is dynamic and slow to respond.
Scenario 2: Multi-Region API for Financial Services A fintech company exposes APIs to partners globally. They need low latency and high security. They deploy Azure Front Door Premium with path-based routing: /api/v1/* goes to a backend pool of VMs in US East, /api/v2/* goes to a containerized app in UK South. They use priority routing: the primary backend is US East, with UK South as failover. The WAF blocks requests from countries where they don't operate. They also use private link to connect Front Door to their VNets, so traffic never goes over the public internet. The challenge: they initially set the health probe interval too short (5 seconds), causing false positives. They changed it to 30 seconds. Also, they forgot to enable SSL termination at Front Door, causing double encryption overhead.
Scenario 3: Media Streaming Platform A streaming service uses Azure Front Door to route traffic to origin servers and cache video segments at the edge. They use query-string caching to differentiate video quality (e.g., ?quality=1080p). However, they misconfigured the cache duration — set too long, so users saw stale content after a new episode was uploaded. They fixed it by setting a shorter cache duration for video segments and using cache purging to invalidate old content. They also use WAF to block bots that were scraping their content.
Exam Objective 2.3: Describe core Azure architecture services includes Azure Front Door. The exam expects you to know:
Front Door is a global load balancer for HTTP/HTTPS traffic (Layer 7).
It supports path-based routing, SSL termination, caching, and WAF.
It uses anycast to route users to the nearest edge PoP.
Health probes monitor backend availability.
Two tiers: Standard (basic) and Premium (advanced security and private link).
Common Wrong Answers and Why Candidates Choose Them: 1. "Front Door is the same as Azure Traffic Manager." Wrong because Traffic Manager is DNS-based (Layer 3/4) and does not inspect HTTP paths or terminate SSL. Candidates confuse them because both route global traffic. Remember: Traffic Manager = DNS traffic routing; Front Door = HTTP/HTTPS application delivery with WAF and caching. 2. "Front Door only works with Azure App Service." Wrong because it supports any HTTP/HTTPS backend, including on-premises servers via private link. Candidates assume it's Azure-only. 3. "Front Door Premium is always needed for WAF." Wrong because Standard includes a basic WAF (custom rules). Premium adds managed rule sets and bot protection. Candidates think WAF is only Premium. 4. "Front Door caches all content by default." Wrong because caching is optional and must be enabled per routing rule. Default is no caching. Candidates confuse it with Azure CDN.
Specific Terms and Values on the Exam: - "Anycast" appears as the routing method. - "Health probe" interval default is 30 seconds. - "Path-based routing" is a key feature. - "SSL offload" or "SSL termination" at the edge. - "WAF" with OWASP rules. - "Private link" support only in Premium.
Edge Cases and Tricky Distinctions: - Front Door vs. Application Gateway: Application Gateway is regional (single region), while Front Door is global. Application Gateway can handle HTTP/HTTPS and also Layer 4 (e.g., SQL Server) via its v2 SKU? No, Application Gateway is Layer 7 only. The exam may ask which service to use for global routing: answer is Front Door. - Caching behavior: Front Door caches based on cache-control headers from the backend. If the backend sends Cache-Control: no-cache, Front Door will not cache. - Session affinity: Front Door supports session affinity via a cookie (ARRAffinity), but it is not enabled by default.
Memory Trick: "Front Door is the global application delivery superhero: it routes (Layer 7), protects (WAF), accelerates (caching), and secures (SSL)." Decision tree: If you need global HTTP load balancing with security, choose Front Door. If you need DNS-based routing (no HTTP inspection), choose Traffic Manager. If you need regional load balancing with SSL termination, choose Application Gateway.
Azure Front Door is a global Layer 7 load balancer that routes HTTP/HTTPS traffic to the nearest healthy backend using anycast.
It supports path-based routing, SSL termination, caching, and a web application firewall (WAF).
Health probes monitor backend health with a default interval of 30 seconds; only healthy backends receive traffic.
Two tiers: Standard (basic WAF, custom rules) and Premium (managed WAF rules, bot protection, private link).
Front Door can use custom domains with automatic SSL certificate provisioning via Azure-managed certificates.
Pricing is based on outbound data transfer and number of rules processed; no upfront costs.
Unlike Traffic Manager, Front Door can inspect HTTP headers and paths, making it suitable for microservices with path-based routing.
Caching is optional and must be configured per routing rule; it respects cache-control headers from the backend.
These come up on the exam all the time. Here's how to tell them apart.
Azure Front Door
Layer 7 (HTTP/HTTPS) load balancer
Anycast routing to nearest edge PoP
Supports path-based routing, SSL termination, caching, WAF
Health probes check application-level health (HTTP 200)
Global service with per-rule pricing
Azure Traffic Manager
DNS-based (Layer 3/4) traffic routing
Directs clients via DNS responses
No HTTP inspection, no SSL, no caching, no WAF
Health probes check endpoint availability (TCP/HTTP)
Global service with per-million DNS query pricing
Azure Front Door
Global (multi-region) load balancing
Anycast routing to edge
Built-in CDN caching
WAF with managed rules (Premium)
Supports private link (Premium)
Azure Application Gateway
Regional (single region) load balancing
Routes within a region
No CDN caching (can be combined with Azure CDN)
WAF with managed rules (v2 SKU)
No private link support
Mistake
Azure Front Door is just a global load balancer like Traffic Manager.
Correct
Front Door is a Layer 7 application delivery controller that can inspect HTTP headers and paths, terminate SSL, cache content, and apply WAF rules. Traffic Manager is DNS-based (Layer 3/4) and does not inspect HTTP traffic.
Mistake
Front Door automatically caches all responses.
Correct
Caching is optional and must be enabled per routing rule. Front Door respects cache-control headers from the backend. Without explicit caching rules, responses are not cached.
Mistake
You must use a custom domain with Front Door.
Correct
You can use the default *.azurefd.net domain. Custom domains are optional but recommended for production.
Mistake
Front Door Premium is required for any WAF functionality.
Correct
Standard tier includes a basic WAF with custom rules. Premium adds managed rule sets (OWASP) and bot protection.
Mistake
Front Door can only route to Azure backends.
Correct
Front Door can route to any HTTP/HTTPS endpoint, including on-premises servers, as long as they are reachable over the internet or via private link (Premium).
Azure Front Door is a Layer 7 (HTTP/HTTPS) global load balancer that can inspect request paths, headers, and cookies, and provides SSL termination, caching, and WAF. Traffic Manager is DNS-based (Layer 3/4) and routes traffic by returning different DNS responses; it cannot inspect HTTP traffic. For exam AZ-900, remember: Front Door for HTTP/HTTPS application delivery; Traffic Manager for DNS-level traffic distribution.
Yes, Azure Front Door supports WebSocket connections. When a client initiates a WebSocket upgrade request, Front Door forwards the upgrade to the backend and maintains the persistent connection. This is transparent to the user. However, caching is not applied to WebSocket traffic because it is not HTTP-based.
Yes, Azure Front Door can route traffic to any HTTP/HTTPS endpoint that is reachable over the internet. For private connectivity, the Premium tier supports private link, allowing Front Door to connect to endpoints inside a virtual network without exposing them to the internet. This is useful for hybrid scenarios.
Front Door terminates SSL at the edge. You can either use a Front Door-managed certificate (automatically provisioned and rotated) for custom domains, or upload your own certificate. The backend can then communicate over HTTP or HTTPS (with a separate certificate). This offloads SSL processing from your backend servers.
The default health probe interval is 30 seconds. You can configure it between 5 and 300 seconds. A shorter interval detects failures faster but increases probe traffic. The probe sends an HTTP GET request to the configured path (default '/') and expects a 200 OK response.
Yes, but caching is controlled by the backend's cache-control headers. If the backend sends 'Cache-Control: public, max-age=3600', Front Door will cache the response for 3600 seconds. You can also override cache behavior via Front Door's caching rules. For dynamic content that changes frequently, you may want to disable caching or set a short duration.
Standard tier includes global load balancing, SSL termination, path-based routing, caching, and a basic WAF with custom rules. Premium tier adds managed WAF rule sets (OWASP), bot protection, private link support, and advanced security reporting. For exam, know that Premium is for enhanced security and private connectivity.
You've just covered Azure Front Door — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?