This chapter covers Azure Traffic Manager, a DNS-based traffic load balancer that distributes incoming traffic across global Azure regions or external endpoints. Understanding Traffic Manager is crucial for the AZ-900 exam because it is a core networking service under the 'Azure Architecture and Services' domain, which typically accounts for 15-20% of the exam questions. By the end of this chapter, you will grasp how Traffic Manager improves application availability, performance, and resilience through intelligent traffic routing.
Jump to a section
Think of Azure Traffic Manager as a global flight dispatcher for an airline that has multiple hubs (your application endpoints) around the world. When a passenger (user) wants to fly from one city to another, the dispatcher doesn't just blindly send them to the nearest hub. Instead, the dispatcher considers several factors: Which hub has the shortest current queue (lowest latency)? Which hub has available seats (healthy endpoint)? Do we need to route passengers to a specific hub for VIP service (performance or geographic routing)? The dispatcher uses a DNS-based system—like a flight schedule board—that tells the passenger which hub to go to before they even leave home. The passenger's request first hits the dispatcher's DNS server, which responds with the IP address of the best hub based on the chosen routing method. The dispatcher continuously checks the health of each hub via health probes; if a hub is closed due to a storm (failure), the dispatcher stops sending passengers there. This is exactly how Traffic Manager works: it uses DNS to direct user traffic to the most appropriate endpoint based on performance, priority, geographic location, or weighted distribution, and it monitors endpoint health to avoid sending traffic to failed endpoints.
What is Azure Traffic Manager and What Business Problem Does It Solve?
Azure Traffic Manager is a DNS-based traffic load balancer that distributes incoming user traffic across multiple endpoints (such as Azure App Services, VMs, or external websites) hosted in different Azure regions or even on-premises. The primary business problem it solves is ensuring high availability and optimal performance for global applications. For example, a multinational e-commerce site needs to serve users from North America, Europe, and Asia with low latency and without downtime. Without Traffic Manager, all users would hit a single region, causing high latency for distant users and a single point of failure. Traffic Manager allows the application to be deployed in multiple regions and directs each user to the best region based on criteria like lowest latency, geographic proximity, or a weighted distribution.
How It Works — Step-by-Step Mechanism
Traffic Manager operates at the DNS level. Here's the step-by-step flow:
User makes a DNS request: The user types the application's domain name (e.g., app.contoso.com) into their browser. This triggers a DNS query to the internet's DNS system.
DNS resolution reaches Traffic Manager: The domain's DNS records (CNAME or ALIAS) point to the Traffic Manager profile's DNS name (e.g., contoso.trafficmanager.net). The DNS resolver then queries Traffic Manager's DNS servers.
Traffic Manager chooses an endpoint: Based on the configured routing method (Performance, Priority, Weighted, Geographic, Multivalue, or Subnet), Traffic Manager evaluates the health of all endpoints and selects the best one. For Performance routing, it uses the source IP of the DNS resolver to determine the lowest latency region. For Priority, it returns the highest-priority healthy endpoint.
Traffic Manager returns the endpoint IP: The Traffic Manager DNS server responds with the IP address (or CNAME) of the chosen endpoint. The user's browser then connects directly to that endpoint.
Health probes ensure availability: Traffic Manager periodically sends HTTP/HTTPS/TCP health probes to each endpoint. If an endpoint fails to respond (or returns a non-200 status), Traffic Manager marks it as degraded and stops routing traffic to it until it recovers.
Key Components, Tiers, and Pricing
Components: - Traffic Manager profile: A logical container that holds the DNS settings, routing method, endpoint monitoring configuration, and endpoints. - Endpoints: The destinations for traffic, which can be Azure endpoints (App Service, Cloud Service, VMs, etc.), external endpoints (on-premises or other cloud), or nested endpoints (other Traffic Manager profiles). - Routing methods: The algorithm used to select which endpoint to return. There are six methods: Performance, Priority, Weighted, Geographic, Multivalue, and Subnet. - Health probes: Configuration for how often and how to check endpoint health (protocol, port, path, interval, timeout, and number of failures).
Tiers and Pricing: Traffic Manager is a single service without tiers. Pricing is based on:
Number of DNS queries (first 1 billion queries per month free, then $0.40 per million queries).
Number of endpoints monitored (first 100 endpoints free, then $0.75 per endpoint per month).
No upfront costs or licensing.
Comparison to On-Premises Equivalent
On-premises, traffic distribution often uses hardware load balancers (e.g., F5, Citrix ADC) or DNS round-robin. Hardware load balancers are expensive, require maintenance, and are limited to a single data center. DNS round-robin is simple but lacks health checks and intelligent routing. Traffic Manager is a cloud-native, global DNS load balancer that provides health monitoring, multiple routing algorithms, and integration with Azure services, all without managing physical infrastructure.
Azure Portal and CLI Touchpoints
Portal: Navigate to 'Traffic Manager profiles' in the Azure portal. You can create a profile, add endpoints, configure routing method, and set up health probes via a graphical interface.
CLI: Use the az network traffic-manager commands. For example:
# Create a Traffic Manager profile
az network traffic-manager profile create \
--resource-group myResourceGroup \
--name myTMProfile \
--routing-method Performance \
--unique-dns-name myapp \
--monitor-protocol HTTPS \
--monitor-port 443 \
--monitor-path "/health"
# Add an endpoint
az network traffic-manager endpoint create \
--resource-group myResourceGroup \
--profile-name myTMProfile \
--name endpoint1 \
--type azureEndpoints \
--target-resource-id /subscriptions/.../.../sites/myWebAppPowerShell: Use the New-AzTrafficManagerProfile and Add-AzTrafficManagerEndpointConfig cmdlets.
Concrete Business Scenarios
Performance routing for a global SaaS app: A company deploys its app in US East, West Europe, and Southeast Asia. Traffic Manager routes users to the region with the lowest latency based on the DNS resolver's location, ensuring fast load times.
Priority routing for disaster recovery: An enterprise hosts its primary site in US East and a backup in US West. Traffic Manager is configured with Priority routing: endpoint1 (US East) has priority 1, endpoint2 (US West) has priority 2. Traffic always goes to US East unless health probes detect failure, then it fails over to US West.
Weighted routing for A/B testing: A startup wants to test a new feature on 10% of users. They create two endpoints: 'stable' with weight 90 and 'beta' with weight 10. Traffic Manager distributes traffic proportionally, allowing gradual rollout.
Create a Traffic Manager profile
In the Azure portal, search for 'Traffic Manager profiles' and click 'Create'. Provide a name for the profile (this becomes part of the DNS name, e.g., myapp.trafficmanager.net). Choose the routing method (Performance, Priority, Weighted, Geographic, Multivalue, or Subnet). The routing method determines how Traffic Manager selects endpoints. For example, Performance routes users to the endpoint with the lowest latency. You also configure the resource group and location (the location is the region where the profile metadata is stored, not where traffic is routed). Finally, set the DNS TTL (default 300 seconds) which controls how long DNS resolvers cache the response.
Add endpoints to the profile
After creating the profile, navigate to its 'Endpoints' blade and click 'Add'. Choose the endpoint type: 'Azure endpoint' for Azure services (App Service, VMs, etc.), 'External endpoint' for on-premises or other cloud endpoints, or 'Nested endpoint' to chain Traffic Manager profiles. Provide a name, target resource ID (for Azure endpoints) or FQDN (for external), and set the priority (1-1000) or weight (1-1000) depending on routing method. For Geographic routing, assign a geographic region to each endpoint. For Multivalue, you can set the maximum number of endpoints to return per query. Add at least two endpoints for high availability.
Configure health probes
In the Traffic Manager profile's 'Configuration' blade, set the health probe settings: protocol (HTTP, HTTPS, or TCP), port (default 80 or 443), path (for HTTP/HTTPS, e.g., '/health'), interval (default 30 seconds), timeout (default 10 seconds), and number of failures (default 3). Traffic Manager sends probes to each endpoint at the specified interval. If an endpoint fails to respond within the timeout or returns a non-200 status, it counts as a failure. After the configured number of consecutive failures, the endpoint is marked as degraded and removed from DNS responses until it passes a probe again. Ensure your application has a health endpoint that returns 200 OK.
Configure DNS to point to Traffic Manager
To use Traffic Manager, you need to update your custom domain's DNS records. Typically, you create a CNAME record that maps your domain (e.g., app.contoso.com) to the Traffic Manager profile's DNS name (e.g., myapp.trafficmanager.net). If you are using an apex domain (e.g., contoso.com), you may need an ALIAS record if your DNS provider supports it, or use a DNS provider that allows CNAME flattening. Note: Traffic Manager itself does not host the domain; it only responds to DNS queries. After updating DNS, propagation may take up to 48 hours but usually completes within minutes to hours.
Test and monitor the configuration
After configuration, test by accessing your domain from different geographic locations. Use tools like Azure Traffic Manager's built-in 'Monitor' blade to view endpoint health status (Online, Degraded, or CheckingEndpoint). You can also use the 'Metrics' blade to track query counts, endpoint status changes, and probe results. For troubleshooting, check that endpoints are reachable from the internet and that health probes are configured correctly. Common issues: health probe path returns 404, firewall blocks probes from Traffic Manager's IP addresses, or DNS TTL is too long causing slow failover.
Scenario 1: Global E-Commerce Platform
A large e-commerce company, 'ShopGlobal', serves customers worldwide. They deploy their web application in three Azure regions: US East, West Europe, and Southeast Asia. They use Traffic Manager with Performance routing to automatically direct users to the region with the lowest latency. The team configures health probes to check the '/health' endpoint every 30 seconds. During a regional outage in US East, Traffic Manager detects the failure after three consecutive probe failures (90 seconds) and stops returning that endpoint. Users from North America are then routed to West Europe, which has the next best latency. The failover time is acceptable for the business, but they consider reducing the probe interval to 10 seconds for faster detection. Cost: approximately $50/month for 10 million DNS queries and 3 endpoints. A common mistake is not setting up health probes correctly—if the health endpoint doesn't return 200, Traffic Manager marks the endpoint as degraded even if the app is working, causing unnecessary failover.
Scenario 2: Disaster Recovery for Financial Services
A bank, 'SecureBank', uses Traffic Manager with Priority routing for disaster recovery. The primary site is in US East (priority 1) and the secondary is in US West (priority 2). All traffic goes to the primary unless it fails. The bank configures health probes with TCP on port 443 to check if the HTTPS service is listening. During a planned maintenance, they manually disable the primary endpoint in the portal, causing Traffic Manager to route all traffic to the secondary. This allows zero-downtime maintenance. The team also uses nested Traffic Manager profiles to combine geographic routing for the primary site and priority for failover. A common pitfall is forgetting to update the DNS TTL—if set too high (e.g., 3600 seconds), users may still be directed to the failed primary for up to an hour. The bank sets TTL to 60 seconds for faster propagation.
Scenario 3: Multi-Region Media Streaming
A media company, 'StreamFast', uses Traffic Manager with Weighted routing to gradually roll out a new CDN provider. They have two endpoints: 'existing-cdn' with weight 90 and 'new-cdn' with weight 10. Traffic Manager distributes 10% of traffic to the new provider. They monitor performance and error rates; if the new provider performs well, they increase its weight gradually. This approach allows safe migration without impacting most users. A common issue is that weighted routing is based on DNS queries, not user sessions—if a user's DNS resolver caches the response, that user will stick to one endpoint for the TTL duration, which can skew the distribution. The team mitigates by setting a low TTL (60 seconds) and ensuring the resolver respects it.
What AZ-900 Tests on This Objective (Domain: Azure Architecture and Services, Objective 2.3)
The AZ-900 exam expects you to understand that Traffic Manager is a DNS-based traffic load balancer (not a network-level load balancer like Azure Load Balancer or Application Gateway). You need to know the six routing methods: Performance, Priority, Weighted, Geographic, Multivalue, and Subnet. Focus on Performance (routes based on lowest latency), Priority (for failover), and Weighted (for distribution). You should also know that Traffic Manager provides high availability and improved responsiveness by directing traffic to healthy endpoints. The exam may ask about the difference between Traffic Manager and Azure Load Balancer: Traffic Manager works at the DNS level (global), while Load Balancer works at the network layer (regional).
Common Wrong Answers and Why Candidates Choose Them
'Traffic Manager can distribute traffic within a single region.' – This is wrong because Traffic Manager is global; for regional distribution, use Azure Load Balancer. Candidates confuse the two services.
'Traffic Manager uses anycast routing.' – Wrong. Traffic Manager uses DNS, not anycast. Anycast is used by Azure Front Door. Candidates may associate 'traffic' with 'anycast'.
'Traffic Manager requires endpoints to be in the same Azure region.' – Wrong. Endpoints can be in any region or even on-premises. Candidates think of it as a regional load balancer.
'Traffic Manager can load balance TCP/UDP traffic at the network layer.' – Wrong. Traffic Manager is DNS-based; it only returns an IP address. Actual traffic goes directly to the endpoint. Candidates confuse it with Azure Load Balancer.
Specific Terms and Values That Appear on the Exam
DNS-based load balancing – This phrase appears verbatim.
Routing methods: Performance, Priority, Weighted, Geographic, Multivalue, Subnet.
Health probes: HTTP, HTTPS, TCP; interval (30s default), timeout (10s default), number of failures (3 default).
Endpoint types: Azure endpoints, external endpoints, nested endpoints.
SLA: 99.99% availability for Traffic Manager (if configured with at least two endpoints in different regions).
Edge Cases and Tricky Distinctions
Traffic Manager vs. Azure Front Door: Both are global, but Front Door is an application delivery network (Layer 7) with features like SSL offload, URL-based routing, and web application firewall. Traffic Manager is only DNS (Layer 3/4). The exam may present a scenario requiring SSL termination; the answer is Front Door, not Traffic Manager.
Traffic Manager vs. Azure Load Balancer: Load Balancer is regional and Layer 4; Traffic Manager is global and DNS. If the question mentions 'within a region', pick Load Balancer; if 'across regions', pick Traffic Manager.
Multivalue routing: Returns multiple healthy endpoints in a single DNS response; the client chooses randomly. This is rarely tested but can appear.
Subnet routing: Routes traffic based on the source IP subnet (e.g., route all users from a specific corporate IP range to a dedicated endpoint). Useful for testing or internal apps.
Memory Trick for Routing Methods
Use the acronym PPWGM (Performance, Priority, Weighted, Geographic, Multivalue). Subnet is less common. Remember: Performance = speed, Priority = failover, Weighted = percentage split, Geographic = location, Multivalue = multiple choices, Subnet = IP range.
Decision Tree for Wrong Answers
If the question asks for a 'global DNS-based load balancer', the answer is Traffic Manager. If it mentions 'regional load balancing', 'TCP/UDP traffic', or 'internal load balancing', it's Azure Load Balancer. If it mentions 'SSL offload', 'URL-based routing', or 'WAF', it's Azure Front Door. If it mentions 'content delivery' with caching, it's Azure CDN.
Azure Traffic Manager is a DNS-based traffic load balancer that distributes traffic globally across endpoints.
There are six routing methods: Performance, Priority, Weighted, Geographic, Multivalue, and Subnet.
Health probes monitor endpoint availability; default interval is 30 seconds, timeout 10 seconds, and 3 failures mark endpoint as degraded.
Traffic Manager supports Azure endpoints, external endpoints, and nested endpoints.
Traffic Manager does not handle network packets; it only responds to DNS queries with an endpoint IP.
The SLA for Traffic Manager is 99.99% when configured with at least two endpoints in different regions.
Traffic Manager is different from Azure Load Balancer (regional, Layer 4) and Azure Front Door (global, Layer 7).
These come up on the exam all the time. Here's how to tell them apart.
Azure Traffic Manager
Global DNS-based load balancer across regions
Routes at the DNS level (Layer 3/4)
Uses routing methods: Performance, Priority, Weighted, etc.
Cannot handle TCP/UDP traffic directly; only returns IP
Supports endpoints in multiple Azure regions or on-premises
Azure Load Balancer
Regional network load balancer (Layer 4)
Routes traffic at the transport layer (TCP/UDP)
Uses rules and probes to distribute traffic within a region
Can load balance any TCP/UDP traffic
Endpoints must be in the same region and virtual network
Azure Traffic Manager
DNS-based global load balancer
No SSL offloading or application layer inspection
Routes based on DNS queries only
No caching or content delivery network (CDN) capabilities
SLA: 99.99% availability
Azure Front Door
Application delivery network (Layer 7)
Supports SSL offloading, URL-based routing, and WAF
Routes based on HTTP/HTTPS request properties
Includes CDN and caching for static content
SLA: 99.99% availability
Mistake
Azure Traffic Manager is a network load balancer that distributes incoming traffic at the network layer.
Correct
Traffic Manager is a DNS-based load balancer. It does not inspect or redirect network packets; it only responds to DNS queries with an IP address of the best endpoint. Actual traffic flows directly from the client to the endpoint.
Mistake
Traffic Manager can only route traffic to Azure endpoints.
Correct
Traffic Manager supports three endpoint types: Azure endpoints (App Service, VMs, etc.), external endpoints (on-premises or other cloud), and nested endpoints (other Traffic Manager profiles).
Mistake
Traffic Manager automatically distributes traffic evenly across endpoints without configuration.
Correct
Traffic Manager uses a routing method that must be configured. For example, Weighted routing can achieve even distribution if weights are equal, but Priority routing sends all traffic to the highest-priority healthy endpoint.
Mistake
Traffic Manager can handle SSL termination and URL-based routing.
Correct
Traffic Manager operates at the DNS level and does not inspect HTTP headers or terminate SSL. For SSL offloading and URL-based routing, you need Azure Application Gateway or Azure Front Door.
Mistake
Traffic Manager provides a static IP address for the application.
Correct
Traffic Manager uses a DNS name (e.g., myapp.trafficmanager.net). The IP addresses returned are those of the endpoints, which can change. For a static IP, use Azure Front Door or Application Gateway.
Azure Traffic Manager is a global DNS-based load balancer that directs traffic across regions, while Azure Load Balancer is a regional network load balancer that distributes traffic within a single region. Traffic Manager works at the DNS level (Layer 3/4) and returns an IP address; Load Balancer works at the transport layer (Layer 4) and forwards actual network packets. Use Traffic Manager for multi-region failover and performance routing; use Load Balancer for distributing traffic within a virtual network.
With Performance routing, Traffic Manager uses the source IP address of the DNS resolver to determine the geographic location of the user. It then maintains a table of network latency between Azure regions and global locations. When a DNS query arrives, it returns the endpoint in the region that has the lowest latency for that user's location. This does not measure real-time latency; it uses historical latency data from Azure.
Yes, Traffic Manager supports external endpoints, which can be on-premises servers or services hosted in other clouds. You provide the FQDN of the external endpoint, and Traffic Manager will health probe it and include it in routing. Ensure the on-premises endpoint is accessible from the internet and that firewalls allow probes from Traffic Manager's IP range.
Failover time depends on health probe settings and DNS TTL. By default, probes occur every 30 seconds, and after 3 failures (90 seconds), the endpoint is marked degraded. However, DNS resolvers cache the previous response for the TTL duration (default 300 seconds). So total failover time can be up to 90 seconds (probe detection) + 300 seconds (DNS cache) = 390 seconds. To reduce failover time, lower the TTL to 60 seconds and reduce probe interval to 10 seconds.
No, Traffic Manager does not support sticky sessions because it operates at the DNS level. Each DNS query may return a different endpoint based on routing method and health. For session affinity, use Azure Application Gateway (with cookie-based affinity) or Azure Load Balancer (with source IP affinity).
Traffic Manager pricing is based on the number of DNS queries and endpoints monitored. The first 1 billion DNS queries per month are free, then $0.40 per million queries. The first 100 endpoints are free, then $0.75 per endpoint per month. There is no upfront cost. For a typical small application with 10 million queries and 3 endpoints, the cost is approximately $4 per month.
Yes, Geographic routing allows you to route traffic based on the geographic location of the DNS resolver (not the user directly). You can map regions (e.g., 'Europe', 'North America') to specific endpoints. This is useful for data sovereignty or regional compliance. Note that it uses the resolver's IP, which may not exactly match the user's location if the resolver is in a different region.
You've just covered Azure Traffic Manager — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?