The underlying technology of Azure Front Door has facilitated scaling and protection for many popular Microsoft services including Office 365, Xbox, LinkedIn, Bing, and Teams.
Azure Front Door can help transform enterprise applications into robust personalized modern applications. These applications boast high performance and content that reaches a global audience. Let us learn a little bit more about Azure Front Door.
What is Azure Front Door?
It is an application delivery network (ADN) as a service that offers various Layer 7 load-balancing capabilities for applications. The service is highly available, scalable, and fully managed by Azure.
Azure Front Door offers dynamic site acceleration (DSA) as well as global load balancing with near real-time failover. For enterprises that have a global reach, the performance of their web applications is greatly impacted by the proximity of the consumer.
For a better and more consistent experience, enterprises may use content delivery networks (CDNs) with several distribution points and deliver content to consumers rapidly because of optimized connections and proximity.
Azure Front Door service leverages the anycast protocol that goes beyond providing traditional CDN capabilities and offers advanced security capabilities including DDoS attack prevention.
The infrastructure for this globally distributed multi-tenant service is shared across all its customers. Creating a Front Door profile will define a specific configuration as per the requirements of an application. Changes made to a Front Door do not impact other Front Door configurations.
Core Capabilities of Azure Front Door
The following are the core capabilities of Azure Front Door:
- Application and API acceleration through the implementation of anycast to optimize the connectivity to Azure application services and reduce the latency for end users.
- SSL offload eliminates expensive decryption computation by endpoints and moves the function higher up in the stack.
- Global HTTP load balancing enables the construction of geo-distributed services by developers and allows Azure to determine endpoint availability and intelligent routing to local and available endpoints.
- Web Application Firewall (WAF) filtering at the edge protects against DDoS attacks or malicious users without disrupting backend services.
Features Supported by Azure Front Door
The key features of the Azure Front Door are mentioned below:
- Accelerated performance of applications with the help of split-TCP-based anycast protocol
- Hosting of multiple websites for efficient application infrastructure
- Cookie-based session affinity
- Intelligent health probe monitoring for backend resources
- URL-path-based routing for requests
- SSL offloading and certificate management
- Define custom domain
- Application security with integrated WAF
- URL redirect, which redirects HTTP traffic to HTTPS
- Custom forwarding path with URL rewrite
- Native support of end-to-end IPv6 connectivity and HTTP/2 protocol
Azure Front Door Architecture
Let us now understand the routing architecture of Azure Front Door. When it receives client requests, it will either answer them if caching is enabled or forward them to the right application backend as a reverse proxy.
Creating an Azure Front Door Architecture involves creating a frontend host. This acts as a global endpoint for the application. A backend pool is then required for configuring the backend services such as an app service web application. Finally, routing rules need to be established to route traffic from the frontend host configuration to the backend pool.
Additionally, load balancing functions send periodic heartbeats to the backend pool. This helps in the detection of the online status of endpoints. If an endpoint is not available, an alternative endpoint will be used to route the traffic.
How Does Azure Front Door Work?
Azure Front Door helps provide fast, secure, and scalable access to web applications. It also helps protect cloud-based apps and provides high-bandwidth content. How exactly does it do that? Let us take a look!
It optimizes the time required to access the content. Users connect to content that is hosted in a custom domain. Azure Front Door is employed at several edge locations. Its CDN features optimize the access to backend content with access security provided by the firewall.
Routing performed by Azure Front Door depends on the routing method selected and the backend health. It supports four routing methods:
- Latency: Ensures requests are sent to the lowest latency backends within the acceptable sensitivity range
- Priority: Implements administrator-assigned priorities to the backends whenever a primary backend needs to be configured to service all traffic
- Weighted: Uses administrator-assigned weights to backends when traffic needs to be distributed across a set of backends
- Session Affinity: Facilitates configuration of session affinity for frontend hosts or domains, ensuring requests from the same end-user are sent to the same backend
Azure Front Door performs backend health monitoring by periodically assessing the health of all configured backends. The responses from these backends determine the most responsive backend resources to route client requests.
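The selection logic described above, as an added example (a simplified model written for this article, not Azure's code). It assumes the filters apply in the order health, priority, latency, weight; the backend names, the `sensitivity_ms` parameter and the sample pool are constructed.

```python
import random
from dataclasses import dataclass

@dataclass
class Backend:
    name: str
    healthy: bool       # outcome of the periodic health probes
    priority: int       # administrator-assigned; lower number is preferred
    latency_ms: float   # latency measured from the edge location
    weight: int         # administrator-assigned share of traffic

def candidates(backends, sensitivity_ms=0.0):
    """Backends still eligible after the health, priority and latency filters."""
    live = [b for b in backends if b.healthy]
    if not live:
        return []       # this model returns nothing; it does not guess a backend
    top = min(b.priority for b in live)
    tier = [b for b in live if b.priority == top]
    fastest = min(b.latency_ms for b in tier)
    return [b for b in tier if b.latency_ms <= fastest + sensitivity_ms]

def pick(backends, sensitivity_ms=0.0, rng=random):
    """Weighted random choice among the eligible backends, or None."""
    pool = candidates(backends, sensitivity_ms)
    if not pool:
        return None
    return rng.choices(pool, weights=[b.weight for b in pool], k=1)[0]

def names(backends, sensitivity_ms=0.0):
    return [b.name for b in candidates(backends, sensitivity_ms)]

# Constructed pool: two primaries and one standby (hypothetical names).
POOL = [
    Backend("eu-west", True, 1, 20.0, 3),
    Backend("eu-north", True, 1, 45.0, 1),
    Backend("us-east", True, 2, 110.0, 1),
]

if __name__ == "__main__":
    print(names(POOL))                     # only the fastest primary
    print(names(POOL, sensitivity_ms=30))  # both primaries fall in range
    POOL[0].healthy = POOL[1].healthy = False
    print(names(POOL), pick(POOL).name)    # failover to the standby
```

When reviewing a configuration, check that the standby tier can carry full load: a failed probe on every primary moves all traffic there at once.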
Azure Front Door’s web application firewall (WAF) capabilities protect web applications from exploits and vulnerabilities. App security management can be quite challenging as web applications are oftentimes targeted.
It runs at the network’s edge, where it is close to potential attacks to prevent them from getting into the network. The firewall is based on policies that can be associated with multiple instances of Azure Front Door. These firewall policies consist of:
- Managed rule sets, a collection of pre-configured rules
- Custom rules that can be added
A rule consists of:
- A condition to determine whether a rule applies to traffic
- A priority to determine the order of the rules being processed
- An action such as Allow, Block, Log, or Redirect
- A mode out of the following two:
  - Detection: WAF only monitors and logs without any other action
  - Prevention: WAF takes the defined action
Note: If present, custom rules are processed first.
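How rule order and mode interact, as an added example (a simplified model written for this article, not Azure's code). It assumes that a lower priority number is processed first and that a Log match keeps evaluating; the rule names, IP ranges and requests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    priority: int                      # lower number is processed first (assumption)
    condition: Callable[[dict], bool]  # does the rule apply to this request?
    action: str                        # "Allow", "Block", "Log" or "Redirect"
    custom: bool = False               # False = rule from a managed rule set

def evaluate(request, rules, mode):
    """Return (verdict, matches); mode is 'Detection' or 'Prevention'."""
    matches = []
    # Custom rules are processed before managed ones, each group in priority order.
    for rule in sorted(rules, key=lambda r: (not r.custom, r.priority)):
        if not rule.condition(request):
            continue
        matches.append((rule.name, rule.action))
        if rule.action == "Log":
            continue                   # assumption: Log records and keeps evaluating
        if mode == "Prevention":
            return rule.action, matches
        return "Allow", matches        # Detection: logged only, request passes
    return "Allow", matches

# Constructed policy and requests (documentation IP ranges, hypothetical rule names).
PARTNERS = ipaddress.ip_network("203.0.113.0/24")
POLICY = [
    Rule("allow-partner-range", 10,
         lambda r: ipaddress.ip_address(r["ip"]) in PARTNERS, "Allow", custom=True),
    Rule("log-missing-user-agent", 20, lambda r: not r.get("ua"), "Log", custom=True),
    Rule("managed-sqli", 100,
         lambda r: "union select" in r["query"].lower(), "Block"),
]
OUTSIDE = {"ip": "198.51.100.7", "ua": "", "query": "id=1 UNION SELECT 1"}
PARTNER = {"ip": "203.0.113.5", "ua": "", "query": "id=1 UNION SELECT 1"}

if __name__ == "__main__":
    for mode in ("Detection", "Prevention"):
        for req in (OUTSIDE, PARTNER):
            print(mode, req["ip"], evaluate(req, POLICY, mode))
```

The partner request never reaches the managed rule because the custom Allow rule ends evaluation first, so broad custom Allow rules deserve the same review as Block rules.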
When Is Azure Front Door Used?
The following Azure Front Door stock-keeping units (SKUs) are available:
- Azure Front Door Standard: Content-delivery optimized
- Azure Front Door Premium: Security optimized
The decision depends on whether the other features offered by Azure Front Door Standard and Azure Front Door Premium are required.
| Criteria | Analysis |
| --- | --- |
| Scalability | Enterprises that host scalable content will benefit more from using Azure Front Door. |
| Pricing | Review the pricing considerations based on monthly charges, hourly billing, or extra charges for custom rules. |
| Content Delivery | Azure Front Door Standard is a good choice when it comes to content optimization without extensive security capabilities. |
| Security | Azure Front Door Premium is the better option for enhanced security requirements. |
To decide which product meets the requirements, review the following criteria and product recommendations.
Scalability
If there are no requirements for hosting global, scalable web applications, an enterprise may not benefit from Azure Front Door. However, if the enterprise builds, operates, and scales out dynamic web applications and static content, it could make use of the Azure Front Door SKUs.
Consider Azure Front Door when:
- Defining, managing, and monitoring the global routing of web traffic
- Optimizing for top-tier, end-user performance and reliability through quick global failover
Pricing
Azure Front Door pricing is based on the inbound and outbound data transfers and routing rules. The pricing for Azure Web Application Firewall and Azure Content Delivery Network includes:
- A monthly charge per policy
- Other charges for custom rules and managed rule sets
Billing is based on the following criteria:
- A fixed base fee calculated on an hourly basis
- Inbound data transfers
- Outbound data transfers
- Requests incoming from clients to Azure Front Door points of presence
Content Delivery
Azure Front Door Standard can be considered if we want to:
- Optimize content delivery
- Provide for the acceleration of both static and dynamic content
- Make use of basic security capabilities
- Support global load balancing
- Use domain and certificate management
- Use SSL offload
- Benefit from enhanced traffic analytics
Security
Azure Front Door Premium is more suitable when we need the Standard features along with:
- Extensive security capabilities across WAF
- Bot protection
- Integration with Microsoft Threat Intelligence and security analytics
- Private link support
Conclusion
One of the primary benefits of using Azure Front Door is taking advantage of Microsoft’s dedicated private global network—from the Edge point of presence (PoP) to the application. The traffic goes over this network providing much higher network reliability. Even if an application is not hosted on Azure, it is still routed to the nearest point. This results in a dedicated network for end-users boosting network reliability and performance.