Azure Front Door

This diagram illustrates how different business requirements map to Azure Front Door features. Performance requirements drive the need for CDN, acceleration, and optimization features. Security requirements are addressed through WAF, SSL termination, and DDoS protection. Availability requirements are met through health monitoring, failover capabilities, and multi-region support. Scalability requirements are handled through auto-scaling, load balancing, and intelligent traffic routing.

This architecture diagram shows the complete Azure Front Door solution structure. Users connect to the nearest Point of Presence (PoP) for optimal performance. The Front Door service routes traffic through security layers including WAF, SSL termination, and DDoS protection before reaching backend pools distributed across multiple Azure regions. This design ensures high availability, security, and performance through geographic distribution and redundancy.

This sequence diagram illustrates the typical request flow through Azure Front Door. When a user makes a request, it's routed to the nearest edge location, then through Front Door's security layers including WAF inspection. The system checks backend health before routing to the optimal backend. Responses are cached at the edge for subsequent requests, significantly improving performance for future users.

This diagram shows how Azure Front Door handles backend failures. When the health monitor detects an unhealthy primary backend, traffic is automatically routed to healthy secondary backends. The system continuously monitors backend health and automatically restores traffic to the primary backend once it recovers, ensuring high availability with minimal user impact.

This diagram demonstrates how Azure Front Door implements intelligent geographic load balancing. Users are automatically routed to the nearest healthy backend based on both geographic proximity and real-time performance metrics. This approach minimizes latency while ensuring optimal resource utilization across all regions.

This sequence shows how Azure Front Door handles SSL termination at the edge. The TLS handshake occurs between the client and the edge location, reducing latency and offloading encryption overhead from backend servers. The edge location decrypts incoming requests and can communicate with backends using either HTTP or HTTPS, providing flexibility in backend configuration while maintaining security.

This flowchart illustrates how Azure Front Door's Web Application Firewall processes incoming requests. Each request undergoes security analysis using OWASP rules and custom policies. Clean requests proceed to backends, while malicious requests are blocked. Suspicious requests may trigger rate limiting. All security events are logged to Azure Monitor for analysis and alerting, providing comprehensive protection and visibility.

This comprehensive diagram shows the exact order and dependencies for Azure Front Door implementation. Each phase builds upon the previous ones:

• Phase 1 (Foundation): Establishes authentication, subscription context, resource group, and Front Door profile
• Phase 2 (Structure): Creates endpoint and origin groups that will contain the backends
• Phase 3 (Backends): Adds actual backend servers to the origin groups with priority settings
• Phase 4 (Routing): Configures how traffic flows from endpoint to backends with custom domains and route patterns
• Phase 5 (Security): Implements WAF protection with multiple rule types and associates with endpoints
• Phase 6 (Performance): Sets up caching rules and associates them with routes
• Phase 7 (Monitoring): Enables logging and alerting for operational visibility
• Phase 8 (Validation): Tests the complete configuration to ensure proper functionality

The arrows show strict dependencies - commands must be executed in this order for successful deployment. Key command parameters are included to show exactly what each step configures.

This diagram outlines the systematic approach to implementing Azure Front Door. The implementation is divided into six distinct phases, each with specific activities. Phase 1 focuses on planning and design, Phase 2 on resource creation, Phase 3 on core configuration, Phase 4 on security implementation, Phase 5 on testing and validation, and Phase 6 on deployment and ongoing monitoring. This structured approach ensures nothing is overlooked and provides clear milestones.

• az login - Authenticates your session with Azure using browser-based login
• --subscription - Specifies which Azure subscription to use for subsequent commands

• --name - Name of the resource group (using naming convention: rg-service-environment)
• --location - Azure region where metadata will be stored (doesn't affect Front Door global distribution)
• --tags - Key-value pairs for resource organization and cost tracking

• --profile-name - Unique name for the Front Door profile
• --resource-group - Resource group to contain the Front Door profile
• --sku - Service tier: Standard_AzureFrontDoor (basic features) or Premium_AzureFrontDoor (advanced security)
• --tags - Metadata tags for resource management and billing

• --endpoint-name - Unique name for the endpoint (becomes part of the FQDN)
• --profile-name - Front Door profile to create the endpoint in
• --resource-group - Resource group containing the Front Door profile
• --location - "Global" indicates this is a globally distributed endpoint
• --tags - Resource tags for organization

• --origin-group-name - Logical group name for related backend origins
• --probe-request-type - HTTP method for health checks (HEAD is lightweight)
• --probe-protocol - Protocol for health probes (Https/Http)
• --probe-interval-in-seconds - How often to check backend health (120 seconds)
• --probe-path - Endpoint path to test for health status
• --sample-size - Number of health probe samples to evaluate
• --successful-samples-required - Minimum successful probes to consider backend healthy
• --additional-latency-in-milliseconds - Acceptable latency threshold for routing decisions

• --origin-name - Unique name for this specific backend origin
• --origin-group-name - Origin group this backend belongs to
• --host-name - FQDN of the backend server
• --origin-host-header - Host header sent to backend (often same as host-name)
• --http-port - Port for HTTP traffic to backend (typically 80)
• --https-port - Port for HTTPS traffic to backend (typically 443)
• --priority - Priority for traffic routing (1 = highest priority)
• --weight - Load balancing weight (higher = more traffic)
• --enabled-state - Whether this origin is active (Enabled/Disabled)

This creates a secondary origin group with identical health probe settings to the primary group. This ensures consistent health monitoring across all backend pools for reliable failover behavior.

• --priority - Set to 2 (lower priority than primary) for failover scenarios
• --host-name - Points to West Europe App Service instance
• Other parameters identical to primary origin for consistency

• --custom-domain-name - Internal name for the custom domain configuration
• --host-name - Your actual domain name (requires DNS CNAME pointing to Front Door)
• --certificate-type - "ManagedCertificate" (Azure manages SSL) or "CustomerCertificate" (bring your own)

• --route-name - Unique name for this routing rule
• --origin-group - Which backend pool to route traffic to
• --supported-protocols - Protocols accepted from clients (Http, Https, or both)
• --patterns-to-match - URL patterns this route handles ("/*" = all paths)
• --forwarding-protocol - Protocol used to backend (HttpsOnly, HttpOnly, or MatchRequest)
• --link-to-default-domain - Whether route applies to the default .azurefd.net domain
• --https-redirect - Automatically redirect HTTP requests to HTTPS

• --patterns-to-match - "/api/*" targets only API endpoints
• --supported-protocols - "Https" only for API security
• --query-string-caching-behavior - "IgnoreQueryString" ensures API responses aren't cached inappropriately

• --patterns-to-match - Multiple patterns separated by commas for static assets
• --query-string-caching-behavior - "IgnoreQueryString" optimizes caching for static content
• This route is optimized for static assets that benefit from aggressive caching

• --name - Unique name for the WAF policy
• --sku - Must match Front Door SKU (Standard or Premium)
• --disabled - false = policy is active, true = policy is disabled
• --mode - "Prevention" blocks attacks, "Detection" only logs them

• --type - "Microsoft_DefaultRuleSet" provides OWASP Core Rule Set protection
• --version - Rule set version (2.1 is current stable version)
• --action - Default action when rules are triggered (Block, Log, Allow)

• --type - "Microsoft_BotManagerRuleSet" detects and blocks malicious bots
• --version - "1.0" is the current bot protection version
• --action - "Block" prevents malicious bot traffic from reaching backends

• --priority - Rule execution order (lower numbers execute first)
• --rule-type - "RateLimitRule" for traffic throttling, "MatchRule" for pattern matching
• --rate-limit-duration-in-minutes - Time window for rate calculation (1 minute)
• --rate-limit-threshold - Maximum requests allowed per time window (100)

• --match-variable - "RemoteAddr" applies rate limit per client IP
• --operator - "IPMatch" for IP-based matching
• --match-values - "0.0.0.0/0" applies to all IP addresses

• --name - "GeoBlockRule" descriptive name for geographic filtering
• --priority - 200 (executes after rate limiting rule)
• --rule-type - "MatchRule" for pattern-based blocking

• --operator - "GeoMatch" for country-based filtering
• --match-values - ISO country codes to match (CN=China, RU=Russia)
• --negate - true means block these countries, false means allow only these countries

• --security-policy-name - Name for the security policy association
• --domains - Front Door domains to apply the WAF policy to
• --waf-policy - Full resource ID of the WAF policy to associate

• --rule-set-name - Container for grouping related routing and caching rules
• Rule sets allow you to apply multiple rules to routes in an organized manner

• --order - Rule execution priority within the rule set (1 = highest)
• --match-processing-behavior - "Continue" = process other rules, "Stop" = stop after this rule
• cacheBehavior - "Override" replaces backend cache headers, "SetIfMissing" only sets if not present
• cacheType - "All" caches everything, "Query" includes query strings in cache key
• cacheDuration - Cache time in format "days.hours:minutes:seconds" (1 day here)
• operator - "Equal" for exact match, "Contains" for partial match
• transforms - "Lowercase" normalizes file extensions for consistent matching

• --order - Set to 2 (executes after static content rule)
• cacheBehavior - "BypassCache" prevents caching of API responses
• operator - "BeginsWith" matches URLs starting with specified pattern
• matchValues - ["/api/"] targets all API endpoints
• This ensures dynamic API content is never cached

• --rule-sets - Applies the "CachingRules" rule set to the main route
• This enables the caching behavior for all traffic matching the main route
• Multiple rule sets can be applied by separating names with commas

• --resource - Full resource ID of the Front Door profile to monitor
• FrontDoorAccessLog - Logs all requests processed by Front Door
• FrontDoorHealthProbeLog - Logs backend health probe results
• retentionPolicy.days - How long to keep logs (30 days for compliance)
• AllMetrics - Captures performance metrics like latency, request count, error rates
• --storage-account - Where to store the diagnostic data

• --condition - "avg OriginHealthPercentage < 50" triggers when less than 50% of backends are healthy
• --evaluation-frequency - How often to check the condition (every 1 minute)
• --window-size - Time window for metric aggregation (5 minutes)
• --severity - Alert severity: 0=Critical, 1=Error, 2=Warning, 3=Informational, 4=Verbose
• --action-groups - Defines who gets notified and how (email, SMS, webhook, etc.)

• --condition - "avg Percentage4XX > 10" alerts when 4XX errors exceed 10% of total requests
• --severity - Set to 3 (Informational) as 4XX errors may indicate client issues, not system failures
• Percentage4XX metric tracks client errors (400-499 HTTP status codes)
• This helps identify potential application issues or malicious traffic patterns

• curl -I - Sends HTTP HEAD request to test connectivity without downloading content
• Returns HTTP headers including status code, server information, and caching headers
• Useful for verifying Front Door is responding and SSL certificates are valid

• --query - JMESPath query to extract specific information (policy mode)
• Returns "Prevention" or "Detection" to confirm WAF operational mode
• Helps verify WAF is actively protecting (Prevention) vs. just logging (Detection)

• --output table - Formats output in readable table format
• Shows all configured routes, their patterns, and associated origin groups
• Useful for verifying routing configuration and troubleshooting traffic flow issues

• --query "enabledState" - Returns "Enabled" or "Disabled" status
• Verifies whether the origin is actively receiving traffic
• Helps troubleshoot routing issues and failover scenarios

• --enabled-state "Disabled" - Temporarily disables the primary origin
• Forces traffic to failover to secondary origins for testing
• Should be followed by testing to verify failover behavior
• Important: Remember to re-enable after testing!

• --enabled-state "Enabled" - Restores the primary origin to service
• Traffic will gradually shift back to primary origin based on health probe results
• Monitor metrics to ensure smooth traffic restoration

• --content-paths - Specifies which cached content to purge ("/*" = all content)
• Forces fresh content fetch from origins on next request
• Useful for testing content updates and caching behavior
• Can specify specific paths like "/images/*" for targeted purging

This diagram illustrates the comprehensive security architecture for Azure Front Door. Multiple security layers work together to provide defense in depth. DDoS protection is automatically included, while WAF provides application-layer protection using multiple rule sets. SSL/TLS termination ensures encrypted communications with flexible certificate management options. IP filtering, rate limiting, and geo-filtering provide additional controls. All security events are monitored and can trigger automated responses through integration with Azure Security Center and Sentinel.

• --sku "Premium_AzureFrontDoor" - Required for advanced security features
• --request-body-check "Enabled" - Inspects POST/PUT request bodies for threats
• --request-body-limit 128 - Maximum request body size to inspect (KB)
• Premium SKU provides additional protection against sophisticated attacks

• --exclusions - Defines what to exclude from WAF inspection
• matchVariable - "RequestHeaderNames" excludes specific headers from inspection
• selectorMatchOperator - "Equals" for exact match, "Contains" for partial
• selector - "User-Agent" header excluded (prevents false positives from legitimate user agents)

• --priority 10 - Very low priority number (executes first)
• --action "Allow" - Explicitly allows traffic from trusted IPs
• Allowlist rules should have highest priority to bypass other restrictions

• --match-values - CIDR blocks for trusted IP ranges
• "203.0.113.0/24" - Example trusted corporate network range
• "198.51.100.0/24" - Example partner network range
• Multiple IP ranges separated by commas for comprehensive allowlisting