🔐 Azure Front Door SSL Configuration

Complete Guide to SSL Termination and End-to-End SSL Encryption with Detailed Configuration Examples

📚 SSL Concepts Overview

🔐 SSL Termination

SSL termination means that Azure Front Door decrypts incoming HTTPS traffic from clients, processes the request, and then forwards it to the backend origin. The connection between Front Door and the backend can be either HTTP (unencrypted) or HTTPS (encrypted).

Benefits: Reduced backend CPU load, centralized certificate management, ability to inspect and modify traffic, better performance through connection reuse.

🔗 End-to-End SSL Encryption

End-to-end SSL ensures that traffic remains encrypted throughout the entire path from the client to the backend origin. Azure Front Door terminates the client SSL connection and establishes a new SSL connection to the backend.

Benefits: Maximum security, compliance with strict security requirements, protection against man-in-the-middle attacks, encrypted data in transit at all points.

🔄 SSL Traffic Flow

1. Client Request

HTTPS request from client to Front Door

2. SSL Termination

Front Door decrypts with its certificate

3. Processing

WAF, routing, caching decisions

4. Backend Connection

HTTP or HTTPS to origin server

Aspect                 | SSL Termination Only                       | End-to-End SSL
Security Level         | Good: encrypted from client to Front Door  | Excellent: encrypted throughout the entire path
Performance            | Better: less encryption overhead           | Good: additional SSL handshake to the backend
Backend Requirements   | HTTP server sufficient                     | HTTPS server with valid certificate required
Compliance             | Suitable for most scenarios                | Required for high-security/regulated environments
Certificate Management | Only the Front Door certificate needed     | Both Front Door and backend certificates needed

⚙️ SSL Termination Configuration

Creating Azure Front Door Profile

az afd profile create \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --sku Standard_AzureFrontDoor

📝 Configuration Explanation

This command creates a new Azure Front Door profile, which serves as the top-level container for all Front Door resources. The profile defines the pricing tier and regional deployment model for your Front Door instance.

🔧 Parameter Details
  • --profile-name: Unique name for your Front Door profile (3-63 characters, alphanumeric and hyphens only)
  • --resource-group: Azure resource group where the profile will be created
  • --sku: Pricing tier options:
    • Standard_AzureFrontDoor - Basic features, lower cost
    • Premium_AzureFrontDoor - Advanced security, Private Link support

Creating Endpoint with Custom Domain

az afd endpoint create \
    --endpoint-name "myEndpoint" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --enabled-state Enabled

📝 Configuration Explanation

This creates an endpoint within your Front Door profile. An endpoint represents a logical grouping of domains and their associated configuration. Each endpoint gets a unique hostname in the format: [endpoint-name]-[hash].z01.azurefd.net

🔧 Parameter Details
  • --endpoint-name: Name for your endpoint (must be globally unique across Azure)
  • --enabled-state: Status options:
    • Enabled - Endpoint is active and receiving traffic
    • Disabled - Endpoint is inactive

Adding Custom Domain

az afd custom-domain create \
    --custom-domain-name "myCustomDomain" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --host-name "www.example.com" \
    --certificate-type ManagedCertificate \
    --minimum-tls-version TLS12

📝 Configuration Explanation

This command adds a custom domain to your Front Door profile and configures SSL termination. Azure Front Door will automatically provision and manage SSL certificates for your domain using its integration with certificate authorities.

🔧 Parameter Details
  • --host-name: Your custom domain name (must be validated via DNS)
  • --certificate-type: Certificate management options:
    • ManagedCertificate - Azure manages certificate lifecycle
    • CustomerCertificate - You provide and manage your own certificate
  • --minimum-tls-version: Minimum TLS version required:
    • TLS10 - Supports TLS 1.0 and above (legacy)
    • TLS12 - Requires TLS 1.2 and above (recommended)

⚠️ Domain Validation Required

After creating the custom domain, you must validate ownership by adding a TXT record to your DNS. Azure will provide the specific TXT record values to add.

Creating Origin Group and Origin

az afd origin-group create \
    --origin-group-name "myOriginGroup" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --probe-request-type GET \
    --probe-protocol Http \
    --probe-interval-in-seconds 30 \
    --probe-path "/" \
    --sample-size 4 \
    --successful-samples-required 3 \
    --additional-latency-in-milliseconds 50

📝 Configuration Explanation

An origin group contains one or more backend origins and defines how health probes are conducted. This configuration sets up health monitoring to ensure traffic is only sent to healthy backends.

🔧 Parameter Details
  • --probe-request-type: HTTP method for health checks:
    • GET - Standard HTTP GET request
    • HEAD - HTTP HEAD request (headers only)
  • --probe-protocol: Protocol for health probes:
    • Http - Unencrypted health checks
    • Https - Encrypted health checks
  • --probe-interval-in-seconds: Time between health checks (10-255 seconds)
  • --sample-size: Number of health probe samples to evaluate (1-255)
  • --successful-samples-required: Minimum successful probes to mark as healthy (1-255)
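The probe settings above decide how quickly an unhealthy origin leaves rotation and how quickly it returns. The following simulation is an added example, not Microsoft's code: it models the page's values (--sample-size 4, --successful-samples-required 3, --probe-interval-in-seconds 30) as a sliding window over the most recent probe results. That window model, and the rule that only a 2xx response counts as a successful probe, are assumptions about Front Door's behaviour rather than something this page documents.

```python
"""Simulate Azure Front Door origin health-probe evaluation (added example)."""
from collections import deque
from typing import Deque, Iterable, List, Optional


class OriginHealthMonitor:
    """Tracks the last `sample_size` probe results for one origin (assumed model)."""

    def __init__(self, sample_size: int = 4, successful_samples_required: int = 3,
                 probe_interval_s: int = 30) -> None:
        # Ranges mirror the CLI limits described on the page (1-255 samples, 10-255 s).
        if not 1 <= sample_size <= 255:
            raise ValueError("sample_size must be 1-255")
        if not 1 <= successful_samples_required <= sample_size:
            raise ValueError("successful_samples_required must be 1..sample_size")
        if not 10 <= probe_interval_s <= 255:
            raise ValueError("probe_interval_s must be 10-255")
        self.sample_size = sample_size
        self.required = successful_samples_required
        self.interval = probe_interval_s
        self._window: Deque[bool] = deque(maxlen=sample_size)

    def record(self, status: Optional[int]) -> bool:
        """Record one probe result (None = no response / connection failure)."""
        ok = status is not None and 200 <= status <= 299  # assumption: only 2xx is a success
        self._window.append(ok)
        return self.is_healthy()

    def is_healthy(self) -> bool:
        # Healthy once at least `required` of the samples in the window succeeded;
        # an origin that has not yet produced that many successes is not used.
        return sum(self._window) >= self.required


def probes_to_mark_unhealthy(sample_size: int, required: int) -> int:
    """Consecutive failed probes needed to take a fully healthy origin out of rotation."""
    return sample_size - required + 1


def probes_to_mark_healthy(required: int) -> int:
    """Consecutive successful probes needed to bring a fully failed origin back."""
    return required


def simulate(statuses: Iterable[Optional[int]], **settings) -> List[bool]:
    """Feed a sequence of probe responses through a monitor; return health after each."""
    monitor = OriginHealthMonitor(**settings)
    return [monitor.record(s) for s in statuses]


if __name__ == "__main__":
    # Constructed probe trace: origin is fine, starts returning 503, then recovers.
    trace = [200, 200, 200, 200, 503, 503, 503, 503, 200, 200, 200]
    print(simulate(trace))
    m = OriginHealthMonitor()
    print(f"failover after {probes_to_mark_unhealthy(4, 3) * m.interval}s of failures, "
          f"recovery after {probes_to_mark_healthy(3) * m.interval}s of successes")
```

With the page's values an origin is pulled after two consecutive failed probes (about 60 seconds) but needs three consecutive successes (about 90 seconds) to come back, so tightening --successful-samples-required slows recovery while loosening it slows failover.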

az afd origin create \
    --origin-group-name "myOriginGroup" \
    --origin-name "myOrigin" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --host-name "backend.example.com" \
    --origin-host-header "backend.example.com" \
    --http-port 80 \
    --https-port 443 \
    --weight 100 \
    --priority 1 \
    --enabled-state Enabled

📝 Configuration Explanation

This creates a backend origin server within the origin group. The origin represents your actual web server or application that will serve the content. For SSL termination, we specify both HTTP and HTTPS ports, allowing Front Door to communicate with the backend over either protocol.

🔧 Parameter Details
  • --host-name: Backend server hostname or IP address
  • --origin-host-header: Host header sent to backend (usually same as hostname)
  • --http-port: Port for HTTP traffic (typically 80)
  • --https-port: Port for HTTPS traffic (typically 443)
  • --weight: Traffic distribution weight (1-1000, higher = more traffic)
  • --priority: Failover priority (1-5, lower = higher priority)
  • --enabled-state: Origin status (Enabled/Disabled)

Creating Route with SSL Termination

az afd route create \
    --route-name "myRoute" \
    --endpoint-name "myEndpoint" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --origin-group "myOriginGroup" \
    --supported-protocols Http Https \
    --patterns-to-match "/*" \
    --forwarding-protocol HttpOnly \
    --link-to-default-domain Enabled \
    --https-redirect Enabled

📝 Configuration Explanation

This route configuration enables SSL termination by accepting HTTPS traffic from clients but forwarding only HTTP traffic to the backend. The --forwarding-protocol HttpOnly parameter ensures that after SSL termination at Front Door, traffic to the backend is unencrypted.

🔧 Parameter Details
  • --supported-protocols: Protocols accepted from clients:
    • Http - Accept HTTP traffic only
    • Https - Accept HTTPS traffic only
    • Http Https - Accept both protocols
  • --patterns-to-match: URL patterns this route handles (/* for all paths)
  • --forwarding-protocol: Protocol used to backend:
    • HttpOnly - Always use HTTP to backend (SSL termination)
    • HttpsOnly - Always use HTTPS to backend (end-to-end SSL)
    • MatchRequest - Use same protocol as client request
  • --https-redirect: Redirect HTTP to HTTPS (Enabled/Disabled)

✅ SSL Termination Complete

With this configuration, Azure Front Door will terminate SSL connections from clients and forward unencrypted HTTP traffic to your backend servers, reducing their computational load while maintaining security for client connections.

🔗 End-to-End SSL Configuration

🛡️ End-to-End SSL Benefits

End-to-end SSL encryption ensures maximum security by maintaining encrypted connections throughout the entire request path. This is essential for sensitive data, compliance requirements, and zero-trust security models.

Updating Route for End-to-End SSL

az afd route update \
    --route-name "myRoute" \
    --endpoint-name "myEndpoint" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --forwarding-protocol HttpsOnly \
    --supported-protocols Https

📝 Configuration Explanation

This updates the existing route to implement end-to-end SSL encryption. By setting --forwarding-protocol HttpsOnly, Front Door will establish encrypted HTTPS connections to the backend servers after terminating the client SSL connection.

🔧 Parameter Details
  • --forwarding-protocol HttpsOnly: Forces HTTPS communication to backend servers, ensuring end-to-end encryption
  • --supported-protocols Https: Only accepts HTTPS traffic from clients (can also use "Http Https" if you want to accept both and redirect HTTP to HTTPS)

Configuring Backend SSL Settings

az afd origin update \
    --origin-group-name "myOriginGroup" \
    --origin-name "myOrigin" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --host-name "backend.example.com" \
    --origin-host-header "backend.example.com" \
    --enforce-certificate-name-check true \
    --enabled-state Enabled

📝 Configuration Explanation

This configuration ensures that the backend origin is properly set up for HTTPS connections. The --enforce-certificate-name-check parameter enables certificate validation, ensuring that the backend server's SSL certificate is valid and trusted and that its name matches the host header Front Door sends to the origin.

🔧 Parameter Details
  • --enforce-certificate-name-check: SSL certificate validation options:
    • true - Validate the backend SSL certificate name (recommended for production)
    • false - Skip certificate name validation (only for testing/development)
  • --origin-host-header: Must match the backend server's SSL certificate Common Name or SAN

⚠️ Backend SSL Certificate Requirements

For end-to-end SSL to work properly, your backend servers must have valid SSL certificates. The certificate's Common Name or Subject Alternative Name must match the origin-host-header value.

Advanced SSL Configuration with Custom Certificate

# First, import your custom certificate to Azure Key Vault
az keyvault certificate import \
    --vault-name "myKeyVault" \
    --name "myCustomCert" \
    --file "/path/to/certificate.pfx" \
    --password "certificatePassword"

📝 Configuration Explanation

This command imports a custom SSL certificate into Azure Key Vault. Using custom certificates gives you full control over certificate management, including extended validation (EV) certificates, specific certificate authorities, or certificates with custom extensions.

🔧 Parameter Details
  • --vault-name: Azure Key Vault instance name
  • --name: Certificate name within Key Vault
  • --file: Path to certificate file (.pfx or .p12 format)
  • --password: Certificate file password (if encrypted)

# Then register the Key Vault certificate as a Front Door secret
az afd secret create \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --secret-name "myCustomCert" \
    --secret-source "/subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/myKeyVault/secrets/myCustomCert" \
    --use-latest-version true

# Finally, bind the custom domain to that secret
az afd custom-domain update \
    --custom-domain-name "myCustomDomain" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --certificate-type CustomerCertificate \
    --secret "myCustomCert"

📝 Configuration Explanation

This registers the imported Key Vault certificate as a Front Door secret and then updates your custom domain to use it instead of an Azure-managed certificate. This approach provides more control over certificate properties and is required for certain compliance scenarios.

🔧 Parameter Details
  • --certificate-type CustomerCertificate: Indicates you're providing your own certificate
  • --secret-source: Full resource ID of the certificate's secret in Key Vault
  • --use-latest-version: Track the newest certificate version so renewals in Key Vault are picked up; pin a specific version with --secret-version instead if required
  • --secret-name: Name of the Front Door secret that wraps the Key Vault certificate
  • --secret: Name of the Front Door secret to bind to the custom domain

SSL Security Rules Configuration

az afd security-policy create \
    --security-policy-name "mySSLSecurityPolicy" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --domains "/subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.Cdn/profiles/myFrontDoorProfile/customDomains/myCustomDomain" \
    --waf-policy "/subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/myWAFPolicy"

📝 Configuration Explanation

This creates a security policy that binds a Web Application Firewall (WAF) policy to your SSL-enabled custom domain. Because Front Door has already terminated TLS, the WAF inspects the decrypted requests and can block common web attacks before they reach the origin.

🔧 Parameter Details
  • --domains: Full resource ID of domains to protect
  • --waf-policy: Resource ID of the WAF policy to apply

✅ End-to-End SSL Complete

Your Azure Front Door is now configured for end-to-end SSL encryption. Traffic is encrypted from client to Front Door, and from Front Door to your backend servers, providing maximum security.

📊 SSL Monitoring and Troubleshooting

Certificate Monitoring

az afd custom-domain show \
    --custom-domain-name "myCustomDomain" \
    --profile-name "myFrontDoorProfile" \
    --resource-group "myResourceGroup" \
    --query '{name:name, validationState:domainValidationState, certificateType:tlsSettings.certificateType, minimumTlsVersion:tlsSettings.minimumTlsVersion}' \
    --output table

📝 Configuration Explanation

This command retrieves the current SSL certificate status for your custom domain. It shows certificate type, validation state, and TLS version settings, helping you monitor certificate health and configuration.

SSL Health Diagnostics

az monitor metrics list \
    --resource "/subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.Cdn/profiles/myFrontDoorProfile" \
    --metric "OriginHealthPercentage" "OriginRequestCount" \
    --interval PT1H \
    --start-time "2024-01-01T00:00:00Z" \
    --end-time "2024-01-02T00:00:00Z" \
    --output table

📝 Configuration Explanation

This retrieves Azure Monitor metrics for the Front Door profile about origin health and request patterns, which can help identify SSL-related connectivity issues between Front Door and your backend servers.

🔧 Parameter Details
  • --resource: Full resource ID of the Front Door profile
  • --metric: Metric names to retrieve (space-separated); useful ones include:
    • OriginHealthPercentage - Backend server health percentage
    • OriginRequestCount - Number of requests to backends
    • RequestCount - Total requests to Front Door
    • ResponseSize - Response payload sizes
  • --interval: Aggregation granularity options:
    • PT1M - 1 minute intervals
    • PT1H - 1 hour intervals
    • P1D - 1 day intervals

🔍 Common SSL Issues

  • Certificate Name Mismatch: Ensure origin-host-header matches backend certificate CN/SAN
  • Self-Signed Certificates: Disable certificate validation for testing only
  • Expired Certificates: Monitor certificate expiration dates
  • TLS Version Conflicts: Ensure backend supports required TLS versions

✅ Best Practices Summary

  • Use Managed Certificates: Let Azure handle certificate lifecycle
  • Enable HTTPS Redirect: Force secure connections
  • Set Minimum TLS 1.2: Disable older, insecure protocols
  • Monitor Certificate Health: Set up alerts for expiration
  • Test End-to-End: Verify SSL works from client to backend
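The common issues and best practices above can be checked mechanically against the settings exported from the CLI. The script below is an added example, not Microsoft's code: it takes the dictionaries you would get from `az afd custom-domain show`, `az afd route show` and `az afd origin show` with `-o json`, plus the backend certificate's SAN list, and reports which of this guide's rules are violated. The sample data is constructed, and the property names it reads (forwardingProtocol, supportedProtocols, httpsRedirect, enforceCertificateNameCheck, tlsSettings.minimumTlsVersion, domainValidationState) are assumed from the ARM resource schema rather than taken from this page.

```python
"""Offline audit of Front Door SSL settings against this guide's checks (added example)."""
from typing import Dict, List


def hostname_matches_san(host: str, sans: List[str]) -> bool:
    """Exact or single-label wildcard match, the way a TLS client checks the origin cert."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                                   # "*.example.com" -> ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:                     # wildcard covers exactly one label
                return True
    return False


def audit(domain: Dict, route: Dict, origin: Dict, backend_sans: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    tls = domain.get("tlsSettings", {})
    if tls.get("minimumTlsVersion") != "TLS12":
        findings.append(f"domain {domain['hostName']}: minimum TLS is "
                        f"{tls.get('minimumTlsVersion')}, set TLS12")
    if domain.get("domainValidationState") != "Approved":
        findings.append(f"domain {domain['hostName']}: validation state is "
                        f"{domain.get('domainValidationState')}")
    supported = route.get("supportedProtocols", [])
    if "Http" in supported and route.get("httpsRedirect") != "Enabled":
        findings.append(f"route {route['name']}: accepts HTTP without redirecting to HTTPS")
    if route.get("forwardingProtocol") == "HttpOnly":
        findings.append(f"route {route['name']}: forwards plaintext HTTP to the origin "
                        "(SSL termination only, not end-to-end)")
    else:
        # End-to-end: Front Door is the TLS client, so the origin certificate
        # must be checked and its name must match the host header sent to it.
        if not origin.get("enforceCertificateNameCheck", False):
            findings.append(f"origin {origin['hostName']}: certificate name check disabled")
        expected = origin.get("originHostHeader") or origin["hostName"]
        if not hostname_matches_san(expected, backend_sans):
            findings.append(f"origin {origin['hostName']}: host header {expected!r} "
                            f"not in backend SANs {backend_sans}")
    return findings


# Constructed sample data: the termination-only setup from this guide ...
WEAK = dict(
    domain={"hostName": "www.example.com", "domainValidationState": "Pending",
            "tlsSettings": {"certificateType": "ManagedCertificate", "minimumTlsVersion": "TLS10"}},
    route={"name": "myRoute", "forwardingProtocol": "HttpOnly",
           "supportedProtocols": ["Http", "Https"], "httpsRedirect": "Disabled"},
    origin={"hostName": "backend.example.com", "originHostHeader": "backend.example.com",
            "enforceCertificateNameCheck": False},
    backend_sans=["*.internal.example.net"],
)
# ... and the end-to-end setup after the route and origin updates.
STRICT = dict(
    domain={"hostName": "www.example.com", "domainValidationState": "Approved",
            "tlsSettings": {"certificateType": "ManagedCertificate", "minimumTlsVersion": "TLS12"}},
    route={"name": "myRoute", "forwardingProtocol": "HttpsOnly",
           "supportedProtocols": ["Https"], "httpsRedirect": "Enabled"},
    origin={"hostName": "backend.example.com", "originHostHeader": "backend.example.com",
            "enforceCertificateNameCheck": True},
    backend_sans=["backend.example.com"],
)

if __name__ == "__main__":
    for label, cfg in (("termination-only", WEAK), ("end-to-end", STRICT)):
        print(label, audit(**cfg) or ["OK"])
```

The name check deliberately mirrors how a TLS client matches a certificate, so a wildcard SAN such as `*.example.com` covers `backend.example.com` but not `a.b.example.com` or the bare apex; that is exactly the mismatch that produces the "Certificate Name Mismatch" issue listed above when --origin-host-header is set to a name the backend certificate does not carry.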