Azure Front Door

Updated: Jun 10

Azure Front Door is a global service, which is typically used as an entry point for web applications. It’s well-suited for this task, as it operates at Layer 7 (HTTP/HTTPS-based) of the networking stack. However, calling it a load balancer would be underselling it. Azure Front Door uses the Microsoft Global Edge network to accept traffic from end users. You can associate a Web Application Firewall (WAF) with it to protect your applications from potential threats.

Azure Front Door uses anycast routing and goes beyond traditional CDN capabilities by adding advanced security capabilities, including prevention of Distributed Denial of Service (DDoS) attacks.

The core capabilities of Azure Front Door include

  • Application and API acceleration through the use of anycast, which will optimize the connectivity to Azure application services and reduce the latency for end users.

  • Global HTTP load balancing allows developers to build geo-distributed services and lets Azure determine endpoint availability and intelligent routing to local and available endpoints.

  • SSL offload relieves endpoints of performing expensive decryption computation and moves the function higher up in the stack.

  • WAF @Edge web application filtering provides protection against DDoS attacks or malicious users at the edge without impacting backend services.

Azure Front Door Standard and Premium contain several common features, including

  • Custom Domains

  • SSL Offload

  • Caching

  • Compression

  • Global load balancing

  • Layer 7 routing

  • URL Rewrite

  • Enhanced Metrics and diagnostics

  • Traffic Report

Azure Front Door Premium contains the following features in addition to the previous list

  • Private Origin (Private Link)

  • Web Application Firewall (WAF) support

  • Bot Protection

  • Security Report

Azure Front Door Routing Method

  • Latency: The latency-based routing ensures that requests are sent to the lowest latency backends acceptable within a sensitivity range. Basically, your user requests are sent to the "closest" set of backends with respect to network latency.

  • Priority: You can assign priorities to your backends when configuring a primary backend to service all traffic. The secondary backend can be a backup in case the primary backend becomes unavailable.

  • Weighted: You can assign weights to your backends when you want to distribute traffic across a set of backends evenly or according to the weight coefficients. Traffic is distributed as per weights if the latencies of the backends are within the acceptable latency sensitivity range in the backend pool.

  • Session Affinity: You can configure session affinity for your frontend hosts or domains to ensure requests from the same end user get sent to the same backend.
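The routing methods above can be read as successive filters on the backend pool. The following added example (not Microsoft's implementation and not code from the original page) is a simplified model of that selection: drop unavailable backends, keep the preferred priority tier, keep backends inside the latency sensitivity range, then split traffic by weight. The `Backend` class, the sample pool and the rule that a lower priority number is preferred are assumptions of the sketch.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Backend:
    name: str
    priority: int       # assumption: lower number = preferred tier
    weight: int         # relative share of traffic inside the tier
    latency_ms: float   # latency as measured from the edge
    healthy: bool = True

def candidates(backends, sensitivity_ms):
    """Availability, then priority, then latency sensitivity range."""
    up = [b for b in backends if b.healthy]
    if not up:
        return []
    top = min(b.priority for b in up)
    tier = [b for b in up if b.priority == top]
    fastest = min(b.latency_ms for b in tier)
    return [b for b in tier if b.latency_ms <= fastest + sensitivity_ms]

def pick(backends, sensitivity_ms, rng=random):
    """Weighted choice among the backends that survived the filters."""
    pool = candidates(backends, sensitivity_ms)
    if not pool:
        raise RuntimeError("no healthy backend available")
    return rng.choices(pool, weights=[b.weight for b in pool], k=1)[0]

# Constructed sample pool (names and numbers are illustrative only).
POOL = [
    Backend("westeurope", 1, 80, 20.0),
    Backend("northeurope", 1, 20, 45.0),
    Backend("eastus", 1, 50, 110.0),   # outside a 30 ms sensitivity range
    Backend("dr-site", 2, 100, 30.0),  # backup tier, used only on failover
]

def share(backends, sensitivity_ms, n=10000, seed=7):
    """Count how n simulated requests are spread across backends."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        name = pick(backends, sensitivity_ms, rng).name
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    print(share(POOL, sensitivity_ms=30))
```

With a sensitivity of 0 the model degenerates to pure latency routing, and marking every priority 1 backend unhealthy shows the backup tier taking over.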

Azure Front Door User Request Flow

[Figure: Azure Front Door user request flow]

Benefits of Azure Front Door

High-Performance Content Delivery

Azure Front Door leverages Microsoft's globally distributed network of Points of Presence (PoPs) to strategically cache static content closer to users. This geographically optimized approach minimizes latency by delivering content from the nearest PoP, resulting in significantly faster page load times. Additionally, HTTP/2 protocol support and TCP offloading further enhance performance by enabling efficient data transfer and reduced server load.

Layer 7 Load Balancing with Health Probes 

Azure Front Door employs intelligent layer 7 load balancing to distribute traffic across a pool of healthy backend servers. This ensures optimal resource utilization and prevents bottlenecks during traffic spikes. Furthermore, customizable health probes actively monitor the health of backend servers, automatically routing traffic away from unhealthy instances to maintain application uptime.

Multi-layered Security with WAF and DDoS Protection

Azure Front Door integrates seamlessly with Azure Web Application Firewall (WAF) to provide comprehensive protection against common web attacks like SQL injection, cross-site scripting (XSS), and Denial-of-Service (DoS) attacks. Additionally, Azure Front Door offers Layer 3-4 DDoS protection, mitigating large-scale volumetric attacks that overwhelm infrastructure. This multi-layered approach safeguards your web application from a wide range of security threats.

Advanced Features

Dynamic Site Acceleration (DSA)

Azure Front Door utilizes DSA to optimize the delivery of dynamic content. By intelligently caching frequently accessed dynamic content at the edge, DSA significantly reduces server load and improves response times for dynamic requests.

URL Path-Based Routing and Custom Affinity

Azure Front Door allows for granular control over traffic routing based on specific URL paths. This enables developers to optimize content delivery based on content type or application logic. Additionally, custom session affinity ensures users are directed to the same backend server throughout a session, maintaining the application state for a seamless user experience.

Integration with Azure Private Link

Azure Front Door integrates with Azure Private Link to establish secure private connections between your web application backend and Azure services without traversing the public internet. This enhances security by minimizing exposure to potential threats on the public network.

Comparison of Azure Front Door, Application Gateway, and Azure Load Balancer

[Figure: comparison chart of Azure Front Door, Application Gateway, and Azure Load Balancer]
