3.3 Azure Front Door
📘Microsoft Azure Networking Solutions (AZ-700)
1. Introduction to Azure Front Door
Azure Front Door is a global, Layer 7 (HTTP/HTTPS) load balancer. It is used to:
- Distribute user traffic across multiple backend applications worldwide
- Improve application performance
- Provide high availability
- Add security at the edge (WAF, TLS, DDoS integration)
- Route traffic based on URL, hostname, or path
It works at the Microsoft global edge network, meaning traffic enters Microsoft’s network as close to the user as possible.
For the AZ-700 exam, you must clearly understand:
- What is an endpoint?
- What is a route?
- What is an origin?
- What is an origin group?
- How traffic flows between them
2. Core Components You Must Know
Azure Front Door has four main configuration components:
- Endpoint
- Route
- Origin
- Origin Group
Let’s understand each in simple terms.
3. Endpoints
What Is an Endpoint?
An endpoint is the public entry point for your application.
It provides:
- A globally reachable URL
- A public DNS name
- HTTPS support
When you create an Azure Front Door profile, you create one or more endpoints.
Example IT Scenario
Your company hosts a web application for users worldwide. Instead of users connecting directly to a VM or App Service, they connect to:
https://myapp-xyz.azurefd.net
This is the Front Door endpoint.
Key Endpoint Concepts for Exam
1. Default Domain
Azure automatically assigns:
<endpoint-name>.azurefd.net
2. Custom Domain
You can map:
www.contoso.com
to the Front Door endpoint.
You must:
- Add a DNS CNAME record
- Validate domain ownership
- Configure an HTTPS certificate
3. HTTPS Configuration
Front Door supports:
- Microsoft-managed certificates (automatic renewal)
- Customer-managed certificates (Azure Key Vault)
For the exam:
- Know that HTTPS is enabled per custom domain
- Certificates can come from Azure Key Vault
4. Origins
What Is an Origin?
An origin is the backend resource where your application is actually hosted.
Examples:
- Azure App Service
- Azure Virtual Machine
- Azure Load Balancer
- Azure Kubernetes Service
- Public IP
- On-premises server (publicly reachable)
Important: Origin ≠ Origin Group
An origin is a single backend.
An origin group is a collection of origins.
Origin Configuration Settings (Exam Important)
When configuring an origin, you must define:
1. Origin Type
- App Service
- Storage
- Custom (IP or FQDN)
2. Host Name
The DNS name of the backend:
myapp.azurewebsites.net
3. Origin Host Header
This is extremely important for AZ-700.
This defines:
- What host header Front Door sends to the backend
If not configured correctly:
- The backend may reject traffic
- SSL mismatch errors occur
4. Priority and Weight
Used inside an origin group.
- Priority → Used for failover
- Weight → Used for load balancing
More details below.
5. Origin Groups
An origin group contains one or more origins.
Purpose:
- Health monitoring
- Load balancing
- Failover
Health Probes (Very Important)
Front Door checks backend health using:
- Protocol: HTTP or HTTPS
- Path: /health, /status, etc.
- Interval (example: every 30 seconds)
If an origin fails:
- It is removed from rotation
- Traffic is sent to a healthy origin
Load Balancing Methods
1. Priority-Based Routing (Failover)
Example:
- Origin A → Priority 1
- Origin B → Priority 2
Traffic goes to:
- Origin A (primary)
- If A fails → traffic goes to B
This is used for:
- Disaster recovery
- Active-passive setup
2. Weighted Routing (Load Distribution)
Example:
- Origin A → Weight 80
- Origin B → Weight 20
Traffic distribution:
- 80% to A
- 20% to B
Used for:
- Gradual migration
- Blue-green deployment
- Performance testing
6. Routes
What Is a Route?
A route connects:
Endpoint → Origin Group
It defines:
- Which incoming requests go to which backend
Route Matching Rules
Routes can match based on:
1. Domain
Example:
www.contoso.com
api.contoso.com
2. Path
Example:
/images/*
/api/*
3. Protocol
- HTTP
- HTTPS
Route Components
When configuring a route, you must define:
- Endpoint
- Accepted protocol (HTTP/HTTPS)
- Domain(s)
- Path pattern
- Origin group
- Forwarding protocol
Forwarding Protocol Options
This determines how Front Door talks to the backend:
- Match incoming request
- HTTP only
- HTTPS only
Exam Tip:
If the backend requires HTTPS, make sure the forwarding protocol is HTTPS.
7. How Traffic Flows (Full Process)
Let’s understand the complete flow step-by-step:
1. User enters URL (example: www.contoso.com)
2. DNS resolves to Front Door endpoint
3. User connects to nearest Microsoft edge location
4. Route rule is evaluated
5. Route selects an origin group
6. Health probe decides which origin is healthy
7. Traffic is forwarded to selected origin
8. Response is returned via Microsoft network
8. Path-Based Routing (Exam Favorite)
This is commonly tested.
Example configuration:
| Path | Origin Group |
|---|---|
| /api/* | API-OriginGroup |
| /images/* | Image-OriginGroup |
| /* | Web-OriginGroup |
This allows:
- API traffic → API backend
- Static content → Storage backend
- Web pages → App Service
This is very common in enterprise applications.
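The routing decision from sections 5, 7 and 8, as an added example that is not part of the original guide or Microsoft's implementation. It is a simplified model: the most specific path pattern wins, unhealthy origins are skipped, the lowest priority number is used first, and weights split traffic within that priority. The host names and the `match_route`, `select_origin` and `route_request` helpers are assumptions made for illustration.

```python
import random

# Constructed sample data mirroring the path table above (host names are illustrative).
ROUTES = [
    {"domains": {"www.contoso.com"}, "pattern": "/api/*", "group": "API-OriginGroup"},
    {"domains": {"www.contoso.com"}, "pattern": "/images/*", "group": "Image-OriginGroup"},
    {"domains": {"www.contoso.com"}, "pattern": "/*", "group": "Web-OriginGroup"},
]
ORIGIN_GROUPS = {
    "API-OriginGroup": [
        {"host": "api-a.example", "priority": 1, "weight": 80, "healthy": True},
        {"host": "api-b.example", "priority": 1, "weight": 20, "healthy": True},
        {"host": "api-dr.example", "priority": 2, "weight": 100, "healthy": True},
    ],
    "Image-OriginGroup": [
        {"host": "img.example", "priority": 1, "weight": 100, "healthy": True}],
    "Web-OriginGroup": [
        {"host": "web.example", "priority": 1, "weight": 100, "healthy": True}],
}

def match_route(host, path, routes=ROUTES):
    """Pick the route for this domain whose path pattern is the most specific match."""
    best = None
    for r in routes:
        if host.lower() not in r["domains"]:
            continue
        wildcard = r["pattern"].endswith("*")
        prefix = r["pattern"].rstrip("*")          # "/api/*" -> "/api/"
        hit = path.startswith(prefix) if wildcard else path == prefix
        if hit and (best is None or len(prefix) > len(best[0])):
            best = (prefix, r)
    return best[1] if best else None

def select_origin(group_name, groups=ORIGIN_GROUPS, rng=random):
    """Healthy origins only; lowest priority number first; weights split that tier."""
    healthy = [o for o in groups[group_name] if o["healthy"]]
    if not healthy:
        return None  # simplification: this model stops when nothing is healthy
    top = min(o["priority"] for o in healthy)
    tier = [o for o in healthy if o["priority"] == top]
    return rng.choices(tier, weights=[o["weight"] for o in tier], k=1)[0]

def route_request(host, path, rng=random):
    """Return (origin group, origin host) for a request, or None if no route matches."""
    route = match_route(host, path)
    if route is None:
        return None
    origin = select_origin(route["group"], rng=rng)
    return (route["group"], origin["host"] if origin else None)
```
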
9. Multiple Endpoints Scenario
You can create multiple endpoints in one Front Door profile.
Example:
- app1.azurefd.net
- app2.azurefd.net
Each endpoint:
- Can have its own routes
- Can have different custom domains
Used when:
- Hosting multiple applications
- Managing separate environments
10. Important Exam Scenarios
Below are common AZ-700 question styles:
Scenario 1: Global Failover Required
Requirement:
- Primary region in East US
- Secondary region in West Europe
- Automatic failover
Solution:
- Create two origins
- Same origin group
- Use priority-based routing
Scenario 2: Blue-Green Deployment
Requirement:
- 90% traffic to old version
- 10% to new version
Solution:
- Use weighted routing
- Same origin group
- Different weights
Scenario 3: Route API Separately
Requirement:
- /api traffic must go to AKS
- /static must go to storage
Solution:
- Create two origin groups
- Create multiple routes
- Configure path-based matching
Scenario 4: Backend Requires Specific Host Header
Requirement:
- App Service only accepts specific hostname
Solution:
- Configure Origin Host Header properly
This is often tested.
11. Security Considerations
Although security is a separate topic, routing interacts with:
- Web Application Firewall (WAF)
- HTTPS enforcement
- Redirect HTTP → HTTPS
You can:
- Redirect HTTP to HTTPS using route configuration
- Attach WAF policies to endpoints
12. Common Misconfigurations (Exam Traps)
Be careful about:
- Wrong origin host header
- Health probe path incorrect
- HTTPS certificate not configured
- Forwarding protocol mismatch
- DNS not pointing to Front Door
These often appear in troubleshooting questions.
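A configuration audit covering the traps listed above plus the HTTP-to-HTTPS redirect from section 11, as an added example that is not part of the original guide. The `CONFIG` dictionary is a constructed, hypothetical flattened view of one Front Door setup (it is not the Azure resource schema), and the `accepts_hosts`, `https_only` and `health_path` fields are assumed to come from your own backend inventory.

```python
# Constructed sample: a hypothetical flattened view of one Front Door setup.
CONFIG = {
    "endpoint": "myapp-xyz.azurefd.net",
    "domains": [
        {"name": "www.contoso.com", "cname": "myapp-xyz.azurefd.net", "certificate": None},
        {"name": "api.contoso.com", "cname": "oldlb.contoso.com", "certificate": "keyvault"},
    ],
    "routes": [
        {"name": "web", "accepted": ["Http", "Https"], "https_redirect": False,
         "forwarding": "MatchRequest", "origin_group": "web-og"},
    ],
    "origin_groups": {
        "web-og": {"probe_path": "/healthz", "origins": [
            {"host": "myapp.azurewebsites.net", "host_header": "www.contoso.com",
             "accepts_hosts": ["myapp.azurewebsites.net"], "https_only": True,
             "health_path": "/health"}]},
    },
}

def audit(cfg):
    """Return (check, subject) findings for the misconfigurations listed above."""
    findings = []
    for d in cfg["domains"]:
        # The custom domain's CNAME must resolve to the Front Door endpoint.
        if d["cname"].rstrip(".").lower() != cfg["endpoint"]:
            findings.append(("dns-not-pointing-to-front-door", d["name"]))
        if not d["certificate"]:
            findings.append(("https-certificate-missing", d["name"]))
    for r in cfg["routes"]:
        # Plain HTTP is served end to end unless the route redirects it.
        plain_in = "Http" in r["accepted"] and not r["https_redirect"]
        if plain_in:
            findings.append(("http-accepted-without-redirect", r["name"]))
        group = cfg["origin_groups"][r["origin_group"]]
        for o in group["origins"]:
            if o["host_header"] not in o["accepts_hosts"]:
                findings.append(("origin-host-header-rejected", o["host"]))
            if group["probe_path"] != o["health_path"]:
                findings.append(("probe-path-mismatch", o["host"]))
            # Front Door would reach an HTTPS-only backend over HTTP.
            plain_out = r["forwarding"] == "HttpOnly" or (
                r["forwarding"] == "MatchRequest" and plain_in)
            if o["https_only"] and plain_out:
                findings.append(("forwarding-protocol-mismatch", o["host"]))
    return findings
```
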
13. Quick Comparison Summary
| Component | Purpose |
|---|---|
| Endpoint | Public entry point |
| Route | Traffic matching rule |
| Origin | Backend server |
| Origin Group | Collection of backends |
14. Key Points to Memorize for AZ-700
- Azure Front Door is a Layer 7 global load balancer
- Endpoint = public DNS
- Route = connects endpoint to origin group
- Origin = backend
- Origin Group = load balancing + failover
- Priority = failover
- Weight = traffic distribution
- Health probe determines backend availability
- Path-based routing is commonly tested
- Host header configuration is critical
Final Exam Strategy
For every Azure Front Door question:
Ask yourself:
- Is this about routing?
- Is this about backend failover?
- Is this about traffic distribution?
- Is this about path matching?
- Is this about host header or HTTPS configuration?
If you understand:
- How endpoints receive traffic
- How routes match traffic
- How origin groups distribute traffic
- How origins host applications
You will confidently answer any AZ-700 question related to configuring routing, origins, and endpoints in Azure Front Door.
