3.3 Azure Front Door
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is Azure Front Door?
Microsoft Azure provides Azure Front Door, a global Layer 7 (HTTP/HTTPS) load balancer and application delivery service.
Azure Front Door is used when:
- Users are located around the world
- Applications are deployed in multiple Azure regions
- High availability and fast performance are required
- Security against web attacks is needed
- You want centralized traffic control
It operates at the application layer (Layer 7) and understands HTTP and HTTPS traffic.
2. Why “Map Requirements to Azure Front Door Features” Is Important for AZ-700
In the AZ-700 exam, you will not only be asked what Azure Front Door is.
You will be given business or technical requirements, and you must choose the correct Azure Front Door feature.
Example of requirement types (in IT context):
- “Users from Asia must be routed to the nearest region.”
- “Block SQL injection attacks.”
- “Only allow traffic from specific countries.”
- “Route traffic based on URL path.”
- “Provide automatic failover if a region goes down.”
- “Use HTTPS with a custom domain.”
- “Improve performance for static and dynamic content.”
You must know which feature solves which requirement.
3. Core Azure Front Door Features and When to Use Them
4. Global Load Balancing
Requirement:
“Distribute user traffic across multiple Azure regions.”
Feature:
Global load balancing
Azure Front Door:
- Uses Microsoft’s global edge network
- Routes users to the closest healthy backend
- Works across multiple Azure regions
How It Works:
- User connects to nearest Microsoft edge location
- Traffic is forwarded to best backend using Microsoft backbone network
- Reduces latency
Exam Key Points:
- Layer 7 load balancer
- Supports HTTP and HTTPS only
- Health probes determine backend health
- Automatic failover
Use this when:
- Application is deployed in multiple regions
- High availability is required
5. Health Probes and Automatic Failover
Requirement:
“If one region fails, automatically redirect traffic to another region.”
Feature:
- Health probes
- Backend pool monitoring
- Automatic failover
Azure Front Door continuously checks backend health.
If a backend:
- Returns errors
- Stops responding
- Becomes unhealthy
traffic automatically moves to a healthy region.
Exam Tip:
Front Door provides active-active failover by default.
6. Path-Based Routing
Requirement:
“Send /images to one backend and /api to another backend.”
Feature:
Routing rules (path-based routing)
Azure Front Door can:
- Inspect URL path
- Forward traffic to different backend pools
IT Example:
- /api/* → API servers
- /static/* → storage account
- /app/* → web servers
Exam Tip:
Use path-based routing when:
- Application has microservices
- Different workloads are separated
7. Host-Based Routing (Multi-site Hosting)
Requirement:
“Use one Front Door instance for multiple domains.”
Feature:
- Host-based routing
- Custom domains
Azure Front Door can:
- Handle multiple domain names
- Route traffic based on hostname
Example:
- app1.company.com → Backend 1
- app2.company.com → Backend 2
Exam Tip:
Use this when:
- Hosting multiple applications
- Using different domain names
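The host-based and path-based routing from sections 6 and 7, as an added example that is not part of the original guide: a simplified model in which the hostname must match exactly and the most specific path pattern wins. It is not Front Door's implementation; the `/api/v2/*` route, the pool names and the `match_route` helper are constructed for illustration.

```python
# Constructed routes: (hostname, path pattern, backend pool).
# The first three path patterns and the two hostnames come from the guide's
# examples; "/api/v2/*" and all pool names are made up for this sketch.
ROUTES = [
    ("app1.company.com", "/api/*", "api-servers"),
    ("app1.company.com", "/api/v2/*", "api-v2-servers"),
    ("app1.company.com", "/static/*", "storage-account"),
    ("app1.company.com", "/app/*", "web-servers"),
    ("app2.company.com", "/*", "backend-2"),
]


def match_route(routes, host, path):
    """Return the backend pool for a request, or None when no route matches.

    Simplified model: hostname compared case-insensitively, an exact path
    beats any wildcard, and among wildcards the longest pattern wins.
    """
    host = host.lower().split(":")[0]  # drop an optional port
    best = None  # (pattern, pool) of the most specific wildcard so far
    for route_host, pattern, pool in routes:
        if route_host != host:
            continue
        if pattern == path:
            return pool  # exact path match wins outright
        # "/api/*" matches any path that starts with "/api/"
        if pattern.endswith("/*") and path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, pool)
    return best[1] if best else None


if __name__ == "__main__":
    for host, path in [
        ("app1.company.com", "/api/v1/orders"),
        ("app1.company.com", "/api/v2/orders"),
        ("app2.company.com", "/anything"),
        ("app1.company.com", "/admin"),  # no catch-all on app1: unmatched
    ]:
        print(host, path, "->", match_route(ROUTES, host, path))
```

Running the same table of requests against a planned route set is a quick way to confirm that no path reaches a backend it was not meant to reach, and that unmatched paths are not forwarded.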
8. Web Application Firewall (WAF)
Requirement:
“Protect application from web attacks.”
Feature:
Azure Web Application Firewall (WAF) for Azure Front Door
WAF protects against:
- SQL injection
- Cross-site scripting (XSS)
- HTTP protocol violations
- Known web vulnerabilities (OWASP Top 10)
WAF Capabilities:
- Managed rules (OWASP)
- Custom rules
- IP filtering
- Rate limiting
- Geo filtering
Exam Tip:
If the question mentions:
- Block malicious traffic
- Protect against OWASP attacks
- Filter requests based on IP
- Restrict by country
→ Use WAF with Front Door
9. HTTPS and SSL/TLS Offloading
Requirement:
“Secure communication using HTTPS.”
Feature:
- SSL termination at edge
- Custom domain HTTPS
- Managed certificates
Azure Front Door:
- Terminates TLS at Microsoft edge
- Supports custom SSL certificates
- Can automatically manage certificates
Exam Points:
- End-to-end HTTPS supported
- Can re-encrypt traffic to backend
- Reduces load on backend servers
10. Session Affinity
Requirement:
“Ensure a user session stays on same backend.”
Feature:
Session affinity (cookie-based)
Azure Front Door can:
- Use cookies to maintain session persistence
Use when:
- Applications require session state
- Not using distributed session store
11. Caching and Acceleration
Requirement:
“Improve performance for static or dynamic content.”
Feature:
- Content caching at edge
- Dynamic site acceleration
Azure Front Door:
- Caches static content
- Reduces backend load
- Reduces latency
Works Well With:
- Storage accounts
- Static websites
- Global content distribution
Exam Tip:
If the requirement mentions:
- Reduce latency globally
- Improve performance
- Cache static content
→ Use Front Door caching
12. Geo-Filtering
Requirement:
“Allow traffic only from specific countries.”
Feature:
WAF custom rules with geo filtering
You can:
- Allow specific countries
- Block specific countries
Exam scenario:
“Block traffic from outside Europe.”
→ Use WAF geo filtering
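How the "block traffic from outside Europe" rule behaves, as an added example that is not part of the original guide: a small evaluator for WAF custom rules in which a negated `GeoMatch` condition blocks every country not on the list, and rules are processed in priority order (lowest number first). The field names follow the ARM schema for Front Door WAF custom rules; the rule names, the shortened country list, the documentation-range IPs and the pre-resolved `country` field on each request are assumptions.

```python
import ipaddress

# Constructed policy fragment; values are illustrative only.
CUSTOM_RULES = [
    {"name": "AllowMonitoring", "priority": 10, "action": "Allow",
     "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                          "negateCondition": False,
                          "matchValue": ["203.0.113.0/24"]}]},
    {"name": "BlockOutsideEurope", "priority": 100, "action": "Block",
     "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "GeoMatch",
                          "negateCondition": True,
                          # shortened list standing in for "Europe"
                          "matchValue": ["DE", "FR", "NL", "ES", "IT"]}]},
]


def condition_matches(cond, request):
    """Evaluate one match condition against a request dict."""
    if cond["operator"] == "GeoMatch":
        hit = request["country"] in cond["matchValue"]
    elif cond["operator"] == "IPMatch":
        addr = ipaddress.ip_address(request["ip"])
        hit = any(addr in ipaddress.ip_network(n) for n in cond["matchValue"])
    else:
        raise ValueError(f"operator not modelled: {cond['operator']}")
    # negateCondition flips the result, e.g. "country NOT in the list".
    return hit != cond["negateCondition"]


def evaluate(rules, request, default="Allow"):
    """Return (action, rule_name) of the first matching rule by priority.

    The default stands in for "no custom rule matched"; managed rules,
    which would run next, are not modelled here.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        # Every condition in a rule must match (logical AND).
        if all(condition_matches(c, request) for c in rule["matchConditions"]):
            return rule["action"], rule["name"]
    return default, None


if __name__ == "__main__":
    print(evaluate(CUSTOM_RULES, {"ip": "198.51.100.7", "country": "DE"}))
    print(evaluate(CUSTOM_RULES, {"ip": "198.51.100.7", "country": "US"}))
    print(evaluate(CUSTOM_RULES, {"ip": "203.0.113.5", "country": "US"}))
```

The third request is allowed only because the IP allow rule has the lower priority number; give it a higher number than the geo rule and the same request is blocked.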
13. URL Redirect and Rewrite
Requirement:
“Redirect HTTP to HTTPS.”
“Rewrite URL before forwarding to backend.”
Feature:
Rules engine
Azure Front Door rules engine can:
- Redirect traffic (301/302)
- Modify headers
- Rewrite URLs
- Add or remove headers
Use when:
- Migrating applications
- Enforcing HTTPS
- Changing URL structure
14. Private Backend Support
Requirement:
“Backend must not be publicly accessible.”
Feature:
Private Link support
Azure Front Door supports:
- Connecting to private endpoints
- Secure access to backend without public IP
Exam Tip:
If the requirement says:
- Backend must not have public IP
- Use private connectivity
→ Use Private Link with Front Door
15. Difference Between Azure Front Door and Application Gateway
You may get comparison questions.
| Feature | Azure Front Door | Azure Application Gateway |
|---|---|---|
| Scope | Global | Regional |
| Load balancing | Global | Regional |
| Entry point | Edge locations | VNet |
| Best for | Global apps | Single-region apps |
| Private backend | Supported | Supported |
| WAF | Yes | Yes |
If the requirement is:
- Global users
- Multi-region
- Global failover
→ Choose Azure Front Door
If the requirement is:
- Regional traffic only
- Internal application
- VNet integration focus
→ Choose Application Gateway
16. Azure Front Door Tiers (Important for Exam)
Azure Front Door Standard and Premium:
| Feature | Standard | Premium |
|---|---|---|
| Global load balancing | Yes | Yes |
| WAF | Yes | Yes |
| Private Link | No | Yes |
| Advanced security | Basic | Advanced |
If the requirement is:
“Use Private Link with backend”
→ Choose Premium
17. Common Exam Scenarios and Correct Mapping
Below are common AZ-700 style mappings:
| Requirement | Correct Feature |
|---|---|
| Global load balancing | Front Door |
| Path-based routing | Routing rules |
| Protect from OWASP | WAF |
| Improve performance | Caching |
| Auto failover | Health probes |
| Multi-domain hosting | Host-based routing |
| Secure backend privately | Private Link |
| Force HTTPS | Rules engine redirect |
| Restrict by country | WAF geo filtering |
| Maintain session | Session affinity |
18. Key Things to Remember for AZ-700
- Azure Front Door works at Layer 7 (HTTP/HTTPS only)
- It is global, not regional
- Uses Microsoft global edge network
- Provides automatic failover
- Supports WAF
- Supports path-based and host-based routing
- Premium supports Private Link
- Can cache content
- Uses health probes to determine backend health
19. Final Exam Strategy
When you see a question:
Step 1: Identify scope
- Global → Front Door
- Regional → Application Gateway
Step 2: Identify security need
- Web attack protection → WAF
- Geo restriction → WAF custom rule
Step 3: Identify routing need
- URL path routing → Routing rules
- Multiple domains → Host-based routing
Step 4: Identify connectivity requirement
- Private backend → Premium tier
Final Summary
Azure Front Door is a global application delivery service that provides:
- Global load balancing
- High availability
- Web application security
- URL routing
- Performance acceleration
- SSL termination
- Private backend connectivity (Premium)
