Designing Azure Front Door

Application Gateway is a regional service. Azure Front Door provides a global entry point for your web applications and offers many of the same capabilities as Application Gateway plus additional global, performance, and security features. In this lesson you’ll learn why Azure Front Door is used for internet-facing applications, how it improves performance and availability, and how to design and deploy it for production workloads.
Azure Front Door is a global, Layer 7 load balancer and web application delivery service. It provides global routing, TLS termination, DDoS protection integration, caching, and more—making it an ideal “front door” for internet-facing applications.

What is Azure Front Door?

Azure Front Door (AFD) is a cloud-native, globally distributed service that routes user traffic to the most appropriate backend based on configured routing rules, health probes, and policies. It operates at the HTTP/HTTPS (Layer 7) level and consolidates features such as:
  • Global routing and failover
  • TLS termination and certificate management
  • Web Application Firewall (WAF) integration
  • Caching and CDN-like acceleration
  • DDoS protection and rate limiting integrations
  • URL path–based routing and header rewrites
  • HTTP/3 (QUIC) support for lower-latency connections

When to choose Azure Front Door vs Application Gateway

Use Azure Front Door when you need a global entry point and want to optimize routing across multiple regions, provide cross-region failover, or accelerate content delivery for a global user base. Use Application Gateway when you need a region-scoped Layer 7 load balancer with deeper integration into a specific virtual network or when you need features tightly coupled with regional Azure resources.

Important: Azure Front Door is a global service. If your architecture requires private VNet-only origin connections without additional networking configuration, Application Gateway (regional) or Private Link-enabled backends may be more appropriate. Consider security boundaries, cost, and compliance when choosing the right entry point.

Key benefits and capabilities

  • Global routing and acceleration: Route users to the nearest or healthiest backend to minimize latency.
  • Security: WAF integration, TLS termination, and integration with Azure DDoS Protection.
  • High availability: Built-in health probes and global failover reduce downtime.
  • Performance: Caching and HTTP/3 support improve responsiveness for global users.
  • Flexible origins: Support for App Service, Storage, custom hosts (VMs, on-prem), CDN origins, and third-party endpoints.
  • Automation: Deployable via Azure Portal, Azure CLI, ARM templates, Bicep, or Terraform.

Standard vs Premium SKUs — feature comparison

| Capability | Standard SKU | Premium SKU |
| --- | --- | --- |
| Layer 7 load balancing | | |
| Web Application Firewall (WAF) | Managed rules, custom rules | Advanced WAF features and extended rule sets |
| Private Link integration | | ✓ (enables private connectivity to backends) |
| Advanced security features | Basic WAF and rate-limiting | Additional security controls and policy granularity |
| Price / cost profile | Lower | Higher (for advanced features) |
| Use case | Global load balancing + CDN-like features | Enterprise scenarios requiring private origins, advanced WAF, and finer security controls |

Choose Standard for most global web workloads that need acceleration, global routing, TLS termination, and WAF. Choose Premium when you require Private Link support, advanced WAF controls, or other enterprise security integrations.

Design and deployment considerations

When designing an Azure Front Door deployment for production, consider the following:
  • DNS and TLS
    • Use CNAMEs to map custom domains to Front Door endpoints.
    • Use managed certificates for simplified TLS, or upload certificates stored in Azure Key Vault for custom certificate management.
  • Routing and rules
    • Use path-based routing to direct requests to different backend pools (e.g., /api/* to API backends, /static/* to storage).
    • Implement secure redirection rules (HTTP → HTTPS) and host header rewrites as required.
  • Backend configuration
    • Define backend pools with origins (App Service, Storage, custom hostname).
    • Configure host headers, priority/weight for traffic distribution, and backend-specific health probes.
  • Health probes
    • Use health probes to detect backend health; set probe intervals, path, and expected status codes that match your application behavior.
  • Security and WAF
    • Tune WAF rules to avoid false positives during rollout; use logging and metrics to iterate.
  • Monitoring and diagnostics
    • Enable metrics, logging, and diagnostic settings (e.g., Azure Monitor, Log Analytics) to track performance, errors, and WAF events.
  • Deployment automation
    • Automate with ARM/Bicep, Azure CLI, or Terraform for repeatable deployments and CI/CD integration.
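
The considerations above can be turned into a pre-deployment check. The following is an added example, not part of the original lesson or any Microsoft tooling: a Python review function that flags missing health probes, HTTP routes without redirect, non-HTTPS forwarding to origins, Private Link origins on a Standard profile, and a WAF policy that is absent or not yet blocking. Property names such as `httpsRedirect`, `forwardingProtocol` and `healthProbeSettings` follow the Microsoft.Cdn/profiles resource schema; the flattened dictionary layout, the function name `review_front_door` and the sample hostnames are assumptions of this example.

```python
# Added example (not Microsoft tooling); the flat dict layout is an assumption.

def review_front_door(design):
    """Return a sorted list of findings for a simplified Front Door design dict."""
    findings = []
    premium = design.get("sku") == "Premium_AzureFrontDoor"
    groups = design.get("originGroups", {})
    for name, group in groups.items():
        probe = group.get("healthProbeSettings") or {}
        if not probe.get("probePath"):
            findings.append(f"{name}: no health probe, unhealthy origins go undetected")
        for origin in group.get("origins", []):
            if origin.get("sharedPrivateLinkResource") and not premium:
                findings.append(f"{name}/{origin['hostName']}: Private Link needs Premium SKU")
    for name, route in design.get("routes", {}).items():
        if ("Http" in route.get("supportedProtocols", [])
                and route.get("httpsRedirect") != "Enabled"):
            findings.append(f"{name}: accepts HTTP without an HTTP-to-HTTPS redirect")
        if route.get("forwardingProtocol") != "HttpsOnly":
            findings.append(f"{name}: requests may reach the origin over plain HTTP")
    waf = design.get("wafPolicy")
    if waf is None:
        findings.append("waf: no WAF policy attached")
    elif waf.get("mode") != "Prevention":
        findings.append("waf: still in Detection mode, matches are logged but not blocked")
    return sorted(findings)

# Constructed sample design; hostnames are placeholders.
SAMPLE = {
    "sku": "Standard_AzureFrontDoor",
    "originGroups": {
        "api": {"healthProbeSettings": {"probePath": "/healthz", "probeProtocol": "Https"},
                "origins": [{"hostName": "api.example.internal",
                             "sharedPrivateLinkResource": {"groupId": "sites"}}]},
        "static": {"origins": [{"hostName": "assets.example.net"}]},
    },
    "routes": {
        "api-route": {"originGroup": "api", "patternsToMatch": ["/api/*"],
                      "supportedProtocols": ["Http", "Https"],
                      "httpsRedirect": "Enabled", "forwardingProtocol": "HttpsOnly"},
        "static-route": {"originGroup": "static", "patternsToMatch": ["/static/*"],
                         "supportedProtocols": ["Http", "Https"],
                         "httpsRedirect": "Disabled", "forwardingProtocol": "MatchRequest"},
    },
    "wafPolicy": {"mode": "Detection"},
}

if __name__ == "__main__":
    print("\n".join(review_front_door(SAMPLE)))
```

Detection mode is expected while WAF rules are being tuned during rollout, so treat that finding as a reminder to switch to Prevention once false positives are resolved.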

Typical deployment steps (high-level)

  1. Plan DNS records and certificate requirements.
  2. Create an Azure Front Door instance (Standard or Premium) via Portal, CLI, or IaC.
  3. Define frontend hosts (custom domains and default endpoint).
  4. Create backend pools and add origins (App Service, Storage, VMs, etc.).
  5. Configure routing rules and URL path–based rules.
  6. Set up health probes for each backend.
  7. Enable WAF policies and tune rule sets.
  8. Validate traffic flows and failover scenarios.
  9. Monitor and adjust based on telemetry.

Configuration topics covered in this lesson

  • Choosing a SKU and mapping feature requirements to Standard vs Premium
  • Deploying Front Door with custom domains and TLS termination
  • Defining backends, host headers, and origin types (App Service, Storage, custom host)
  • Creating routing rules and URL path-based routing
  • Implementing secure redirects and HTTP/3 (QUIC) support
  • Creating and tuning health probes to improve availability
  • Applying and managing SSL/TLS certificates, including Key Vault integration
  • Instrumenting with Azure Monitor and diagnostic logs

Learning objectives

  • Understand the purpose and benefits of Azure Front Door as a global entry point for web applications.
  • Compare features and capabilities of the Standard and Premium SKUs to choose the right one for your scenario.
  • Learn deployment options, including HTTP/3 (QUIC) support and automation methods (Portal, CLI, ARM/Bicep, Terraform).
  • Configure routing rules, URL path–based routing, and secure redirection (for example, HTTP to HTTPS).
  • Define backend endpoints, configure host headers, and choose between different origin types (App Service, Storage, custom host, etc.).
  • Configure and customize health probes to monitor backend health and improve availability.
  • Apply and manage SSL/TLS certificates to enable secure end-to-end connections.

| Resource | Use |
| --- | --- |
| Azure Front Door documentation | Official docs, concepts, and quickstarts |
| Azure Front Door Standard/Premium overview | SKU differences and feature lists |
| Azure Web Application Firewall documentation | WAF policies and managed rules |
| Azure Front Door pricing | Pricing details and comparisons |
| Create Front Door with Bicep | Example IaC templates |

Next, we’ll dive into the differences between the Standard and Premium SKUs and when to use each one.