I am going to talk about Azure Front Door (AFD) today since I am using it for one of my projects. As far as I understand, in simple words, AFD is a combination of Load balancing, CDN and WAF services.
As usual, let the official documentation do the explaining ; )
Azure Front Door is a global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications.
Front Door works at Layer 7 (HTTP/HTTPS layer) using anycast protocol with split TCP and Microsoft’s global network to improve global connectivity. Based on your routing method you can ensure that Front Door will route your client requests to the fastest and most available application backend.
- Accelerated application performance by using split TCP-based anycast protocol.
- Intelligent health probe monitoring for backend resources.
- URL-path based routing for requests.
- Enables hosting of multiple websites for efficient application infrastructure.
- Cookie-based session affinity.
- SSL offloading and certificate management.
- Define your own custom domain.
- Application security with integrated Web Application Firewall (WAF).
- Redirect HTTP traffic to HTTPS with URL redirect.
- Custom forwarding path with URL rewrite.
- Native support of end-to-end IPv6 connectivity and HTTP/2 protocol.
Below are some facts that I think are important to know and understand. For more detailed information, please refer to the AFD FAQ.
- AFD is different from Azure Application Gateway. Use AFD with these scenarios.
- AFD needs a public VIP or a publicly available DNS name to route the traffic to, meaning that it CAN NOT route within a VNet. Using Application Gateway or Load Balancer solves this scenario.
- Continuation from above, it means that your backend needs to be publicly accessible.
- Continuation from above, how do you make sure the backend only accepts requests from AFD? Please refer here.
- AFD DOES NOT support static or dedicated frontend anycast IPs currently.
- AFD and Azure CDN can’t be configured together because both services utilize the same Azure edge sites when responding to requests.
- AFD supports managed and owned SSL certificates.
- Continuation from above, for certificate autorotation, you need to file a support ticket when the expiry date is less than 60 days away. For an owned certificate, you need to rotate it yourself.
- AFD supports TLS/SSL offload and end-to-end TLS. Since AFD talks to the backend publicly, it is recommended to perform the latter.
- AFD DOES NOT support self-signed certificates on both frontend and backend.
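Since the backend has to stay publicly reachable, one way to make it accept only requests that came through your own Front Door is to check both the source address and the Front Door ID header at the application. The sketch below is an added example, not code from this post or from Microsoft; it assumes the `X-Azure-FDID` header and the `AzureFrontDoor.Backend` service tag described in Microsoft's documentation, and the IP range and ID shown are constructed placeholders.

```python
import hmac
import ipaddress

# Constructed placeholders: load the real ranges from the AzureFrontDoor.Backend
# service tag and the real Front Door ID from your own Front Door profile.
ALLOWED_EDGE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def is_from_front_door(remote_addr, fdid_header):
    """True only if the peer IP is in an allowed range AND the Front Door ID matches."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: fail closed
    if not any(peer in net for net in ALLOWED_EDGE_RANGES):
        return False
    # The IP check alone is not enough: the edge ranges are shared by every
    # Front Door customer, so the ID header ties the request to *this* profile.
    supplied = (fdid_header or "").lower().encode()
    return hmac.compare_digest(supplied, EXPECTED_FDID.encode())


class FrontDoorOnly:
    """WSGI middleware that answers 403 unless the request came via our Front Door.

    REMOTE_ADDR must be the real TCP peer; if another proxy sits in front of the
    application, do this check on that proxy instead.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_from_front_door(environ.get("REMOTE_ADDR", ""),
                              environ.get("HTTP_X_AZURE_FDID")):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]
```

The same two conditions can be enforced at the network layer instead, with a network security group rule for the service tag and a header match on the web server.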
Enough of the boring wording, let’s start getting our hands dirty!!
Please have your backend ready, as AFD will need to point to it during setup. Let’s get started.
Configuration is the section where we will configure all the settings.
Step 1, create a frontend with a unique AFD FQDN. A WAF policy can be set up here, but I will do it in another post.
Step 2, add a backend pool to AFD.
The available backend types are as below.
For my scenario, I use VMSS as my backend so I can find them under Public IP Address. If your backend is a VM, the IP address has to be the static SKU so that it can be found in the list.
With the backend set up, you need to configure the backend health probe so that AFD will route traffic to healthy backends. Remember to set your available backend protocol accordingly.
Define what counts as a healthy or unhealthy condition.
Step 3, add a route so that AFD knows how to route traffic from the frontend to the backend. Configure the protocol of your frontend, and remember that AFD works at Layer 7, so you can set path routing accordingly.
Next, let’s configure how you want the traffic to be routed. Since my backend does not support HTTPS, I choose HTTP only. I believe Match request will do the trick too.
Finally, with everything configured, let’s create AFD!
Once creation is done, you can get your AFD FQDN from Overview.
Scroll down a bit and you can review various metrics, of which Backend health percentage is quite useful to me.
Lastly, let’s verify the result by accessing the AFD FQDN. I accessed it with Chrome and Safari for comparison, and we can verify that load balancing is indeed functioning!
That’s it for this post, hope you enjoyed it! I will write another post regarding other configurations such as setting up SSL certificates, restricting your backend to AFD only and forcing HTTP to HTTPS. Stay tuned!!