Azure Front Door is a global service, which is typically used as an entry point for web applications. It’s well-suited for this task, as it operates at Layer 7 (HTTP/HTTPS-based) of the networking stack. However, calling it a load balancer would be underselling it. Azure Front Door uses the Microsoft Global Edge network to accept traffic from end users. You can associate a Web Application Firewall (WAF) with it to protect your applications from potential threats.
Azure Front Door takes advantage of the anycast protocol and goes beyond traditional CDN capabilities with advanced security capabilities, including preventing Distributed Denial of Service (DDoS) attacks.
The core capabilities of Azure Front Door include:
- Application and API acceleration through the use of anycast, which will optimize the connectivity to Azure application services and reduce the latency for end users.
- Global HTTP load balancing allows developers to build geo-distributed services and lets Azure determine endpoint availability and intelligent routing to local and available endpoints.
- SSL offload relieves endpoints of performing expensive decryption computation and moves the function higher up in the stack.
- WAF @Edge web application filtering provides protection against DDoS attacks or malicious users at the edge without impacting backend services.
Azure Front Door Standard and Premium contain several common features, including:
- Custom Domains
- SSL Offload
- Caching
- Compression
- Global load balancing
- Layer 7 routing
- URL Rewrite
- Enhanced Metrics and diagnostics
- Traffic Report
Azure Front Door Premium contains the following features in addition to the previous list:
- Private Origin (Private Link)
- Web Application Firewall (WAF) support
- Bot Protection
- Security Report
Azure Front Door Routing Method
- Latency: The latency-based routing ensures that requests are sent to the lowest latency backends acceptable within a sensitivity range. Basically, your user requests are sent to the "closest" set of backends with respect to network latency.
- Priority: You can assign priorities to your backends when configuring a primary backend to service all traffic. The secondary backend can be a backup in case the primary backend becomes unavailable.
- Weighted: You can assign weights to your backends when you want to distribute traffic across a set of backends evenly or according to the weight coefficients. Traffic is distributed as per weights if the latencies of the backends are within the acceptable latency sensitivity range in the backend pool.
- Session Affinity: You can configure session affinity for your frontend hosts or domains to ensure requests from the same end user get sent to the same backend.
Azure Front Door User Request Flow
Azure Front Door Architecture
Understanding the routing architecture of Azure Front Door is the first step. When client requests are received, Azure Front Door will either respond itself if caching is enabled or, acting as a reverse proxy, send them to the appropriate application backend.
Creating an Azure Front Door Architecture starts with setting up a frontend host, which serves as a global endpoint for the application. Configuring the backend services, such as an app service web application, requires a backend pool. Lastly, routing rules must be established to direct traffic from the frontend host configuration to the backend pool.
In addition, load balancing functions send regular heartbeats to the backend pool to determine the online status of endpoints. If an endpoint is unavailable, alternative endpoints will be used to route the traffic.
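A simplified model of how the routing methods and the health heartbeats described above combine when a backend is chosen. This is an added example, not Azure's own code; the backend names, the numbers and the order of the filters (health, then priority, then latency sensitivity, then weight) are assumptions of the sketch, and session affinity is left out.

```python
import random
from dataclasses import dataclass

@dataclass
class Backend:
    name: str
    priority: int       # 1 = primary; higher numbers are backups (assumption)
    weight: int         # relative share among otherwise equal backends
    latency_ms: float   # measured latency from the edge location
    healthy: bool       # outcome of the latest health probe

def eligible(pool, sensitivity_ms):
    """Backends a request may go to after health, priority and latency filters."""
    up = [b for b in pool if b.healthy]
    if not up:
        return []
    best_priority = min(b.priority for b in up)
    tier = [b for b in up if b.priority == best_priority]
    fastest = min(b.latency_ms for b in tier)
    # Keep every backend whose latency is within the sensitivity range of the fastest.
    return [b for b in tier if b.latency_ms - fastest <= sensitivity_ms]

def pick(pool, sensitivity_ms, rng=random):
    """Weighted choice among the eligible backends."""
    choices = eligible(pool, sensitivity_ms)
    if not choices:
        raise RuntimeError("no healthy backend left in the pool")
    return rng.choices(choices, weights=[b.weight for b in choices], k=1)[0]

# Constructed sample pool; names and numbers are illustrative only.
POOL = [
    Backend("app-eastus", 1, 3, 20.0, True),
    Backend("app-westeu", 1, 1, 35.0, True),
    Backend("app-seasia", 1, 1, 140.0, True),
    Backend("app-backup", 2, 1, 60.0, True),
]

if __name__ == "__main__":
    print([b.name for b in eligible(POOL, 0)])    # strict latency routing
    print([b.name for b in eligible(POOL, 30)])   # 30 ms sensitivity range
    rng = random.Random(7)
    hits = [pick(POOL, 30, rng).name for _ in range(4000)]
    print({n: hits.count(n) for n in sorted(set(hits))})
```

With a sensitivity of 0 only the fastest primary is used; widening the range brings the weights into play, and the backup receives traffic only once every priority-1 backend fails its probe.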
Benefits of Azure Front Door
High-Performance Content Delivery
Azure Front Door leverages Microsoft's globally distributed network of Points of Presence (PoPs) to strategically cache static content closer to users. This geographically optimized approach minimizes latency by delivering content from the nearest PoP, resulting in significantly faster page load times. Additionally, HTTP/2 protocol support and TCP offloading further enhance performance by enabling efficient data transfer and reduced server load.
Layer 7 Load Balancing with Health Probes
Azure Front Door employs intelligent layer 7 load balancing to distribute traffic across a pool of healthy backend servers. This ensures optimal resource utilization and prevents bottlenecks during traffic spikes. Furthermore, customizable health probes actively monitor the health of backend servers, automatically routing traffic away from unhealthy instances to maintain application uptime.
Multi-layered Security with WAF and DDoS Protection
Azure Front Door integrates seamlessly with Azure Web Application Firewall (WAF) to provide comprehensive protection against common web attacks like SQL injection, cross-site scripting (XSS), and Denial-of-Service (DoS). Additionally, Azure Front Door offers Layer 3-4 DDoS protection, mitigating large-scale volumetric attacks that overwhelm infrastructure. This multi-layered approach safeguards your web application from a wide range of security threats.
Advanced Features
Dynamic Site Acceleration (DSA)
Azure Front Door utilizes DSA to optimize the delivery of dynamic content. By intelligently caching frequently accessed dynamic content at the edge, DSA significantly reduces server load and improves response times for dynamic requests.
URL Path-Based Routing and Custom Affinity
Azure Front Door allows for granular control over traffic routing based on specific URL paths. This enables developers to optimize content delivery based on content type or application logic. Additionally, custom session affinity ensures users are directed to the same backend server throughout a session, maintaining the application state for a seamless user experience.
Integration with Azure Private Link
Azure Front Door integrates with Azure Private Link to establish secure private connections between your web application backend and Azure services without traversing the public internet. This enhances security by minimizing exposure to potential threats on the public network.
Comparison of Azure Front Door, Application Gateway, and Azure Load Balancer
Azure Front Door Pricing
Azure Front Door is a secure cloud CDN service that accelerates content delivery while protecting applications, APIs, and websites from cyber threats. It combines features from traditional CDNs, global load balancing, dynamic site acceleration, and security measures, including the Azure Web Application Firewall (WAF) and DDoS protection. Azure Front Door offers pricing in two tiers:
Azure Front Door Standard is optimized for content delivery, providing both static and dynamic content acceleration, global load balancing, SSL offload, domain and certificate management, enhanced traffic analytics, and fundamental security features.
Azure Front Door Premium builds upon the capabilities of Azure Front Door Standard by adding extensive security features. These include Web Application Firewall (WAF), bot protection, support for Azure Private Link, integration with Microsoft Threat Intelligence, and security analytics. Pricing for WAF and Azure Private Link is included in the Azure Front Door Premium offering.
Billing for Azure Front Door Standard and Premium is based on several pricing dimensions, which include:
- Base Fees (a fixed charge calculated on an hourly basis)
- Outbound Data Transfer from the Edge to the Client
- Outbound Data Transfer from the Edge to the Origin
- Incoming Requests from clients to Front Door's edge location
- Free data transfer from an origin located in an Azure data centre to Front Door's edge location.
Base Fees (per month)
| Tier | Price |
| --- | --- |
| Standard | $35 |
| Premium | $330 |
Data Transfer from Edge to Client (per GB)
| Zone | Standard/Premium Pricing (per GB) |
| --- | --- |
| South America (Zone 3) | $0.11 |
| Australia (Zone 4) | $0.112 |
| India (Zone 5) | $0.109 |
| Europe (Zone 6) | $0.083 |
| Middle East and Africa (Zone 7) | $0.11 |
| Korea (Zone 8) | $0.14 |
| US Gov (Zone 9) | $0.104 |
| Zone | Pricing (per GB) |
| --- | --- |
| North America (Zone 1) | $0.02 |
| Asia Pacific (Zone 2) | $0.06 |
| South America (Zone 3) | $0.125 |
| Australia (Zone 4) | $0.08 |
| India (Zone 5) | $0.16 |
| Europe (Zone 6) | $0.02 |
| Middle East and Africa (Zone 7) | $0.06 |
| Korea (Zone 8) | $0.16 |
| US Gov (Zone 9) | $0.025 |
Request Pricing (per 10,000 requests)
| Tier | Zone 1 (North America) | Zone 2 (Asia Pacific) | Zone 3 (South America) | Zone 4 (Australia) | Zone 5 (India) | Zone 6 (Europe) | Zone 7 (Middle East) | Zone 8 (Korea) | Zone 9 (US Gov) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Standard | $0.009 | $0.0108 | $0.0199 | $0.0113 | $0.0108 | $0.009 | $0.0108 | $0.0181 | $0.0113 |
| Premium | $0.015 | $0.0168 | $0.0259 | $0.0173 | $0.0168 | $0.015 | $0.0168 | $0.0241 | $0.0188 |
Azure Front Door (Premium)
| Zone | First 10 TB | Next 40 TB (10-50 TB) | Over 50 TB |
| --- | --- | --- | --- |
| North America (Zone 1) | $0.17 | $0.15 | |
| Asia Pacific (Zone 2) | $0.25 | $0.22 | |
| South America (Zone 3) | $0.50 | $0.426 | |
| Australia (Zone 4) | $0.28 | $0.24 | |
| India (Zone 5) | $0.34 | $0.29 | |
Data Transfer In (from client to edge location)
| Pricing | $0.01 per GB |
Routing Rules
| First 5 Routing Rules | $0.03 per hour |
| Additional Routing Rules | $0.012 per hour |
Frontend Hosts or Custom Domains
| First 100 Domains | Free |
| Additional Domains | $5 per month |
Web Application Firewall (WAF)
WAF pricing is separate based on policy and rule configurations. For more details, refer to the Azure WAF pricing page.
Conclusion
Azure Front Door is an essential solution for businesses aiming to optimize web application performance, improve security, and ensure high availability globally. Whether you're leveraging the Standard or Premium tier, Azure Front Door enables fast content delivery with advanced load balancing and security features like DDoS protection and WAF. By understanding your needs and the available features, you can efficiently utilize Azure Front Door to enhance user experience and secure your applications at scale.