Chapter 9 of 12

Book 01 — Azure Networking Deep Dive

Azure Front Door and CDN

Azure Front Door is Microsoft's global anycast HTTP(S) load balancer and CDN that operates from 200+ PoPs on the Microsoft global network. It provides TLS termination at the edge, sub-second origin failover, WAF inspection, and — at the Premium SKU — Private Link origins that keep backend services off the public internet.

Front Door Overview

SKU Comparison

CapabilityStandardPremium
Global anycast routingYesYes
CDN cachingYesYes
WAFBasic (custom rules)Managed (DRS 2.1 + Bot Protection)
Private Link originNoYes
Security analyticsNoYes
Pricing basisPer GB + requestsPer GB + requests (higher)

Tip

Use Standard for global CDN and routing. Use Premium when origins must remain private (no public endpoint), or when bot protection and security analytics are required for compliance.

Anycast and Global Routing

Front Door uses anycast: all Front Door IP addresses are simultaneously advertised from every PoP. When a client resolves the Front Door FQDN, BGP routes the DNS response to the geographically nearest PoP. The client's TLS handshake completes at that PoP — minimising RTT — and traffic travels over the Microsoft backbone to the origin.

Front Door anycast architecture. EU client connects to Amsterdam PoP. NA client connects to Virginia PoP. APAC client connects to Singapore PoP. All PoPs share the same anycast IP and route traffic over the Microsoft backbone to the shared origin.
Figure 9.1 — Front Door anycast: each region's client connects to the nearest PoP; Microsoft backbone carries traffic to origin

Routing Methods

MethodBehaviourUse Case
LatencySends to lowest-latency origin (measured by health probe)Default; best for active-active multi-region
PriorityPrimary origin handles all traffic; secondary if primary failsActive-passive DR
WeightedSplits traffic by weight (e.g. 90/10 blue-green)Canary releases, gradual migration
Session AffinityRoutes repeat clients to same originStateful applications (shopping carts)

Configuration: Endpoint, Origins, Route

bash
# Create Front Door Premium profile
az afd profile create \
  --profile-name afd-web --resource-group rg-app \
  --sku Premium_AzureFrontDoor

az afd endpoint create \
  --endpoint-name ep-web \
  --profile-name afd-web --resource-group rg-app

az afd origin-group create \
  --origin-group-name og-web \
  --profile-name afd-web --resource-group rg-app \
  --probe-request-type HEAD \
  --probe-protocol Https --probe-path /health \
  --probe-interval-in-seconds 30 \
  --sample-size 4 --successful-samples-required 3

az afd origin create \
  --origin-name origin-appservice \
  --profile-name afd-web --resource-group rg-app \
  --origin-group-name og-web \
  --host-name myapp.azurewebsites.net \
  --origin-host-header myapp.azurewebsites.net \
  --priority 1 --weight 1000 --https-port 443

az afd route create \
  --route-name route-web \
  --endpoint-name ep-web \
  --profile-name afd-web --resource-group rg-app \
  --origin-group og-web \
  --https-redirect Enabled \
  --supported-protocols Http Https \
  --patterns-to-match "/*"

With Premium SKU, Front Door connects to origins via Private Link — the origin's public endpoint can be disabled entirely. Traffic from the PoP travels the Microsoft backbone and arrives via a Private Endpoint NIC in the origin VNet. The origin resource (App Service, Internal LB, AKS Ingress) must approve the connection.

Front Door Premium Private Link origin. Internet traffic arrives at PoP, WAF inspects, traffic travels Microsoft backbone to Private Endpoint in origin VNet. Origin has no public endpoint. Contrasted with Standard SKU which requires public endpoint.
Figure 9.2 — Premium: Private Link origin eliminates public exposure; origin approves the connection
bash
# Origin with Private Link (Premium only)
az afd origin create \
  --origin-name origin-private \
  --profile-name afd-web --resource-group rg-app \
  --origin-group-name og-web \
  --host-name myapp.azurewebsites.net \
  --origin-host-header myapp.azurewebsites.net \
  --enable-private-link true \
  --private-link-resource "/subscriptions/<sub>/.../sites/myapp" \
  --private-link-sub-resource-type sites \
  --private-link-request-message "Front Door origin"

Note

After creating the origin, navigate to the origin resource's Private endpoint connections blade and approve the connection. Front Door health probes will remain unhealthy until the Private Endpoint is approved.

WAF at the Edge

bash
# WAF Policy with Microsoft Default Rule Set
az network front-door waf-policy create \
  --name wafpol-fd --resource-group rg-app \
  --sku Premium_AzureFrontDoor --mode Prevention

az network front-door waf-policy managed-rules add \
  --policy-name wafpol-fd --resource-group rg-app \
  --type Microsoft_DefaultRuleSet --version 2.1

az afd security-policy create \
  --security-policy-name sec-pol-web \
  --profile-name afd-web --resource-group rg-app \
  --waf-policy ".../wafpol-fd" \
  --domains ep-web.z01.azurefd.net

Caching and CDN

Front Door caches at edge PoPs based on Cache-Control headers from the origin. Static assets (JS, CSS, images) should return Cache-Control: max-age=86400. Dynamic API routes should use a separate origin group with caching disabled, or return Cache-Control: no-store.

Lab: Front Door Standard Deployment

1

Front Door Standard with App Service Origin (CE-21)

bash
# CE-21: Front Door Standard + App Service origin
RG="rg-lab-ch09"; LOC="eastus2"
az group create --name "$RG" --location "$LOC"

az appservice plan create --name plan-lab \
  --resource-group "$RG" --sku B1 --location "$LOC"

APP_NAME="lab-origin-$RANDOM"
az webapp create --name "$APP_NAME" \
  --resource-group "$RG" --plan plan-lab

az afd profile create \
  --profile-name afd-lab --resource-group "$RG" \
  --sku Standard_AzureFrontDoor

az afd endpoint create \
  --endpoint-name ep-lab \
  --profile-name afd-lab --resource-group "$RG"

# Clean up
az group delete --name "$RG" --yes --no-wait

Summary

ConceptKey Fact
AnycastDNS resolves to nearest PoP; TLS terminated at the edge
Standard vs PremiumPremium adds Private Link origin + managed WAF + bot protection
Private Link originOrigin approves connection; no public endpoint needed
WAF at edgeBlocks attacks before they reach origin, reduces origin load
Routing: LatencyDefault; sends to lowest-latency origin per health probe
Routing: PriorityActive-passive DR; secondary if primary health fails
CachingControlled by Cache-Control; disable for dynamic API routes

Chapter 10 covers Network Security — NSG rule evaluation, Azure Firewall with Firewall Policy, and DDoS Protection tiers.


Chapter: 9 of 12  |  Status: v0.1 Draft  |