Azure Front Door: Global Delivery
Master Azure Front Door for global HTTP load balancing β Standard vs Premium tiers, caching, Private Link origins, rules engine, and comparison with Application Gateway.
Azure Front Door: Global Delivery
Azure Front Door is a global Layer 7 load balancer with CDN, WAF, and acceleration built in. It uses Microsoftβs global edge network (200+ PoPs) to deliver content with the lowest latency.
Front Door is your global receptionist β users worldwide connect to the nearest edge location (118+ globally), and Front Door routes their request to the best backend using Microsoftβs private backbone. It combines global load balancing, CDN caching, and WAF in one service.
Front Door Tiers
| Feature | Standard | Premium |
|---|---|---|
| CDN / Caching | Yes | Yes |
| Custom domains + TLS | Yes | Yes |
| WAF β Custom rules | Yes | Yes |
| WAF β Managed rules (DRS) | No | Yes |
| WAF β Bot protection | No | Yes |
| Private Link origins | No | Yes β connect to origins without public IPs |
| Enhanced analytics | Basic reports | Advanced analytics + WAF logs |
| Origin health probes | Yes | Yes |
| Rules engine | Yes | Yes |
| DDoS protection | Built-in | Built-in + enhanced |
Exam Tip: The two Premium-only features the exam loves to test: managed WAF rules (DRS) and Private Link origins. If a question mentions connecting to a backend without a public IP through Front Door, the answer is Premium with Private Link.
Front Door Components
| Component | Purpose |
|---|---|
| Endpoint | The Front Door hostname clients connect to (e.g., myapp.azurefd.net or custom domain) |
| Route | Maps incoming URL patterns to an origin group. Includes protocol, caching, and rule set configuration. |
| Origin group | A set of origins that serve the same content. Load balancing and health probes are configured here. |
| Origin | The actual backend β App Service, Storage, VM public IP, custom hostname. Each origin has a priority and weight. |
| Rule set | Rules engine for modifying requests/responses (redirects, header rewrites, URL rewrites). |
Traffic flow:
Client β Edge PoP β Endpoint β Route (matches URL pattern)
β Origin Group (selects healthiest/fastest origin)
β Origin (your backend server)Caching and Acceleration
Front Door provides CDN capabilities built in:
- Caching: Static content is cached at edge PoPs. Configure caching per route β cache based on query string, headers, or full URL.
- Connection pooling: Front Door maintains persistent connections to origins, reducing latency.
- Split TCP: Client connects to the nearest edge PoP (fast). Edge PoP connects to origin over optimised Microsoft backbone (fast). This dramatically reduces cold-start latency.
Private Link Origins (Premium Only)
βοΈ Elenaβs scenario: Skyline Logistics wants to use Front Door for global delivery but doesnβt want their origin servers to have public IP addresses.
With Private Link origins:
- Front Door Premium connects to the origin through a private endpoint
- The origin doesnβt need a public IP β no internet exposure
- Supported origins: App Service, Storage, Internal Load Balancer, any Private Link service
This is powerful for security β your backend is completely private, and Front Door is the only entry point.
Rules Engine β Customising Traffic
The rules engine lets you modify requests and responses as they pass through Front Door:
Common rules:
- URL redirect: HTTP to HTTPS, www to non-www
- URL rewrite: Change the URL path before forwarding to origin (e.g., /v2/api/* to /api/*)
- Header modification: Add, remove, or overwrite request/response headers
- Cache override: Force caching or bypass for specific paths
- Route override: Send matching traffic to a different origin group
Conditions you can match:
- URL path, query string, HTTP method
- Request headers (Host, User-Agent, custom)
- Client IP address, geo-location
- Protocol (HTTP/HTTPS)
Rules are processed in order within a rule set. Multiple rule sets can be associated with a route.
Front Door vs Application Gateway
| Feature | Application Gateway | Azure Front Door |
|---|---|---|
| Scope | Regional | Global (200+ edge PoPs) |
| CDN/Caching | No | Yes β built-in |
| WAF | Yes (regional) | Yes (global edge) |
| Private Link origins | No | Yes (Premium) |
| Layer | Layer 7 (HTTP/HTTPS) | Layer 7 (HTTP/HTTPS) |
| Path routing | Yes | Yes |
| TLS termination | Yes | Yes |
| WebSocket | Yes | Yes |
| Best for | Regional web apps, internal apps | Global web apps, CDN, global WAF |
| Common pattern | Backend for Front Door | Frontend global entry point |
Common combination: Front Door (global entry) β Application Gateway (regional, with WAF) β Backend VMs. Front Door handles global distribution and caching, AG handles regional routing and additional WAF rules.
Key Takeaways
- Front Door is global Layer 7; Application Gateway is regional Layer 7
- Premium adds managed WAF rules, bot protection, and Private Link origins
- CDN caching and split TCP acceleration are built in
- Private Link origins keep backends completely private
- Front Door + Application Gateway is a common enterprise pattern
Test Your Knowledge
Elena needs global CDN with WAF managed rules and backend servers that have no public IPs. Which Front Door tier does she need?
What is the typical enterprise pattern for using Front Door with Application Gateway?
Next up: Choosing the Right Load Balancer β The decision guide for picking between LB, Traffic Manager, Application Gateway, and Front Door.