Last updated: May 2026

Azure Front Door

Azure Front Door is Microsoft's global content delivery network (CDN) and intelligent HTTP/HTTPS load balancer. It sits at the edge of Microsoft's global network — routing user requests to the fastest, healthiest backend anywhere in the world. It combines CDN caching, global load balancing, SSL termination, WAF protection, and URL routing into one service.

What you'll learn: What Azure Front Door is and when to use it · Front Door Standard vs Premium tiers · Global load balancing and routing methods · CDN caching · WAF integration · Health probes and failover · Custom domains and HTTPS · Front Door vs Traffic Manager vs Application Gateway

What is Azure Front Door?

Azure Front Door is a global, scalable entry point for web applications. It uses Microsoft's global anycast network — with over 100 edge locations worldwide — to bring your application close to users everywhere. Key capabilities:

  • Global HTTP/HTTPS load balancing — Route to the best backend globally
  • CDN caching — Cache content at edge locations near users
  • SSL offloading — Terminate SSL/TLS at the edge
  • WAF — Protect against web attacks at the global edge
  • URL routing — Path and hostname-based routing
  • Instant failover — Automatically routes around failed backends

Front Door = Global App Gateway + CDN. Think of Front Door as Application Gateway deployed globally with built-in CDN. Where App Gateway handles HTTP traffic within a single region, Front Door handles it across all regions simultaneously.

Front Door Tiers

| Tier | Key Features | Best For |
|---|---|---|
| Standard | CDN, custom domains, SSL, URL routing, health probes | Static content delivery, simple load balancing |
| Premium | Standard + WAF, Private Link integration, advanced security, bot protection | Enterprise web apps, security-sensitive applications |

How Front Door Works

When a user requests your website:

  1. DNS resolves your domain to a Front Door anycast IP
  2. The request is routed to the nearest Front Door edge PoP
  3. Front Door checks if the response is cached — if so, returns it immediately
  4. If not cached, Front Door selects the best backend (lowest latency, healthiest) and proxies the request
  5. The response is cached at the edge for future requests
  6. Front Door returns the response to the user

Because Front Door terminates the connection at the edge (near the user) and maintains a persistent warm connection to the backend, round-trip latency for users worldwide is dramatically reduced.

Routing Methods

Front Door can route traffic across origins (backends) using different methods:

| Method | How It Works | Use When |
|---|---|---|
| Latency (default) | Route to the backend with lowest latency from the edge PoP | Best performance for users |
| Priority | Route to primary backend; failover to secondary if primary fails | Active-passive failover |
| Weighted | Distribute traffic by weight (e.g., 80% to prod, 20% to canary) | Canary releases, blue-green deployments |
| Session affinity | Same user always goes to same backend | Stateful applications |

CDN Caching

Front Door caches static content (images, CSS, JS, HTML) at edge locations. Subsequent requests for the same content are served from the cache — no round-trip to your origin needed.

Caching Rules

  • Configure cache duration per route
  • Cache based on query strings
  • Purge specific paths or all cached content when needed

Cache Hit Ratio

Monitor your cache hit ratio in Front Door metrics. A high cache hit ratio (80%+) means most requests are served from cache — reducing origin load and improving latency.
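
How the query-string caching choice drives the hit ratio, and why ignoring a parameter that changes the response is unsafe, as an added example (not code from this page or from Microsoft). The four behaviour names are the query string caching options of a Front Door route; the cache-key model is a simplification and the request list is constructed sample traffic.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

def cache_key(url, behavior, params=()):
    """Simplified model of the edge cache key for one request URL."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if behavior == "IgnoreQueryString":
        query = []
    elif behavior == "IgnoreSpecifiedQueryStrings":
        query = [(k, v) for k, v in query if k not in params]
    elif behavior == "IncludeSpecifiedQueryStrings":
        query = [(k, v) for k, v in query if k in params]
    elif behavior != "UseQueryString":
        raise ValueError(f"unknown behavior: {behavior}")
    return parts.path + ("?" + urlencode(query) if query else "")

def hit_ratio(urls, behavior, params=()):
    """Replay requests against an empty cache and return hits / total."""
    cached, hits = set(), 0
    for url in urls:
        key = cache_key(url, behavior, params)
        if key in cached:
            hits += 1
        else:
            cached.add(key)  # a miss goes to the origin and fills the cache
    return hits / len(urls)

# Constructed sample traffic: a stylesheet requested with tracking parameters
# and a script whose "v" parameter selects the version that is returned.
REQUESTS = [
    "/css/site.css?utm_source=mail",
    "/css/site.css?utm_source=ads",
    "/css/site.css?utm_source=social",
    "/js/app.js?v=1",
    "/js/app.js?v=1",
    "/js/app.js?v=2",
    "/css/site.css",
    "/js/app.js?v=2&utm_source=mail",
    "/js/app.js?v=1&utm_source=ads",
    "/css/site.css?utm_source=mail",
]

if __name__ == "__main__":
    for behavior, params in [("UseQueryString", ()), ("IgnoreQueryString", ()),
                             ("IgnoreSpecifiedQueryStrings", ("utm_source",)),
                             ("IncludeSpecifiedQueryStrings", ("v",))]:
        print(f"{behavior:30} {hit_ratio(REQUESTS, behavior, params):.0%}")
```

Ignoring the whole query string gives the highest ratio on this sample only because `v=1` and `v=2` collapse into one cache entry, so some users receive the wrong script version; excluding only the tracking parameter keeps the versions apart.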

WAF Integration

Front Door Premium includes a Web Application Firewall at the global edge — protecting all your origins simultaneously. The WAF runs at the edge before traffic reaches your backends — blocking attacks without them ever reaching your servers.

WAF Policy

A WAF policy defines managed rule sets (OWASP) and custom rules. The same WAF policy can be shared across multiple Front Door endpoints — centralised security management.

Health Probes and Failover

Front Door continuously probes origin health. When an origin fails health checks:

  1. Front Door detects the failure within ~30 seconds
  2. Stops routing new requests to the failed origin
  3. Continues routing to healthy origins
  4. Automatically resumes routing to the origin when it recovers

This gives you automatic multi-region failover — if your primary region goes down, Front Door routes to your secondary region automatically, with near-zero downtime for users.
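
The routing methods and the failover steps above combine into one selection decision per request: drop unhealthy origins, keep the best priority, keep the origins within a latency band of the fastest, then split by weight. The following is an added example, not code from this page or from Microsoft; it is a simplified model, and the `Origin` class, `latency_sensitivity_ms` and the sample origins are constructed for illustration (session affinity and the case where every origin is unhealthy are not modelled).

```python
import random
from dataclasses import dataclass

@dataclass
class Origin:
    name: str
    priority: int         # lower number is preferred
    weight: int           # share of traffic among equally good origins
    latency_ms: float     # latency measured from the edge PoP
    healthy: bool = True  # outcome of the health probes

def candidates(origins, latency_sensitivity_ms=0):
    """Healthy origins in the best priority tier, within the latency band."""
    healthy = [o for o in origins if o.healthy]
    if not healthy:
        return []  # not modelled here: behaviour when no origin is healthy
    best = min(o.priority for o in healthy)
    tier = [o for o in healthy if o.priority == best]
    fastest = min(o.latency_ms for o in tier)
    return [o for o in tier if o.latency_ms <= fastest + latency_sensitivity_ms]

def traffic_share(origins, latency_sensitivity_ms=0):
    """Expected fraction of requests each candidate origin receives."""
    pool = candidates(origins, latency_sensitivity_ms)
    total = sum(o.weight for o in pool)
    return {o.name: o.weight / total for o in pool}

def pick(origins, latency_sensitivity_ms=0, rng=random):
    """Choose the origin for one request by weighted random selection."""
    pool = candidates(origins, latency_sensitivity_ms)
    if not pool:
        return None
    return rng.choices(pool, weights=[o.weight for o in pool], k=1)[0]

# Constructed sample: production and canary share priority 1, DR is priority 2.
ORIGINS = [
    Origin("prod-weu", priority=1, weight=80, latency_ms=20),
    Origin("canary-weu", priority=1, weight=20, latency_ms=25),
    Origin("dr-eus", priority=2, weight=100, latency_ms=95),
]

if __name__ == "__main__":
    print("latency only:   ", traffic_share(ORIGINS))
    print("80/20 canary:   ", traffic_share(ORIGINS, latency_sensitivity_ms=10))
    for o in ORIGINS[:2]:
        o.healthy = False  # primary region fails its health probes
    print("after failover: ", traffic_share(ORIGINS, latency_sensitivity_ms=10))
```

With a latency band of 0 the weights never apply because only the fastest origin qualifies; the 80/20 canary split appears only once both priority-1 origins fall inside the band.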

Custom Domains and HTTPS

Front Door provides free managed SSL certificates for custom domains. Setup:

  1. Add your custom domain to Front Door
  2. Create a CNAME in your DNS: www.contoso.com → contoso.azurefd.net
  3. Enable HTTPS — Front Door provisions a managed certificate automatically
  4. Front Door renews the certificate before expiry

Front Door vs Traffic Manager vs App Gateway

| Feature | Front Door | Traffic Manager | App Gateway |
|---|---|---|---|
| OSI Layer | Layer 7 | DNS (Layer 3/4) | Layer 7 |
| Scope | Global | Global | Regional |
| Protocol | HTTP/HTTPS | Any | HTTP/HTTPS |
| CDN | ✅ Yes | ❌ No | ❌ No |
| SSL termination | ✅ Yes | ❌ No | ✅ Yes |
| WAF | ✅ Yes (Premium) | ❌ No | ✅ Yes (WAF SKU) |
| URL routing | ✅ Yes | ❌ No | ✅ Yes |
| Failover speed | Fast (~seconds) | Slow (~DNS TTL) | Fast |

AZ-104 Exam Tip: Know that Front Door is global (Traffic Manager is also global, App Gateway is regional). Know Front Door supports CDN, WAF, SSL offloading, and URL routing. Know Front Door uses anycast so users connect to the nearest edge PoP. Know the difference between Front Door and Traffic Manager — Front Door is a Layer 7 proxy; Traffic Manager is DNS-based only.

Practice Questions

AZ-104 style questions.

Q1. What makes Azure Front Door "global" compared to Application Gateway?
  A. Front Door supports more protocols than Application Gateway
  B. Front Door operates from 100+ edge locations worldwide; Application Gateway is deployed in one region
  C. Front Door includes WAF; Application Gateway does not
  D. Front Door supports custom domains; Application Gateway does not

Q2. A company wants to route 80% of traffic to production backends and 20% to a canary release. Which Front Door routing method should they use?
  A. Latency routing
  B. Priority routing
  C. Weighted routing
  D. Session affinity routing

Q3. How does Azure Front Door provide automatic failover when a backend region fails?
  A. Administrators must manually update DNS records to point to the secondary region
  B. Health probes detect failure automatically and Front Door routes to healthy backends within ~30 seconds
  C. After a 5-minute timeout, Azure automatically redirects traffic
  D. Users must reconnect — Front Door cannot redirect existing connections

Q4. Which Azure Front Door tier includes Web Application Firewall (WAF) and Private Link integration?
  A. Standard tier
  B. Premium tier
  C. Enterprise tier
  D. Both Standard and Premium tiers

Q5. What is the key difference between Azure Front Door and Azure Traffic Manager?
  A. Front Door is regional; Traffic Manager is global
  B. Front Door is a Layer 7 HTTP proxy with CDN and WAF; Traffic Manager is DNS-based routing only
  C. Front Door only supports HTTPS; Traffic Manager supports all protocols
  D. Front Door does not support failover; Traffic Manager does

Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.