Azure Front Door

Azure Front Door is Microsoft's global CDN and load balancer service. It leverages Points of Presence (PoPs) distributed worldwide to provide fast delivery, high availability, and security for web applications.

Overview

Azure Front Door integrates the following capabilities:

Global Load Balancing: Distributes traffic across multiple regions
CDN (Content Delivery Network): Edge caching of static content
SSL/TLS Termination: HTTPS processing at the edge to reduce backend load
WAF (Web Application Firewall): Threat detection and blocking at the edge
Path-Based Routing: Routes traffic to backends based on URL path
Health Probes: Backend health monitoring and automatic failover

Standard vs Premium

Azure Front Door offers two tiers: Standard and Premium.

Feature Comparison

Feature	Standard	Premium
CDN & Caching	✅	✅
Global Load Balancing	✅	✅
SSL/TLS Termination	✅	✅
Custom Domains	✅	✅
Path-Based Routing	✅	✅
WebSocket Support	✅	✅
WAF (Managed Ruleset)	✅ Microsoft Default Ruleset	✅ Microsoft Default Ruleset + Bot Manager
WAF (Custom Rules)	✅ Basic custom rules	✅ Full features
WAF (Rate Limiting)	✅	✅
WAF (Bot Manager)	❌	✅
WAF (Anomaly Scoring)	❌	✅
Private Link Origin	❌	✅
Microsoft Threat Intelligence	❌	✅
Security Reporting	Basic	Detailed (WAF Dashboard)
SLA	99.99%	99.99%

Cost Comparison

※ Prices are subject to change. Always refer to the Azure pricing page for the latest information.

Main Cost Components

Cost Item	Standard	Premium
Base fee (monthly)	~$35	~$330
Data transfer (egress)	Tiered pricing by bandwidth	Tiered pricing (slightly higher)
Request fees	HTTP/HTTPS request count	HTTP/HTTPS request count
WAF policy	Included (basic features)	Included (full features)
Private Link origins	Not supported	Additional cost per connection

Cost Selection Guidelines

Standard is sufficient when: General websites, requirements met by managed ruleset + custom rules only, bot protection not needed for internal systems
Premium is required when: Bot protection is critical (finance, e-commerce), need to keep backends private (Private Link), or need advanced security analytics and reporting

Note: Premium costs approximately 10x more than Standard in base fees. Analyze your WAF policy complexity and protection requirements before selecting.

WAF Details

What You Can Do with WAF Standard

Standard tier provides essential WAF capabilities.

✅ Available Features

1. Microsoft Default Ruleset (DRS)

OWASP CRS-based managed ruleset
Automatically blocks common attacks: SQL injection, XSS, LFI/RFI, etc.
Regularly updated and maintained by Microsoft

Covered Attack Types:
- SQL Injection
- Cross-Site Scripting (XSS)
- Local/Remote File Inclusion (LFI/RFI)
- Command Injection
- Protocol Violations

2. Custom Rules (Basic)

Allow/deny lists based on source IP addresses
Condition matching on HTTP headers, query parameters, and request body
Geographic blocking (GeoMatch conditions)
Rate limiting rules

// Example: Block specific IP range
{
  "name": "BlockSpecificIP",
  "priority": 100,
  "ruleType": "MatchRule",
  "action": "Block",
  "matchConditions": [
    {
      "matchVariables": [{ "variableName": "RemoteAddr" }],
      "operator": "IPMatch",
      "matchValues": ["203.0.113.0/24"]
    }
  ]
}

3. Rate Limiting

Limits request counts based on specific conditions (IP, path, etc.)
Can be used for DDoS mitigation (though large-scale DDoS requires Azure DDoS Protection)

4. Detection Mode / Prevention Mode

Detection Mode: Matches rules but only logs without blocking (useful for initial deployment and tuning)
Prevention Mode: Blocks requests that match rules

❌ Features NOT Available in Standard

Bot Manager Ruleset: Automatic identification and blocking of malicious bots and scanners
Anomaly Scoring Mode: Evaluates multiple rule matches using a cumulative score (reduces false positives)
Microsoft Threat Intelligence Integration: Real-time matching against known malicious IPs
Detailed WAF Dashboard: Security event visualization and analysis reports

What You Can Do with WAF Premium

Premium tier includes all Standard features plus the following:

Bot Manager Ruleset

Microsoft-managed Bot identification ruleset.

Bot Category	Description	Default Action
Verified good bots	Googlebot, Bingbot, etc.	Allow
Unverified good bots	General crawlers	Log
Malicious bots	Scanners, attack tools	Block
Unknown bots	Uncategorized	Log

Bot Manager automatically blocks malicious bots without impacting SEO crawlers.

Anomaly Scoring Mode

Uses the OWASP CRS anomaly scoring model. Each rule is assigned a severity score, and a request is only blocked when the cumulative score exceeds the threshold.

Minor violation:    +1 point
Moderate violation: +2 points
Critical violation: +5 points
Default threshold:  Block at 5+ points

This reduces false positives from single rule matches and improves accuracy in blocking actual attacks.

Microsoft Threat Intelligence Integration

Provides real-time matching and blocking against known malicious IP addresses and URLs collected by Microsoft's security teams.

Private Link Origin Connection (Premium Only)

Keeps backends (App Service, Azure Kubernetes Service, etc.) private from the internet while allowing access only through Front Door.

This allows you to completely block direct internet access to your App Service or AKS backend while enabling secure access only through Front Door.

Front Door vs Application Gateway

Azure Application Gateway and Azure Front Door are both Layer 7 (HTTP/HTTPS) load balancers, but they are designed with different goals.

Service Comparison

Item	Azure Front Door	Azure Application Gateway
Scope	Global (multi-region)	Regional (single region)
Deployment	PaaS service (managed)	Deployed inside VNet
CDN	✅ Integrated	❌ None
SSL/TLS Termination	Edge (global PoPs)	Regional within VNet
Backend Target	Via internet or Private Link	Inside VNet or public endpoints
WAF	✅ Integrated (Standard/Premium)	✅ Integrated (WAF_v2 SKU)
Cookie Affinity (Sticky Sessions)	Limited	✅ Comprehensive
URL Rewrite	✅	✅
Custom Error Pages	✅	✅
WebSocket	✅	✅
gRPC	❌	✅
mTLS (Client Certificate Auth)	❌	✅
VNet Private Traffic	Premium (Private Link)	✅ Native
Cost Trend	Standard: low, Premium: high	Depends on SKU and capacity

Decision Criteria

When to Choose Azure Front Door

Global applications: Low-latency delivery to users worldwide
Multi-region availability: Automatic failover to backends in multiple regions
CDN integration: Edge-cache and deliver static content
Edge WAF: Block threats closest to the user
Global SSL termination: Terminate HTTPS at edge PoPs worldwide to reduce backend load

When to Choose Application Gateway

VNet-internal routing: All traffic must stay within the VNet
mTLS: Client certificate authentication required
gRPC backends: Microservices using the gRPC protocol
Advanced session management: Legacy apps requiring cookie-based session affinity
Single-region web apps: Internal systems that don't need global distribution

Combining Front Door + Application Gateway

Large enterprises may combine both services.

Benefits of this combination:

Front Door blocks global threats at the edge
Application Gateway provides fine-grained regional routing control
Backends can be completely isolated within the VNet

However, costs increase significantly, so carefully evaluate your requirements before adopting this approach.

Best Practices

1. Start WAF in Detection Mode

When introducing WAF in a production environment, always start in Detection Mode and switch to Prevention Mode after analyzing logs.

Steps:
Configure WAF policy in Detection Mode
Collect logs for 1-2 weeks (Azure Monitor / Log Analytics)
Identify false positives (legitimate requests being flagged)
Add false positive rules to the exclusion list
Switch to Prevention Mode

2. Managed Ruleset Version Management

The DRS (Microsoft Default Ruleset) is updated periodically.

When a new version is released, evaluate it in Detection Mode first before applying
For critical applications, consider disabling auto-upgrade for DRS and managing versions manually

3. Custom Rule Priority Design

Custom rules are evaluated before the managed ruleset. Priority design is critical.

Recommended Priority Design:
1-99:    IP allowlist (allow trusted IPs first)
100-199: Geographic blocking
200-299: Rate limiting
300+:    IP blocklist and other blocking rules

4. Protect Backends with Private Link (Premium)

When using Premium tier, configure Private Link for your App Service or AKS backend to block direct internet access.

// Disable public access on App Service (Bicep example)
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-myapp-prod'
  location: resourceGroup().location
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}

5. Configure Health Probes Properly

Provide a dedicated lightweight endpoint for backend health probes.

Recommended Settings:
- Probe path: /health or /healthz
- Protocol: HTTPS
- Interval: 30-60 seconds
- Probe method: HEAD (lower load than GET)

6. Configure Caching Appropriately

Aggressively cache static resources, but disable caching for API endpoints.

Static content (CSS, JS, images):
- Enable caching
- Cache duration: 1 day to 1 week
- Set Cache-Control headers explicitly

APIs and dynamic content:
- Disable caching
- Set Cache-Control: no-store

7. Combine with DDoS Protection

Azure Front Door's WAF rate limiting has limits against large-scale DDoS. For critical services, consider combining with Azure DDoS Protection.

Recommended Architecture:
- Azure DDoS Protection Standard: Large-scale L3/L4 network attack protection
- Azure Front Door WAF: L7 application layer attack protection

8. Configure Logging and Monitoring

Always send WAF logs to Azure Monitor / Log Analytics and set up alerts.

// KQL query to aggregate requests blocked by WAF
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize count() by ruleName_s, clientIP_s
| order by count_ desc
| take 20

Summary

Aspect	Standard	Premium
Cost	Low (~$35+/month)	High (~$330+/month)
WAF Features	Managed ruleset + custom rules	Adds Bot Manager and threat intelligence
Backend Protection	Internet access only	Private Link for private connectivity
Best Suited For	General websites and APIs	High-security requirements (finance, e-commerce)

Choose Azure Front Door when you need global delivery, CDN, and edge WAF
Choose Application Gateway when you need VNet-internal routing, mTLS, or gRPC
Always start WAF in Detection Mode, tune it, then switch to Prevention Mode
Justifying Premium's higher cost depends on using Bot Manager or Private Link

Overview​

Standard vs Premium​

Feature Comparison​

Cost Comparison​

Main Cost Components​

Cost Selection Guidelines​

WAF Details​

What You Can Do with WAF Standard​

✅ Available Features​

❌ Features NOT Available in Standard​

What You Can Do with WAF Premium​

Bot Manager Ruleset​

Anomaly Scoring Mode​

Microsoft Threat Intelligence Integration​

Private Link Origin Connection (Premium Only)​

Front Door vs Application Gateway​

Service Comparison​

Decision Criteria​

When to Choose Azure Front Door​

When to Choose Application Gateway​

Combining Front Door + Application Gateway​

Best Practices​

1. Start WAF in Detection Mode​

2. Managed Ruleset Version Management​

3. Custom Rule Priority Design​

4. Protect Backends with Private Link (Premium)​

5. Configure Health Probes Properly​

6. Configure Caching Appropriately​

7. Combine with DDoS Protection​

8. Configure Logging and Monitoring​

Summary​