Azure Front Door Best Practices

Anoop Srivastava
4 min read · Sep 30, 2022


These are some of the best practices that I incorporate into my Azure Front Door implementation designs and architectures.

1). Use either Azure Traffic Manager or Azure Front Door

Use either Azure Traffic Manager or Azure Front Door, but avoid using both. The two services are designed to address different use cases, so combining them is unlikely to increase the resiliency or performance of your solution. And if health probes are configured on both services, the combined probe traffic can overload your origins.

So when do we use Azure Traffic Manager, and when do we use Azure Front Door?

In practice: if you need content caching and delivery (CDN), TLS termination, advanced routing capabilities, or a web application firewall (WAF), use Front Door. If the use case only requires simple global load balancing with direct connections from the client to your endpoints, use Traffic Manager. The difference is architectural: Traffic Manager is DNS-based and only answers name lookups, so client traffic goes straight to your endpoint, whereas Front Door is a reverse proxy that terminates the client connection at its edge and opens its own connection to the origin.

So the best practice is to pick one of the two architectures, not both:

Figure: Azure Front Door architecture

OR

Figure: Azure Traffic Manager architecture

2). Use end-to-end TLS

Front Door terminates TCP and TLS connections from clients. It then establishes new connections from each point of presence (PoP) to the origin. It is good practice to secure each of these connections with TLS, even for origins that are hosted in Azure. This approach ensures that your data is always encrypted in transit. Concretely: set the route's forwarding protocol to HTTPS only, point the origin at its HTTPS port, and keep the certificate subject name check enabled so that a mismatched or spoofed origin certificate fails the connection instead of being silently accepted. The workflow for end-to-end TLS with Azure Front Door looks like this:

Figure: end-to-end TLS workflow

3). Use HTTP to HTTPS redirection

Use HTTPS for clients to connect to your service instead of HTTP. Sometimes you still need to accept HTTP requests, to allow for older clients or clients that do not follow the best practice.

You can configure Front Door to automatically redirect HTTP requests to HTTPS: enable the "Redirect all traffic to use HTTPS" setting on your route. A redirect only helps clients that start with a plaintext request, so pair it with an HSTS header from your application so that returning browsers never make the HTTP request at all.

Figure: HTTP to HTTPS redirection with Front Door

4). Use Front Door managed TLS certificates

When Front Door manages your TLS certificates, it reduces your operational cost and helps you avoid costly outages caused by forgetting to renew a certificate. Front Door automatically issues and rotates managed TLS certificates for your custom domains. Automatic renewal depends on the custom domain staying validated, so keep the DNS records that point the domain at Front Door in place, and set the domain's minimum TLS version to 1.2.

5). Enable Azure WAF on Azure Front Door

For internet-facing applications, enable the Front Door web application firewall (WAF) and configure it to use managed rules. With Microsoft-managed rules (the Default Rule Set, which is derived from the OWASP Core Rule Set, plus the Bot Manager rule set) your application is protected from a range of common attacks. Start the policy in Detection mode, review the WAF logs for false positives, and then switch it to Prevention mode. Note that the WAF only inspects requests that actually pass through Front Door; if the origin is reachable directly from the internet, an attacker can bypass it, so lock the origin down to Front Door (see item 7).

Figure: enabling WAF on Azure Front Door

6). Use health probes in Azure Front Door

Front Door's health probes are designed to detect situations where an origin is unavailable or unhealthy. When a health probe detects a problem with an origin, Front Door can be configured to send traffic to another origin in the origin group. Probes are sent from every PoP, so point them at a lightweight endpoint, prefer HEAD over GET, and keep the interval reasonable.

Note: if you only have a single origin, Front Door always routes traffic to that origin even if its health probe reports an unhealthy status; the probe result does not change Front Door's behavior. In this scenario health probes provide no benefit, and you should disable them to reduce the traffic on your origin.

Figure: health probes in Azure Front Door

7). Incorporate Private Endpoint with Azure Front Door

A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that is powered by Azure Private Link. By enabling a private endpoint, you bring the service into your virtual network.

The service could be an Azure service such as:

  • Azure Storage
  • Azure Cosmos DB
  • Azure SQL Database

Front Door Premium can use Private Link to reach its origins (for example an App Service or a storage account) over this private path, so the origin no longer needs a public endpoint and cannot be reached except through Front Door, which closes the WAF-bypass gap from item 5. This requires the Premium SKU, and the private endpoint connection that Front Door creates must be approved on the origin side before traffic flows.

Figure: private endpoint with Azure Front Door
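The following Bicep template is an added example, not part of the original post or of any Microsoft sample; it shows items 2 to 7 above expressed as one Front Door Premium profile. The profile, endpoint, domain and origin names, the origin host name, the /healthz probe path and the `originWebAppId` parameter (the resource ID of an App Service used as the origin) are assumptions; replace them with your own values.

```bicep
// Added example (not from the original post). All names and host names below are placeholders.
@description('Resource ID of the App Service used as the origin (assumed).')
param originWebAppId string
param originHostName string = 'app-contoso.azurewebsites.net' // assumed
param customDomainName string = 'www.contoso.com'              // assumed
param originRegion string = 'eastus'                           // assumed

resource profile 'Microsoft.Cdn/profiles@2023-05-01' = {
  name: 'afd-contoso'
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' } // Premium is required for Private Link origins (item 7)
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
  parent: profile
  name: 'afd-contoso-endpoint'
  location: 'global'
  properties: { enabledState: 'Enabled' }
}

// Item 4: Front Door managed certificate on the custom domain, TLS 1.2 minimum.
resource domain 'Microsoft.Cdn/profiles/customDomains@2023-05-01' = {
  parent: profile
  name: replace(customDomainName, '.', '-')
  properties: {
    hostName: customDomainName
    tlsSettings: { certificateType: 'ManagedCertificate', minimumTlsVersion: 'TLS12' }
  }
}

// Item 6: origin group with an HTTPS HEAD probe (only meaningful with more than one origin).
resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: profile
  name: 'og-web'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3, additionalLatencyInMilliseconds: 50 }
    healthProbeSettings: {
      probePath: '/healthz' // assumed lightweight endpoint on the origin
      probeRequestType: 'HEAD'
      probeProtocol: 'Https'
      probeIntervalInSeconds: 100
    }
  }
}

// Items 2 and 7: origin reached over Private Link, origin certificate name check enforced.
resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: originGroup
  name: 'origin-webapp'
  properties: {
    hostName: originHostName
    originHostHeader: originHostName
    httpPort: 80
    httpsPort: 443
    priority: 1
    weight: 1000
    enabledState: 'Enabled'
    enforceCertificateNameCheck: true
    sharedPrivateLinkResource: {
      privateLink: { id: originWebAppId }
      groupId: 'sites' // Private Link sub-resource name for App Service
      privateLinkLocation: originRegion
      requestMessage: 'Front Door origin connection'
    }
  }
}

// Items 2 and 3: accept HTTP only to redirect it; always forward to the origin over HTTPS.
resource route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
  parent: endpoint
  name: 'route-default'
  dependsOn: [ origin ]
  properties: {
    originGroup: { id: originGroup.id }
    customDomains: [ { id: domain.id } ]
    supportedProtocols: [ 'Http', 'Https' ]
    patternsToMatch: [ '/*' ]
    httpsRedirect: 'Enabled'
    forwardingProtocol: 'HttpsOnly'
    linkToDefaultDomain: 'Enabled'
    enabledState: 'Enabled'
  }
}

// Item 5: WAF policy with Microsoft-managed rules, associated with the endpoint and domain.
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wafcontoso' // WAF policy names allow letters and digits only
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: { enabledState: 'Enabled', mode: 'Prevention', requestBodyCheck: 'Enabled' }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'Microsoft_DefaultRuleSet', ruleSetVersion: '2.1', ruleSetAction: 'Block' }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
    }
  }
}

resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2023-05-01' = {
  parent: profile
  name: 'waf-link'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: { id: waf.id }
      associations: [ { domains: [ { id: endpoint.id }, { id: domain.id } ], patternsToMatch: [ '/*' ] } ]
    }
  }
}
```

After deploying, approve the pending private endpoint connection on the App Service, and add the DNS records that validate the custom domain and point it at the Front Door endpoint; the managed certificate is only issued once validation succeeds. If you roll this out to an existing application, start the WAF policy with `mode: 'Detection'` and move to `'Prevention'` after reviewing the logs.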

And that's it!

These are some of the things that will make your Front Door implementation secure, available and robust.