Choosing between Azure Front Door and Azure Application Gateway

Narayn Manoharan
6 min read · Jul 24, 2023

In this blog I will share the insights I gained from using two Azure services that are similar in nature, Azure Front Door and Azure Application Gateway, and the lessons I have learned. While these services can be used together in certain scenarios, typically you will opt for one or the other. Selecting the option that best suits your requirements can save significant effort and operational expense. This is not an exhaustive comparison of the two services; I will focus only on the key aspects that most influence the decision.

The Basics

Azure Front Door and Azure Application Gateway are similar services that offer load balancing and traffic management capabilities. While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a global service whereas Application Gateway is a regional service. Front Door is also a Content Delivery Network (CDN) platform designed for global traffic management and acceleration while Application Gateway is primarily focused on application-level routing and load balancing within a specific region or virtual network.

Use Case and Options

In this section, let’s explore a common use case for which either Front Door or Application Gateway can be deployed. The use case entails the following requirements:

· Securely publish a Web Application

· Disaster Recovery across two geographical regions

· Blue-Green deployment model within a region

· Automatic failover of user traffic to the application

· WAF (Web Application Firewall) inspection for inbound traffic

For the given use case, I will present two options, both of which fulfill the above requirements. The first option will exclusively rely on Azure Front Door. On the other hand, the second option will utilize Azure Application Gateway in combination with Traffic Manager for global load balancing and failover to provide the same set of functionalities.

Option 1 — Azure Front Door

Option 2 — Application Gateway in combination with Traffic Manager

A quick glance at the diagrams above shows that Option 2 is more complex and needs additional resources, while Option 1 is significantly simpler and relies on fewer resources, which makes it cheaper and easier to manage.

Option 1 appears to be the obvious choice because of its simplicity and resource efficiency. However, once you look at the more advanced capabilities and characteristics of Azure Application Gateway and Azure Front Door, the decision between the two options becomes less straightforward. The next sections cover the key features that can influence the final choice.

Benefits of Option 1 — Why should you choose Azure Front Door?

Azure Front Door offers certain advantages over Azure Application Gateway, particularly in the following key areas:

Cost Savings and Efficiency

Fewer instances are needed: for the above use case, only one Front Door instance is required against three Application Gateway instances. The cost per instance of Azure Front Door Premium and Azure Application Gateway is similar (approx. £260 per instance per month), meaning savings of at least £520 per month (excluding further savings from Traffic Manager) for this particular use case.

Faster Failovers

Azure Front Door boasts a distinct advantage over DNS-based solutions, such as Azure Traffic Manager. In Option 2, where Traffic Manager is utilized in combination with Application Gateway, updates are reliant on the DNS infrastructure, which can lead to potential delays due to waiting for the Time-To-Live (TTL) values to expire. This can result in slower response times when redirecting traffic during failover scenarios.

By leveraging Azure Front Door’s direct, non-DNS-based approach to traffic routing and failover, Option 1 presents a more efficient and rapid solution for ensuring high availability and minimizing downtime in the face of regional disruptions.
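To make the failover window concrete, the following Go program is an added example (not code from the original post, nor from Azure) that models the two routing mechanisms described above: a DNS-based balancer whose answer clients cache for the record TTL, and a proxying balancer that routes every request from its own health view. The region names `uk-south` and `uk-west`, the timings, and the function names are constructed for the illustration; the model has one client that resolves at t=0, so the DNS case shows the remaining-TTL window rather than the worst case, where a client that resolved just before the outage keeps the stale answer for the full TTL.

```go
package main

import (
	"fmt"
	"time"
)

// Backend is one regional deployment; the scenario flips Healthy to simulate an outage.
type Backend struct {
	Name    string
	Healthy bool
}

// dnsFailover models a DNS-based global balancer such as Traffic Manager: the
// authoritative answer follows backend health, but the client caches the answer
// for the record TTL and keeps using it until that TTL expires.
type dnsFailover struct {
	primary, secondary *Backend
	ttl                time.Duration
	cached             string
	cachedAt           time.Time
	haveCache          bool
}

func (d *dnsFailover) authoritative() string {
	if d.primary.Healthy {
		return d.primary.Name
	}
	return d.secondary.Name
}

// Route returns the backend a client using this resolver cache reaches at time now.
func (d *dnsFailover) Route(now time.Time) string {
	if d.haveCache && now.Sub(d.cachedAt) < d.ttl {
		return d.cached
	}
	d.cached, d.cachedAt, d.haveCache = d.authoritative(), now, true
	return d.cached
}

// probeFailover models a proxying balancer such as Front Door: every request is
// routed by the balancer from its current view of backend health, so there is
// no client-side cache to wait for.
type probeFailover struct{ primary, secondary *Backend }

func (p *probeFailover) Route(time.Time) string {
	if p.primary.Healthy {
		return p.primary.Name
	}
	return p.secondary.Name
}

// SimulateOutage issues one request per step (step must be > 0) from t=0 up to
// horizon, takes the primary down at outageAt, and returns how many post-outage
// requests each balancer still sent to the failed primary.
func SimulateOutage(ttl, outageAt, horizon, step time.Duration) (dnsStale, probeStale int) {
	primary := &Backend{Name: "uk-south", Healthy: true}   // constructed names
	secondary := &Backend{Name: "uk-west", Healthy: true}
	dns := &dnsFailover{primary: primary, secondary: secondary, ttl: ttl}
	probe := &probeFailover{primary: primary, secondary: secondary}
	start := time.Unix(0, 0)
	for t := time.Duration(0); t < horizon; t += step {
		if t >= outageAt {
			primary.Healthy = false
		}
		now := start.Add(t)
		viaDNS, viaProbe := dns.Route(now), probe.Route(now)
		if t >= outageAt {
			if viaDNS == primary.Name {
				dnsStale++
			}
			if viaProbe == primary.Name {
				probeStale++
			}
		}
	}
	return dnsStale, probeStale
}

func main() {
	for _, ttl := range []time.Duration{300 * time.Second, 60 * time.Second, 0} {
		d, p := SimulateOutage(ttl, 30*time.Second, 120*time.Second, 10*time.Second)
		fmt.Printf("TTL %3.0fs: DNS-based sent %d requests to the dead region, probe-based sent %d\n",
			ttl.Seconds(), d, p)
	}
}
```

The takeaway the model makes visible is that with DNS-based failover the stale-traffic window is bounded by the TTL on top of whatever time the health probes need to detect the outage, so lowering the TTL is the main lever you have in Option 2, at the cost of more DNS queries; the proxy-based balancer has no such window.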

Managed Certificates

Azure Front Door provides complete certificate management, handling all aspects of certificate procurement and management on your behalf. With this service, you don’t need to worry about dealing with certificates manually. Front Door automatically provisions and renews certificates well before their expiration, mitigating any risks of service interruptions due to expired certificates.

There are no additional charges for acquiring or renewing certificates as Azure Front Door offers the certificate management functionality for free. By taking care of certificate-related tasks seamlessly, Azure Front Door simplifies the process of securing your applications and ensuring continuous and uninterrupted delivery of your services.

Benefits of Option 2 — Why should you choose Azure Application Gateway?

While Azure Front Door meets all requirements of the given use case more cost-efficiently, there are certain scenarios for which Application Gateway will be the better choice.

Mutual Authentication

Application Gateway supports mutual authentication, which allows it to authenticate the client that is sending requests. Usually only the client authenticates the Application Gateway, but mutual authentication allows the client and the Application Gateway to authenticate each other.

For mutual authentication, you upload one or more trusted client CA certificates to the Application Gateway, and the gateway uses them to verify the certificate presented by a client sending a request. With the rise in IoT use cases, mutual authentication gives you a way to manage and control which clients can talk to your Application Gateway.

Azure Front Door doesn’t support client/mutual authentication.
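The following Go program is an added example, not code from the original post or from Azure, that reproduces the check described above in a local TLS listener: the server presents its own certificate and, like an Application Gateway with mutual authentication enabled, accepts only clients whose certificate chains to the uploaded client CA. The CA names, the `device-0001` client, and the helper names `mkCert` and `RunScenario` are constructed for the illustration; all three CAs are generated in memory here, whereas in a real deployment the trusted client CA is the certificate you upload to the gateway.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func (id identity) tlsCert() tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{id.cert.Raw}, PrivateKey: id.key}
}

// mkCert creates an ECDSA key and certificate for name. With issuer nil it is a
// self-signed CA; otherwise a leaf signed by issuer, carrying either the
// client-auth EKU (client=true) or the server-auth EKU plus the loopback IP SAN.
func mkCert(name string, issuer *identity, client bool) identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key
	switch {
	case issuer == nil:
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	case client:
		parent, signer = issuer.cert, issuer.key
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	default:
		parent, signer = issuer.cert, issuer.key
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return identity{cert, key}
}

// Outcome records whether each kind of client reached the application (HTTP 200).
type Outcome struct{ TrustedClient, UntrustedClient, NoCertificate bool }

// RunScenario stands up the mutual-TLS listener and tries three clients against it.
func RunScenario() Outcome {
	serverCA := mkCert("Demo Server CA", nil, false)
	clientCA := mkCert("Demo Trusted Client CA", nil, false) // the CA you would upload
	rogueCA := mkCert("Demo Rogue CA", nil, false)           // a valid CA, but not trusted

	trusted := x509.NewCertPool()
	trusted.AddCert(clientCA.cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Reaching the handler means the handshake verified the client against ClientCAs.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{mkCert("gateway", &serverCA, false).tlsCert()},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-authentication switch
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(serverCA.cert)
	try := func(cert *tls.Certificate) bool {
		cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
		if cert != nil {
			cfg.Certificates = []tls.Certificate{*cert}
		}
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
		defer c.CloseIdleConnections()
		resp, err := c.Get(srv.URL)
		if err != nil {
			return false // rejected during the handshake: wrong issuer or no certificate
		}
		resp.Body.Close()
		return resp.StatusCode == http.StatusOK
	}
	good := mkCert("device-0001", &clientCA, true).tlsCert()
	rogue := mkCert("device-0001", &rogueCA, true).tlsCert()
	return Outcome{TrustedClient: try(&good), UntrustedClient: try(&rogue), NoCertificate: try(nil)}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The rogue client is worth noting: its certificate is perfectly valid and even carries the same common name as the trusted device, yet it is refused because trust is anchored in the issuer, not the subject. That is exactly why the gateway only needs the CA certificate and not a list of every client.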

Data Residency

The data handling in Azure Application Gateway is limited to the geographic regions where it operates, ensuring that data never leaves those regions. With Azure Front Door, however, data can be routed globally. The data may be cached at edge locations worldwide based on the origin of the incoming request, with the caching behaviour customizable using Front Door's rules engine. While caching could raise data residency concerns, Azure Front Door does allow caching to be disabled to address specific requirements.

One other aspect of Front Door that can also impact data residency is its handling of Transport Layer Security (TLS). While Front Door provides end-to-end TLS, it achieves this by decrypting traffic at the edge location and re-encrypting it before forwarding it to the backend. The TLS decryption and encryption occur at the edge locations closest to the client generating the request, regardless of the backend region. For instance, if a user in Australia accesses a service hosted in the UK, the request would get decrypted (for inspection by Azure Front Door) in Australia before being re-encrypted and forwarded to the UK.

Whether this arrangement complies with data residency policies or not is debatable, but it’s still important to be aware of this scenario to make a fully informed decision and ensure it aligns with your specific data residency and compliance requirements.

Connection Draining

Connection Draining is a feature supported by Application Gateway, but not available in Front Door. It plays a crucial role in achieving a graceful removal of backend pool members during planned service updates or when there are issues with backend health. With connection draining, Application Gateway ensures that any deregistering instances of a backend pool do not receive new requests while still allowing existing requests to complete within a configured time limit. This capability helps to maintain a smooth and uninterrupted user experience during backend changes or maintenance operations.
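The following Go program is an added example, not code from the original post or from Azure, that models the draining semantics described above in a small in-memory backend pool: a member being deregistered stops receiving new requests immediately, its in-flight requests are allowed to finish within a configured time limit, and anything still running at the deadline is counted as cut off. The member names `vm-a`, `vm-b`, `vm-c` and the `Pool`, `Dispatch` and `Deregister` names are constructed for the illustration. The same semantics are what an origin behind Front Door has to implement for itself, for instance via Go's `http.Server.Shutdown`, since Front Door does not drain on its behalf.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Backend is a pool member. While draining it accepts no new requests, but
// requests already in flight are allowed to finish.
type Backend struct {
	Name     string
	draining bool
	inFlight int
	idle     chan struct{} // closed once draining and inFlight reaches zero
}

// Pool hands requests round-robin to members that are not draining.
type Pool struct {
	mu      sync.Mutex
	members []*Backend
	next    int
}

var ErrNoBackend = errors.New("no non-draining backend available")

func NewPool(names ...string) *Pool {
	p := &Pool{}
	for _, n := range names {
		p.members = append(p.members, &Backend{Name: n, idle: make(chan struct{})})
	}
	return p
}

// Dispatch routes a new request and returns the chosen member plus a done
// function the caller must invoke when the request completes.
func (p *Pool) Dispatch() (string, func(), error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	for i := 0; i < len(p.members); i++ {
		b := p.members[(p.next+i)%len(p.members)]
		if b.draining {
			continue // draining members get no new requests
		}
		p.next = (p.next + i + 1) % len(p.members)
		b.inFlight++
		var once sync.Once
		done := func() {
			once.Do(func() {
				p.mu.Lock()
				defer p.mu.Unlock()
				b.inFlight--
				if b.draining && b.inFlight == 0 {
					close(b.idle)
				}
			})
		}
		return b.Name, done, nil
	}
	return "", func() {}, ErrNoBackend
}

// Deregister drains the named member: new requests stop immediately, existing
// ones may finish within timeout, then the member is removed. It reports
// whether the drain completed cleanly and how many requests were cut off.
func (p *Pool) Deregister(name string, timeout time.Duration) (clean bool, cutOff int) {
	p.mu.Lock()
	var b *Backend
	for _, m := range p.members {
		if m.Name == name {
			b = m
		}
	}
	if b == nil || b.draining {
		p.mu.Unlock()
		return false, 0
	}
	b.draining = true
	if b.inFlight == 0 {
		close(b.idle)
	}
	p.mu.Unlock()

	select {
	case <-b.idle:
		clean = true
	case <-time.After(timeout):
	}

	p.mu.Lock()
	defer p.mu.Unlock()
	cutOff = b.inFlight
	for i, m := range p.members {
		if m == b {
			p.members = append(p.members[:i], p.members[i+1:]...)
			break
		}
	}
	if len(p.members) > 0 {
		p.next %= len(p.members)
	}
	return clean, cutOff
}

func main() {
	p := NewPool("vm-a", "vm-b")
	name, done, _ := p.Dispatch()
	fmt.Println("request 1 ->", name)
	go func() { time.Sleep(100 * time.Millisecond); done() }() // the request finishes later
	clean, cut := p.Deregister("vm-a", 2*time.Second)
	fmt.Printf("vm-a drained cleanly=%v, cut off=%d\n", clean, cut)
	name, done, _ = p.Dispatch()
	fmt.Println("request 2 ->", name)
	done()
}
```

The drain timeout is the trade-off to tune: too short and long-running requests are cut off during every deployment, too long and a bad instance lingers in the pool while the operator waits for it to go idle.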

When should you use both Azure Front Door and Azure Application Gateway?

While it is indeed possible to use both Azure Application Gateway and Azure Front Door together by placing Application Gateway behind Front Door, these instances are not common. In most typical use cases, each service can independently fulfill the required functionalities.

However, there may be situations where you need features that are available in one service but not the other, such as Managed Certificates, Connection Draining, or Faster Failovers. In such cases, utilizing both Azure Application Gateway and Azure Front Door becomes necessary to achieve the desired functionality.

Conclusion

Ultimately, the decision to use one service or the other, or both services together, will depend on the specific requirements and objectives of the application or service being deployed, but I hope this blog helps you make that decision faster.
