Knock Knock; Who’s there?
Azure Front Door!

Mark Nash
Contino Engineering
10 min read · Sep 7, 2023


Introduction

Imagine you have an online store that you want to share with people all over the world. You want everyone to have a smooth, fast and safe shopping experience, no matter where they are. The online store is hosted on Microsoft Azure, and you’re looking for a resource to make your website faster, more secure, and always available. In your search you stumble across ‘Azure Front Door’ … But what is it?

Azure Front Door is a globally dispersed Application Delivery Network (ADN). It is a Content Delivery Network (CDN), Web Application Firewall (WAF), Layer 7 load balancer and much more, all in one Azure resource!

Microsoft is so confident in Azure Front Door that their own services such as Bing, Skype, LinkedIn, Microsoft 365 and even the Azure Portal all utilise the service to provide higher availability, lower latency, better scale, and more secure experience for their users.

With such a multifaceted resource it’s obvious there are many reasons you might decide to implement it in your environment, but let us talk through and explore some of these a little.

It’s web traffic only from here on out

A quick note at this point: if you’re looking for a solution to route traffic to your applications via protocols other than HTTP, HTTPS and HTTP/2 then you might as well stop here, pay your tab and look elsewhere. Azure Front Door only supports HTTP-based traffic, and although this is supported over non-standard ports it is the only protocol we’ll see pass through from here. This includes you, WebSockets. Have a look at Azure Application Gateway and Traffic Manager if you need other protocol support, as Front Door is not the tool for you.

Azure Front Door

So let’s dive in through the front door and discover what Azure Front Door can provide you and your team, and why you should look at implementing it for your internet-facing HTTP(S) based applications!

Tiers of Azure Front Door

If you’ve been around the Azure landscape as long as I have then you might have seen some of the earlier iterations of Azure Front Door with a single tier. Since April 2022 Azure has been offering Standard and Premium tiers of Azure Front Door. The previous and already existing iterations of Azure Front Door have been retired and are now indicated as ‘classic’ resources. Although these classic resources will continue to be supported, they will miss out on future enhancements and latest capabilities.

In this blog, we’ll focus on the features of the Standard and Premium tiers, allowing you to use this information to either build a new instance or upgrade your current classic resource.

Let’s take a quick look at the differences between the available tiers. Microsoft has produced a nice full feature comparison between the Standard, Premium and classic resource tiers that I wouldn’t be able to beat. It’s worth a deeper look if you’re trying to decide which tier is right for you, but here we will look at the highlights.

Standard

Standard provides you with a wide range of features covering the core features of CDN, WAF, LB at a global scale, so you are not missing out on much if you decide to stay at a standard level.
Some highlights are:

  • Static and Dynamic file and site delivery
  • Custom Domains
  • Origin Load balancing
  • Custom WAF rules
  • Advanced analytics, metrics, reports and logs (Access logs, WAF logs, Health probe logs)

Premium

Along with everything that the standard level provides, the main benefits Premium gives you over and above the Standard Tier are:

  • Microsoft Managed rule set
  • Bot Protection
  • Private Link Connection to Origin sources
  • WAF reports
  • Increase of Quota limits

It’ll be down to your own requirements to decide which tier is correct for you, however as going down the tiers (Premium -> Standard) is not currently supported, it is always advised to start on the Standard tier and only upgrade if you find you require the additional features.

Placement

So where does a service called ‘Azure Front Door’ sit in your infrastructure stack?

No surprises here, Azure Front Door sits at the start of your infrastructure estate as the first point of contact users will get when they are looking for your applications.

DNS for your website is pointed at the Azure Front Door endpoint using a CNAME record and a TXT record. The CNAME record directs traffic to the Front Door endpoint address; the TXT record confirms domain ownership.

Azure Front Door can even provide an Azure-managed TLS/SSL certificate for your site, allowing you to serve HTTPS without the additional overhead of purchasing a separate certificate! Sites that do not have certificate-based authentication rank lower in search results, potentially reducing the number of customers directed to your site. Certificate-less sites also go against industry best practice and risk compromise of the system’s security. By having Azure Front Door manage the SSL/TLS certificate for your site you reduce the management overhead of renewing certificates and reduce the risk of a renewal being missed and taking your site offline.

Once a user is directed to Front Door, the Front Door instance checks the health of your application servers, the validity of cached content and ensures the request is not an attack. As long as all is good Front Door will direct the user to the relevant content or application servers (or origin). If an Application server or Region is unavailable Front Door can direct the request to a different healthy endpoint or even a custom error page.

All is Good! The user is in your App!

If you want to read the full routing architecture overview Microsoft explains that here : https://learn.microsoft.com/en-us/azure/frontdoor/front-door-routing-architecture?pivots=front-door-standard-premium

Capabilities — Security

All sounds great so far! However, what happens if this isn’t some nice user trying to purchase your wares, and is instead an attacker looking to steal information from your website?! (Oh no! We Don’t want that!)

Azure Front Door has Web Application Firewall (WAF) capabilities that help to protect your Sites and Applications from attacks from these pesky individuals.

WAF policies can block attacks such as SQL injection, cross-site scripting and other known HTTP or HTTPS attacks with known signatures before they reach your systems. Managed rule sets in the Premium tier protect against many common attacks and against bots. You are also able to restrict specific regions and/or IPs from accessing your sites.

If the attacker tries to batter your site with a Distributed Denial of Service (DDoS) attack, it’ll come to no avail as Front Door is guarded with DDoS protection that has been proven to protect Microsoft’s enterprise and customer services from large-scale attacks. (Not this time attacker!)

Alongside the active protection you put in place when using Azure Front Door and WAF, some of the security best practices that Front Door can enable are:

  • Limiting externally accessible endpoints by restricting traffic to origins from Front Door
  • End to End TLS encryption
  • HTTP to HTTPS redirects
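The first item in that list only holds if the origin itself refuses traffic that did not come through Front Door. Front Door forwards an X-Azure-FDID header carrying the profile’s Front Door ID, and Microsoft recommends that origins check it. The middleware below is an added example (not code from the original post or from Microsoft) showing that check on a WSGI application; EXPECTED_FDID is a constructed placeholder, not a real ID.

```python
"""Origin-side guard for an app published through Azure Front Door.

Added example, not code from the original post or from Microsoft. The origin
checks the X-Azure-FDID header so that requests that bypass Front Door (and
its WAF) are refused. EXPECTED_FDID is a constructed placeholder, not a real ID.
"""

EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"  # placeholder value


def fdid_ok(headers, expected=EXPECTED_FDID):
    """True only if X-Azure-FDID is present and equals the expected ID."""
    for name, value in headers.items():
        if name.lower() == "x-azure-fdid":
            return value.strip() == expected
    return False  # header absent: the request did not come through Front Door


class FrontDoorOnly:
    """WSGI middleware: reject anything whose X-Azure-FDID does not match."""

    def __init__(self, app, expected=EXPECTED_FDID):
        self.app = app
        self.expected = expected

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_X_AZURE_FDID style keys.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        if not fdid_ok(headers, self.expected):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to this origin is not allowed\n"]
        return self.app(environ, start_response)


def storefront(environ, start_response):
    """Stand-in for the real application behind Front Door."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"store front\n"]


def handle(app, path, headers):
    """Drive a WSGI app with constructed headers; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, response_headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body
```

Pair this header check with a network-level restriction (for example allowing only the AzureFrontDoor.Backend service tag at the origin’s firewall) so that the WAF cannot be bypassed by addressing the origin directly.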

So you are already better off by using Front Door from a security perspective, but let us continue to look at other reasons Front Door is worth your time.

Capabilities — CDN

Your storefront is going to have many images and content pieces that your customers will want to load so they understand what you are selling. These requests could go to your application servers every time, but the images and content won’t change that often meaning lots of repeated requests. Wouldn’t it be better to get customers looking at as much content as possible in the shortest period of time by speeding their requests up and reducing load on the application servers?

Content Delivery Networks (CDN) utilise caching to save standard requests and responses without having to send and wait for requests to go to and from the Origin servers. Caching these standard requests helps to speed up overall site resolution by hosting the content closer to the user, and it reduces the amount of traffic sent to origin servers by removing the duplicated requests for assets allowing application servers to focus on more intensive requests.
Static assets such as images, CSS and JavaScript files benefit most from caching. Dynamic assets should not be cached for many reasons such as data freshness, personalization, security and privacy. These dynamic assets should be separated and routed directly to the origin servers.

Speed is not the only reason having CDN capabilities is helpful, it can also help your applications manage peaks in traffic and demand.

Capabilities — Scalability and Availability

Christmas, Black Friday, spectacular deals or just the peaks and troughs of a standard day — there are many reasons your store or application will see high traffic and demand. There will also be times when disaster strikes and issues arise in your application that are caused by extreme weather, natural disasters or just standard accidents. It would be crushing if your application could not handle the pressure of these high demand scenarios and you lost out on that custom, or your application became unavailable in these disasters.

Azure Front Door is a globally hosted service which delivers content using Microsoft’s global network of hundreds of Points of Presence (PoPs) distributed across the world. This allows you to connect customers to your content with minimal latency, utilising Front Door’s CDN capability to store content close to users rather than having to be constantly transferred across regions.

It also enables you to handle higher demand more easily, providing many PoPs to scale and handle peak traffic loads, along with the CDN removing the repeated requests for content.

Being a globally distributed service also helps to increase the availability of your application. If an issue arose in a core region for your users they could be directed to a working region, continuing to allow them to access your applications with minimal disruption. Using Azure Front Door alongside geographically redundant application designs enables applications to handle disasters with ease.

Capabilities — Layer 7 Load Balancing

Having multiple instances of your store makes sense, whether it’s a physical bricks and mortar shop, or an application hosted in the cloud. Designing for resilience in this manner you can protect from incidents causing a loss of business by directing traffic to a different one of your stores if one has issues. This is exactly the same in a web application environment, we want to ensure business continuity in the event an instance becomes unavailable, so we need to direct traffic to a different location or instance.

This is where Front Door’s layer 7 load balancing comes into play, Front Door can keep an eye on application health and direct users to a working instance in the same region, or even another region if the application is set up to support it.

Sometimes applications will have specialisations, just like your high street shop, so you can use path-based routing to direct specific requests to certain application backends. Maybe you have a different application handling payment requests from the one hosting your main website. Requests to /payment/* can be directed to that application to resolve.

By using Front Door you can direct traffic to healthy instances and specify the correct paths for users to traverse, helping to keep applications performant and reduce errors for the users.
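To make the two behaviours in this section concrete, here is a small model (an added example, not code from the original post or from Microsoft) of how a request path is matched to an origin group and how a healthy origin is then chosen by priority and weight. The hosts and patterns are constructed; routes map a pattern to a (group name, list of Origin) pair, and the real service also weighs latency, which this model leaves out.

```python
"""Simplified model of Front Door's layer 7 routing decisions.

Added example, not code from the original post or from Microsoft: path-pattern
routing to different origin groups (e.g. /payment/*) and health-aware origin
selection by priority, then weight. Hosts and patterns are constructed; the
real service also weighs latency, which this model leaves out.
"""
from dataclasses import dataclass


@dataclass
class Origin:
    host: str
    priority: int = 1      # lower is preferred; priority 2 is the failover
    weight: int = 1000     # traffic share among origins of the same priority
    healthy: bool = True   # result of the latest health probe


def pick_origin(origins, roll=0.0):
    """Weighted choice among healthy origins of the best priority; roll in [0, 1)."""
    healthy = [o for o in origins if o.healthy]
    if not healthy:
        return None        # nothing to route to: Front Door would serve an error page
    best = min(o.priority for o in healthy)
    tier = [o for o in healthy if o.priority == best]
    cursor = roll * sum(o.weight for o in tier)
    for origin in tier:
        cursor -= origin.weight
        if cursor < 0:
            return origin
    return tier[-1]


def match_route(path, routes):
    """Longest matching pattern wins: '/payment/*' beats the '/*' catch-all."""
    best, best_len = None, -1
    for pattern, group in routes.items():
        if pattern.endswith("/*"):
            prefix = pattern[:-1]                          # '/payment/'
            hit = path.startswith(prefix) or path == prefix[:-1]
        else:
            prefix, hit = pattern, path == pattern
        if hit and len(prefix) > best_len:
            best, best_len = group, len(prefix)
    return best


def resolve(path, routes, roll=0.0):
    """Return (group name, origin host) for a request, or None if nothing is healthy."""
    group = match_route(path, routes)
    origin = pick_origin(group[1], roll) if group else None
    return None if origin is None else (group[0], origin.host)
```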

Capabilities — Infrastructure as Code (IaC)

Whether it’s in a store or IT environment, having individuals implement changes to high importance systems necessitates care, which tends to slow the whole process down, and even when individuals are careful it doesn’t mean all mistakes are caught before tasks are deemed complete. Managing IT infrastructure in a manual way has fallen out of favor with IT professionals for these (and many more) reasons and so they now look to IaC to configure and manage their resources.

Infrastructure as Code (IaC) is an industry standard for managing infrastructure. By defining the configuration of infrastructure assets as code, IT professionals can store, duplicate and test the configurations and gain confidence in them, so that when they are applied to high importance systems such as production instances of Azure Front Door, they can be sure nothing will break.

Azure Front Door is available to be managed via a multitude of Infrastructure as code tools varying from Command line and scripting tools such as PowerShell and the Azure CLI, to templating tools such as ARM templates, Bicep and Terraform.

In IaC deployments of classic Azure Front Door with Terraform, the Front Door Azure resource was a single Terraform resource with many configuration blocks to allow you to configure the frontends, routes, backends and more.
Being a single resource meant the Terraform configuration files for Front Door would be single long files that weren’t particularly easy to read or maintain, and due to the complicated nature of the Front Door resource these files would be hundreds of lines long to capture the full configuration of the resource.

With the move to the new Standard and Premium tiers of Azure Front Door resource comes a new set of Terraform resources for Azure Front Door.

These new resources break the original monolithic Terraform files down into smaller chunks, allowing them to be split over multiple files and even multiple configuration deployments. This makes management and understanding a lot clearer, allows changes to be made in smaller increments and is overall a better way to manage the resource.

We would always advise having a test environment that is architected like the production environment as this enables you to test changes you want to make to production without affecting the user base. By using IaC it is easy to be able to duplicate the code, rename resources and then deploy a like-for-like instance to do testing on. If you are concerned about costs then these environments don’t have to stick around as the IaC enables you to spin them up and down as and when needed.

Microsoft provides quickstart guides for deploying Azure Front Door via Terraform, ARM template, Bicep, CLI, PowerShell and the portal.

You can get started easily and deploy Azure Front Door and test out what it can do for you.

In Summary

Whatever your HTTP(S) application is showing or selling to the world, it is important that your customers are kept safe, served quickly, consistently and want to come back and use your service again.

Azure Front Door helps you with these aims by providing industry leading WAF Protection, CDN request acceleration and Global availability and scalability to help ensure your customers always come away from your application happy.

With Microsoft’s quickstart guides you can easily setup an example instance of Azure Front Door to have a play and find out if it’s the right tool for you.

If you still need help… well, you know where we (Contino) are 😉
