Azure Load Balancer (Part 2)

What is Azure Front Door

Azure Front Door helps you deliver content, files, apps, and APIs with better availability, faster response times, and stronger security, no matter where your users are.

Microsoft's cloud-based Content Delivery Network (CDN) ensures fast, reliable, and secure access to static and dynamic web content. By using Microsoft's extensive global network, which has hundreds of points of presence (PoPs) worldwide, Azure Front Door brings your content closer to your users, whether they are businesses or consumers.

Azure Front Door helps internet-facing applications to:

  • Build modern, internet-first architectures that deliver high-quality digital experiences on secure, automated, and reliable platforms.
  • Speed up app and content delivery worldwide, helping you stay competitive, adapt quickly to changes, and respond to new demands.
  • Protect your digital assets with advanced security based on the Zero Trust model.

Key Benefits:

  • Global Scale: Use Microsoft’s network to enhance the performance of your apps and content with Cloud CDN and WAN services.
  • 118 Edge Locations: Improve app latency by up to 3 times using Azure’s private enterprise-grade WAN, connecting over 100 cities worldwide.
  • Boost App Performance: Front Door's anycast network and split TCP connections accelerate app performance.
  • SSL Offloading: Secure connections at the edge with SSL termination and integrated certificate management.
  • IPv6 and HTTP/2: Supports end-to-end IPv6 and the HTTP/2 protocol for better connectivity.

Deliver Modern Apps:

  • Cloud-Native Experiences: Modernize apps on Azure with cloud-native tools.
  • DevOps Integration: Seamlessly integrate with DevOps tools like CLI, PowerShell, ARM templates, and Bicep across various languages.
  • Custom Domain Setup: Easily define and validate custom domains.
  • Traffic Management: Load balance traffic, monitor app health, and route requests intelligently across Azure and other platforms.
  • Enhanced Edge Logic: Use advanced rules, regular expressions, and server variables to manage routing logic at the edge.
  • Integration: Works with other Azure services like DNS, Web Apps, and Storage for streamlined domain and origin management.
  • Monitoring: Real-time traffic monitoring, alerts with Azure Monitor, and detailed logging of every request and health check.

Simple and Cost-Effective:

  • Unified Delivery: Combines static and dynamic content delivery in a single tier, improving performance with caching, SSL offload, and DDoS protection (layers 3-4).
  • Managed SSL Certificates: Free, auto-rotating SSL certificates for quick security setup.
  • Simplified Pricing: Reduced billing complexity with a low entry fee and fewer cost meters.
  • Integrated Egress Pricing: No separate egress fees between Azure regions and Azure Front Door, making cost management simpler.

Azure Front Door Classic

Azure Front Door (classic) is a global service that helps create fast, secure, and scalable web applications by using Microsoft's worldwide edge network. It allows you to turn your consumer and business applications into high-performing, modern apps that can reach users across the globe.

Front Door (classic) operates at the HTTP/HTTPS level (Layer 7) and uses advanced networking techniques to improve connection speed worldwide. It routes user requests to the fastest and most available application backend, whether hosted in Azure or elsewhere on the internet.

Front Door (classic) offers different methods for directing traffic and monitoring the health of your backends, ensuring reliability and automatic failover if something goes wrong. Like Traffic Manager, it is designed to handle failures, even in the event of an entire Azure region going offline.

Why use Azure Front Door (classic)?

Azure Front Door (classic) helps you build, manage, and scale your web applications and content globally. It optimizes web traffic routing for better performance and reliability, with fast global failover to ensure availability. Key features include:

  • Improved app performance using advanced networking (split TCP and anycast).
  • Intelligent monitoring of your backend resources to check their health.
  • Route requests based on specific URL paths.
  • Host multiple websites efficiently on the same infrastructure.
  • Maintain user sessions with cookie-based session affinity.
  • SSL offloading and easy certificate management for secure connections.
  • Support for custom domains.
  • Built-in security with Web Application Firewall (WAF).
  • Automatically redirect HTTP traffic to HTTPS for added security.
  • Customize forwarding paths with URL rewriting.
  • Support for IPv6 connectivity and the HTTP/2 protocol.

Comparison between Azure Front Door and Azure CDN:

Azure Front Door and Azure CDN are both services that deliver content globally, using intelligent routing and caching to improve the speed and performance of your applications. They both use a network of locations (points of presence or PoPs) around the world to bring content closer to your users.

Both services also offer features to enhance security, protect your applications from attacks, and provide tools to monitor the health and performance of your apps.

This quickstart walks you through setting up an Azure Front Door profile using the Azure portal. You have two ways to create a profile: Quick Create and Custom Create. The Quick Create option lets you set up basic settings quickly, while Custom Create allows for more advanced configuration.

In this guide, you'll use the Custom Create option. First, you'll deploy two App Services to act as your origin servers. Then, you'll set up the Azure Front Door profile to route traffic to these App Services using specific rules. Finally, you'll test the connection by accessing your App Services through the Azure Front Door's frontend hostname.

Create Front Door Profile - By Azure portal        

1. Sign in to the Azure portal.

2. To create a new Front Door profile, go to the home page or Azure menu and click on + Create a resource. In the search box, type "Front Door and CDN profiles" and select Create.

3. On the Compare Offerings page, choose Quick Create and then click Continue to proceed with creating a Front Door profile.

4. On the Create a Front Door profile page, fill in the required information.

5. Click Review + Create, and then select Create to deploy your Azure Front Door profile.

Create Front Door Profile - Custom Create:

Earlier, we used Quick Create to set up an Azure Front Door profile with basic settings. Now, you'll create a profile using the Custom Create option and deploy two App Services that will act as the origins for your Azure Front Door profile.

Create Two Web App Instances

If you already have services you want to use as origins, you can skip to the step where you create a Front Door for your application.

This example will guide you through creating two Web App instances, each deployed in a different Azure region. Both instances will be in Active/Active mode, meaning they can both handle incoming traffic at the same time. This is different from an Active/Standby setup, where one app is a backup.

To create the two Web Apps, follow these steps:

1. Sign in to the Azure portal.

2. To create the first Web App, click + Create a resource in the top left corner of the portal. In the search box, type "Web App" and select Create to configure it.

3. On the "Create Web App" page, fill out the required information under the Basics tab.

4. After reviewing the settings, click Review + Create, and then click Create to begin deploying the Web App. This may take a minute.

5. To create the second Web App, follow the same steps as the first one, but make the necessary changes to the settings as required for the second instance.

Create a Front Door for Your Application:

In this step, you'll set up Azure Front Door to direct user traffic to the nearest Web App based on latency. You'll also apply a Web Application Firewall (WAF) policy to protect your Azure Front Door from attacks.

1. Sign in to the Azure portal.

2. Click + Create a resource on the home page or in the Azure menu. Search for "Front Door and CDN profiles" and select Create.

3. On the "Compare offerings" page, choose Custom Create and then click Continue to create a Front Door.

4. On the Basics tab, enter or select the required information, and then click Next: Secret.

5. Optional: If you plan to use managed certificates, you can skip this step. If you have an existing Azure Key Vault with a certificate for a custom domain, click Add a certificate. You can also add a certificate later.

6. In the Endpoint tab, click Add an endpoint, enter a unique name (e.g., "contoso-frontend"), and then click Add. You can create more endpoints after deployment.

7. To configure routing to your Web App, click + Add a route. Fill in the required information on the "Add a route" page and click Add to include the route in the endpoint configuration.

8. Click + Add a policy to apply a WAF policy to one or more domains in your Azure Front Door profile. Provide a unique name for the policy, select the domains you want to protect and choose either an existing WAF policy or create a new one. Finally, click Save to add the security policy to the endpoint configuration.

9. To deploy your Azure Front Door profile, click Review + Create, and then select Create. The configurations will take a few minutes to propagate to all edge locations.

Verify Azure Front Door:

It takes a few minutes for the Azure Front Door profile to be globally deployed. Once it's ready, you can access the frontend host by entering its endpoint hostname in a browser. Your request will be automatically directed to the nearest server in the origin group.

To test the instant global failover feature, follow these steps if you created the apps during this quickstart:

1. Enter the endpoint hostname in your browser to access the frontend host.

2. In the Azure portal, click on App Services in the search bar. Find one of your Web Apps, like WebApp-Contoso-001, from the list.

3. To stop your web app, select it and then click Stop. Confirm by clicking Yes.

4. Reload the browser to see the information page again.

Tip: It might take some time for the traffic to switch to the second Web App, so you may need to reload the browser again.

5. To stop the second Web App, select it from the list and choose Stop. Confirm your action by clicking Yes.

6. Reload the web page, and you should see an error message after refreshing.

Create an Azure Front Door using Terraform        

Implement the Terraform code

1. Create a Directory: Create a new folder where you can test the sample Terraform code and set it as your current working directory.

2. Create the Files:

Create a file named and add the following code to it:

terraform {
  required_version = ">=1.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~>3.0"
    }
  }
}

provider "azurerm" {
  features {}
}
Create a file named and insert the following code:

# Random suffix so the resource group name is unique in the subscription.
resource "random_pet" "rg-name" {
  prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {
  name     = random_pet.rg-name.id
  location = var.resource_group_location
}

resource "random_id" "front_door_endpoint_name" {
  byte_length = 8
}

locals {
  front_door_profile_name      = "MyFrontDoor"
  front_door_endpoint_name     = "afd-${lower(random_id.front_door_endpoint_name.hex)}"
  front_door_origin_group_name = "MyOriginGroup"
  front_door_origin_name       = "MyAppServiceOrigin"
  front_door_route_name        = "MyRoute"
}

resource "azurerm_cdn_frontdoor_profile" "my_front_door" {
  name                = local.front_door_profile_name
  resource_group_name = azurerm_resource_group.rg.name
  sku_name            = var.front_door_sku_name
}

resource "azurerm_cdn_frontdoor_endpoint" "my_endpoint" {
  name                     = local.front_door_endpoint_name
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.my_front_door.id
}

resource "azurerm_cdn_frontdoor_origin_group" "my_origin_group" {
  name                     = local.front_door_origin_group_name
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.my_front_door.id
  session_affinity_enabled = true

  load_balancing {
    sample_size                 = 4
    successful_samples_required = 3
  }

  # Health probes go to the origin over HTTPS.
  health_probe {
    path                = "/"
    request_type        = "HEAD"
    protocol            = "Https"
    interval_in_seconds = 100
  }
}

resource "azurerm_cdn_frontdoor_origin" "my_app_service_origin" {
  name                          = local.front_door_origin_name
  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.my_origin_group.id

  enabled                        = true
  host_name                      = azurerm_windows_web_app.app.default_hostname
  http_port                      = 80
  https_port                     = 443
  origin_host_header             = azurerm_windows_web_app.app.default_hostname
  priority                       = 1
  weight                         = 1000
  certificate_name_check_enabled = true # validate the origin certificate's name
}

resource "azurerm_cdn_frontdoor_route" "my_route" {
  name                          = local.front_door_route_name
  cdn_frontdoor_endpoint_id     = azurerm_cdn_frontdoor_endpoint.my_endpoint.id
  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.my_origin_group.id
  cdn_frontdoor_origin_ids      = [azurerm_cdn_frontdoor_origin.my_app_service_origin.id]

  supported_protocols    = ["Http", "Https"]
  patterns_to_match      = ["/*"]
  forwarding_protocol    = "HttpsOnly" # Front Door always talks to the origin over HTTPS
  link_to_default_domain = true
  https_redirect_enabled = true # HTTP requests at the edge are redirected to HTTPS
}
Create a file named and include the following code:

resource "random_id" "app_name" {
  byte_length = 8
}

locals {
  app_name              = "myapp-${lower(random_id.app_name.hex)}"
  app_service_plan_name = "AppServicePlan"
}

resource "azurerm_service_plan" "app_service_plan" {
  name                = local.app_service_plan_name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  sku_name     = var.app_service_plan_sku_name
  os_type      = "Windows"
  worker_count = var.app_service_plan_capacity
}

resource "azurerm_windows_web_app" "app" {
  name                = local.app_name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  service_plan_id     = azurerm_service_plan.app_service_plan.id

  https_only = true

  site_config {
    ftps_state          = "Disabled"
    minimum_tls_version = "1.2"

    # Accept traffic only from Front Door, and only from this profile:
    # the service tag matches Front Door's backend address space, and the
    # X-Azure-FDID header filter matches this profile's resource GUID.
    ip_restriction {
      service_tag               = "AzureFrontDoor.Backend"
      ip_address                = null
      virtual_network_subnet_id = null
      action                    = "Allow"
      priority                  = 100

      headers {
        x_azure_fdid      = [azurerm_cdn_frontdoor_profile.my_front_door.resource_guid]
        x_fd_health_probe = []
        x_forwarded_for   = []
        x_forwarded_host  = []
      }

      name = "Allow traffic from Front Door"
    }
  }
}

Create a file named and put the following code in it:

variable "resource_group_location" {
  type        = string
  description = "Location for all resources."
  default     = "eastus"
}

variable "resource_group_name_prefix" {
  type        = string
  description = "Prefix of the resource group name that's combined with a random ID so the name is unique in your Azure subscription."
  default     = "rg"
}

variable "app_service_plan_sku_name" {
  type        = string
  description = "The SKU for the plan. Possible values include: B1, B2, B3, D1, F1, I1, I2, I3, I1v2, I2v2, I3v2, I4v2, I5v2, I6v2, P1v2, P2v2, P3v2, P0v3, P1v3, P2v3, P3v3, P1mv3, P2mv3, P3mv3, P4mv3, P5mv3, S1, S2, S3, SHARED, EP1, EP2, EP3, WS1, WS2, WS3, Y1."
  default     = "S1"

  validation {
    condition     = contains(["B1", "B2", "B3", "D1", "F1", "I1", "I2", "I3", "I1v2", "I2v2", "I3v2", "I4v2", "I5v2", "I6v2", "P1v2", "P2v2", "P3v2", "P0v3", "P1v3", "P2v3", "P3v3", "P1mv3", "P2mv3", "P3mv3", "P4mv3", "P5mv3", "S1", "S2", "S3", "SHARED", "EP1", "EP2", "EP3", "WS1", "WS2", "WS3", "Y1"], var.app_service_plan_sku_name)
    error_message = "The SKU value must be one of the following: B1, B2, B3, D1, F1, I1, I2, I3, I1v2, I2v2, I3v2, I4v2, I5v2, I6v2, P1v2, P2v2, P3v2, P0v3, P1v3, P2v3, P3v3, P1mv3, P2mv3, P3mv3, P4mv3, P5mv3, S1, S2, S3, SHARED, EP1, EP2, EP3, WS1, WS2, WS3, Y1."
  }
}

variable "app_service_plan_capacity" {
  type        = number
  description = "The number of Workers (instances) to be allocated."
  default     = 1
}

variable "front_door_sku_name" {
  type        = string
  description = "The SKU for the Front Door profile. Possible values include Standard_AzureFrontDoor, Premium_AzureFrontDoor"
  default     = "Standard_AzureFrontDoor"

  validation {
    condition     = contains(["Standard_AzureFrontDoor", "Premium_AzureFrontDoor"], var.front_door_sku_name)
    error_message = "The SKU value must be one of the following: Standard_AzureFrontDoor, Premium_AzureFrontDoor."
  }
}

Create a file named and enter the following code:

output "resource_group_name" {
  value = azurerm_resource_group.rg.name
}

output "frontDoorEndpointHostName" {
  value = azurerm_cdn_frontdoor_endpoint.my_endpoint.host_name
}

Initialize Terraform:

Execute the command terraform init to set up your Terraform deployment. This command will download the Azure provider needed to manage your Azure resources.

terraform init -upgrade

Create a Terraform Execution Plan:

Run the command terraform plan to generate an execution plan:

terraform plan -out main.tfplan

Apply the Terraform Execution Plan:

Execute the command terraform apply to implement the execution plan on your cloud infrastructure:

terraform apply main.tfplan

Verify the Results:

Retrieve the Front Door endpoint:

terraform output -raw frontDoorEndpointHostName

Paste it into your browser to check the results.
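
The App Service configuration above restricts the origin to the AzureFrontDoor.Backend service tag and to this profile's X-Azure-FDID value, which is what keeps requests from reaching the app without passing through your Front Door and its WAF policy. The following check is an added example (not part of the original article or of any Azure tooling) that audits the JSON produced by `terraform show -json` after an apply for that lockdown; the sample state, the `legacy` app, the `open` route and the function names are constructed for illustration.

```python
import json

# Constructed sample (not real state): trimmed `terraform show -json` output.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {"resources": [
 {"address": "azurerm_windows_web_app.app", "type": "azurerm_windows_web_app",
  "values": {"https_only": true, "site_config": [{"minimum_tls_version": "1.2",
   "ip_restriction": [{"service_tag": "AzureFrontDoor.Backend", "action": "Allow",
    "headers": [{"x_azure_fdid": ["00000000-0000-0000-0000-000000000000"]}]}]}]}},
 {"address": "azurerm_windows_web_app.legacy", "type": "azurerm_windows_web_app",
  "values": {"https_only": false, "site_config": [{"minimum_tls_version": "1.0",
   "ip_restriction": [{"service_tag": "AzureFrontDoor.Backend", "action": "Allow",
    "headers": []}]}]}},
 {"address": "azurerm_cdn_frontdoor_route.open", "type": "azurerm_cdn_frontdoor_route",
  "values": {"forwarding_protocol": "MatchRequest"}}
]}}}
""")

WEB_APP_TYPES = {"azurerm_windows_web_app", "azurerm_linux_web_app"}

def walk(module):
    """Yield resources from a module and from all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def pins_front_door(rule):
    """True if an Allow rule requires the service tag AND a profile ID."""
    # The service tag alone admits every Front Door tenant; the X-Azure-FDID
    # header filter is what narrows the rule to a single profile.
    fdids = [g for h in rule.get("headers") or [] for g in h.get("x_azure_fdid") or []]
    return (rule.get("action") == "Allow" and bool(fdids)
            and rule.get("service_tag") == "AzureFrontDoor.Backend")

def audit(state):
    """Return (address, finding) pairs for origin-lockdown gaps."""
    findings = []
    for res in walk(state.get("values", {}).get("root_module", {})):
        addr, vals = res.get("address"), res.get("values") or {}
        if res.get("type") in WEB_APP_TYPES:
            cfg = (vals.get("site_config") or [{}])[0]
            rules = cfg.get("ip_restriction") or []
            if not rules:
                findings.append((addr, "no access restriction: origin reachable without Front Door"))
            elif not all(pins_front_door(r) for r in rules if r.get("action") == "Allow"):
                findings.append((addr, "allow rule not pinned to X-Azure-FDID"))
            if not vals.get("https_only"):
                findings.append((addr, "https_only is not enabled"))
            tls = cfg.get("minimum_tls_version")
            if tls and tuple(map(int, tls.split("."))) < (1, 2):
                findings.append((addr, f"minimum_tls_version {tls} is below 1.2"))
        elif res.get("type") == "azurerm_cdn_frontdoor_route":
            if vals.get("forwarding_protocol") != "HttpsOnly":
                findings.append((addr, "route may forward to the origin over HTTP"))
    return findings

if __name__ == "__main__":
    for address, finding in audit(SAMPLE_STATE):
        print(f"{address}: {finding}")
```

To run it against a real deployment, save the output of `terraform show -json` to a file, load it with `json.load`, and pass the result to `audit`.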


