Microsoft AZ-700: Design and Configure Azure Front Door

Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 5: Design and Configure Azure Front Door

Front Door is MS's modern cloud Content Delivery Network (CDN), providing fast, reliable, secure access between users and apps. It is delivered using the MS global edge network, with hundreds of global/local POPs close to both enterprise network and consumer end users.

Orgs have apps to make available to customers, suppliers, users, etc. These must be highly available. Additionally, they need quick response and security. Front Door has many SKUs to achieve this.

A secure, modern cloud CDN offers a distributed platform of servers, which minimizes latency. IT may desire to use a CDN and web app FW to control HTTP/HTTPS traffic to and from target apps.

  • Products available  (Table below from MS Learn)
  • Azure Front Door comparison
    • Offered in 2 tiers
      • Standard
      • Premium
    • Combine capability of Front Door (classic), CDN Standard from MS (classic) and Azure WAF into single secure cloud CDN with intelligent threat protection
    • Front Door exists in edge locations
    • Manages user requests for hosted apps
    • Users connect to app via MS Global Network
    • Routes requests to fastest/available app backend
    • Review the feature comparison table on MS Learn
  • Create a front door in Azure Portal
    • QuickStart
    • Can create through Quick Create, or through Custom Create, which allows a more advanced config
  • Routing architecture
    • Front Door traffic routing has many stages
      • Routed from client to Front Door
      • Front Door uses config to determine origin to send traffic to
      • Front Door web app FW, routing rules, rules engine, caching config affect process
      • Diagram below from MS Learn outlines architecture
  • Front Door route rules config structure
    • Major parts
      • Incoming Match
        • HTTP Protocols (HTTP/HTTPS)
        • Hosts (ex www.something.com, *.something.com)
        • Paths (ex /, /users, /file.ext)
      • Route Data
        • Front Door speeds up processing using caching
        • If enabled for route – uses cached response
        • If no cached response – forwards to appropriate backend in configured pool
      • Route Matching
        • Front Door attempts the most-specific match first. The algorithm matches first on HTTP protocol, then frontend host, then path
          • Frontend host
            • Look for any routing with exact match on host
            • If none, reject and send 400 Bad Request error
          • Path Match
            • Look for routing rule with exact match to path
            • If none, look for routing rule with wildcard path matching
            • If none of the above, reject with 400 Bad Request error
    • If there are no routing rules for an exact-match frontend host with a catch-all route Path (/*), then there is no match
    • Front Door redirects traffic at
      • Protocol
      • Hostname
      • Path
      • Query String
    • Above can be configured for individual microservice
  • Redirection types
    • Sets response status code for clients
    • Types supported (Table below from MS Learn)
  • Redirection protocol
    • Set protocol used for redirection – most common is set HTTP to HTTPS
    • HTTPS Only
      • Set protocol to HTTPS only if looking to redirect HTTP to HTTPS.
      • Azure Front Door recommends always setting the redirect to HTTPS only
    • HTTP Only
      • Incoming request is redirected to HTTP.
      • Use only when it is desired to keep traffic on HTTP, which is not encrypted
    • Match request
      • Option keeps proto used
  • Destination Host
    • When configuring redirect routing, one can also change the hostname or domain.
    • Set field to change hostname in URL or preserve hostname.
  • Destination Path
    • Use when replacing the path segment of the URL is desired
    • Or preserve the path value
  • Destination fragment
    • Dest Frag is portion of URL after #
    • Can set field to add fragment to redirect URL
  • Query string parameters
    • Replace query string parameter in redirect URL
    • To replace any existing query string from the inbound request, set to ‘Replace’ and then set the appropriate value
    • Or keep the original set of query strings by setting to ‘Preserve’
  • Configure rewrite policy
    • Front Door supports URL rewrite using optional Custom Forwarding Path
    • Host header used in the forwarded request is as configured for the selected backend
    • Read backend host header to learn what it does and how to configure
    • Powerful part of URL rewrite: the custom forwarding path copies any part of the inbound path that matches a wildcard path to the forwarded path
  • Configure health probes including custom HTTP response code
    • Front Door sends synthetic HTTP/HTTPS requests to each backend
    • Uses responses to determine “best” backend to route to
    • Front Door has many edges globally, so probe volume may be high (25 reqs/min to 1200 reqs/min)
    • At the default probe frequency of 30 seconds, probe volume on a backend should be ~200 req/min
  • Supported HTTP methods for health probes
    • HTTP or HTTPS
    • Same TCP port configured for routing client reqs, can’t be overridden
    • Front Door supports HTTP methods
      • GET
        • Retrieves entity info in request URI
      • HEAD
        • Identical to GET except server MUST NOT return message-body in response
        • Is the default, for lower load
  • Health probe responses
    • (Table below from MS Learn)
    • Front Door uses three step process for health determination
      • Exclude disabled backends
      • Exclude backends with health probe errors
        • Look at last n health probes. If x are healthy, backend is healthy
        • N configured by changing SampleSize property in lb settings
        • X configured by changing SuccessfulSamplesRequired property in lb settings
      • For healthy backends, Front Door additionally measures/maintains RTT for each backend
    • If single backend, choose disable health probes to reduce load.
  • Secure Front Door with TLS/SSL
    • Use HTTPS protocol to ensure sensitive data is delivered securely. When a browser connects to a website with HTTPS, it validates the website certificate and its authority
    • Key attributes
      • No extra cost
      • Simple enablement
        • Provisioning via Azure Portal or REST API
      • Complete cert management
        • All cert procurement/management handled for you. Certs automatically provision/renew before expiry
    • Check Tutorial – Configure HTTPS on a custom domain for Azure Front Door | Microsoft Learn
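
The route matching order from the notes above (protocol, then exact frontend host, then exact path, then wildcard path, otherwise 400 Bad Request), as an added Python model that is not Front Door's own code or part of the MS Learn module. The routes are constructed from the host/path examples in the notes; treating "most specific" as the longest wildcard prefix, rejecting a protocol mismatch with 400, and the `files.something.com` host are assumptions, and wildcard hosts are not modelled.

```python
from dataclasses import dataclass

BAD_REQUEST = 400  # status the notes give for an unmatched host or path

@dataclass(frozen=True)
class Route:
    name: str
    protocols: tuple   # accepted protocols, e.g. ("http", "https")
    hosts: tuple       # exact frontend hosts
    paths: tuple       # exact paths or trailing-wildcard paths such as "/users/*"

def match_route(routes, protocol, host, path):
    """Return (route_name, None) on a match or (None, 400) on rejection."""
    # Stage 1: protocol. Stage 2: exact frontend host.
    candidates = [r for r in routes
                  if protocol.lower() in r.protocols and host.lower() in r.hosts]
    if not candidates:
        return None, BAD_REQUEST
    # Stage 3a: an exact path match wins outright.
    for route in candidates:
        if path in route.paths:
            return route.name, None
    # Stage 3b: wildcard paths; longest pattern = most specific (assumption).
    best_len, best_name = -1, None
    for route in candidates:
        for pattern in route.paths:
            if pattern.endswith("/*") and path.startswith(pattern[:-1]):
                if len(pattern) > best_len:
                    best_len, best_name = len(pattern), route.name
    if best_name is None:
        # Host matched, but no exact path and no catch-all (/*): no match.
        return None, BAD_REQUEST
    return best_name, None

def sample_routes():
    """Constructed routes using the host/path examples from the notes."""
    return [
        Route("site", ("https",), ("www.something.com",), ("/*",)),
        Route("users", ("http", "https"), ("www.something.com",),
              ("/users", "/users/*")),
        Route("file", ("https",), ("files.something.com",), ("/file.ext",)),
    ]

if __name__ == "__main__":
    for req in [("https", "www.something.com", "/users/42"),
                ("https", "files.something.com", "/other"),
                ("https", "unknown.something.com", "/")]:
        print(req, "->", match_route(sample_routes(), *req))
```

The `file` route shows the catch-all caveat: its host matches exactly, but without a `/*` path any request other than `/file.ext` is rejected.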
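
The three-step health determination from the health probe notes above, as an added Python sketch that is not Front Door's implementation. `SAMPLE_SIZE` and `SUCCESSFUL_SAMPLES_REQUIRED` stand in for the n and x properties with constructed values; the backend names, probe histories and RTTs are constructed, and ordering the healthy backends by lowest RTT is an assumption based on the note that requests go to the fastest available backend.

```python
from collections import deque
from dataclasses import dataclass, field

SAMPLE_SIZE = 4                  # "n": how many recent probes are considered
SUCCESSFUL_SAMPLES_REQUIRED = 2  # "x": how many of those must be healthy

@dataclass
class Backend:
    name: str
    enabled: bool = True
    rtt_ms: float = 0.0
    # Sliding window of the last SAMPLE_SIZE probe results (True = healthy).
    samples: deque = field(default_factory=lambda: deque(maxlen=SAMPLE_SIZE))

    def record_probe(self, ok, rtt_ms=None):
        """Store one probe result; keep the RTT of successful probes."""
        self.samples.append(bool(ok))
        if ok and rtt_ms is not None:
            self.rtt_ms = rtt_ms

    def healthy(self):
        return sum(self.samples) >= SUCCESSFUL_SAMPLES_REQUIRED

def select_backends(backends):
    """Apply the three steps and return backend names, fastest first."""
    enabled = [b for b in backends if b.enabled]        # 1. drop disabled
    healthy = [b for b in enabled if b.healthy()]       # 2. drop probe failures
    ranked = sorted(healthy, key=lambda b: b.rtt_ms)    # 3. rank by RTT
    return [b.name for b in ranked]

def sample_pool():
    """Constructed pool: probe histories are oldest first."""
    history = {
        "east":  (True,  40, [True, True, True, True]),
        "west":  (True,  20, [True, False, False, False]),
        "north": (False, 10, [True, True, True, True]),   # disabled backend
        "south": (True,  25, [False, False, True, True]),
    }
    pool = []
    for name, (enabled, rtt, probes) in history.items():
        backend = Backend(name, enabled=enabled)
        for ok in probes:
            backend.record_probe(ok, rtt)
        pool.append(backend)
    return pool

if __name__ == "__main__":
    print(select_backends(sample_pool()))
```

A backend that has failed recent probes returns to rotation only after enough successful probes enter the window, which is why `west` in the sample pool stays excluded despite having the lowest RTT among enabled backends.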

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-design-and-configure-azure-front-door/