Front Door & CDN
Azure Front Door is a global, Layer 7 entry point that terminates connections at the edge near the user, routes to the healthiest and nearest origin over Microsoft's backbone, and caches static content at hundreds of points of presence. It combines global load balancing, a content delivery network, TLS, and a Web Application Firewall in one service.
It operates above the region. Application Gateway handles ingress inside a region; Front Door handles getting the user to the right region in the first place and serving cached content from the edge. For a multi-region app or any site with global users and static assets, it is the front of the whole architecture.
Global Anycast Entry
Front Door advertises anycast IPs, so a user connects to the nearest edge location automatically, and the long-haul hop to the origin travels Microsoft's backbone rather than the public internet. TLS is terminated at the edge, cutting handshake latency. This is the difference between a user in Sydney reaching a US origin directly and reaching a nearby edge that proxies efficiently to it.
Caching and Content Delivery
Front Door caches cacheable responses at the edge, serving static content — images, scripts, downloads — without touching the origin. Caching rules and cache-control headers govern what is cached and for how long, and purging invalidates content on demand. Effective caching is the largest single lever on both origin load and user-perceived latency.
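The paragraph above says cache-control headers and cache rules decide what the edge stores and for how long. The following is an added example, not code from the page or from Azure Front Door itself: a small shared-cache decision routine that follows the standard Cache-Control directives and a `rule_ttl` argument that stands in for a cache rule supplying a TTL when the origin sends none. The sample responses are constructed; the exact behaviour of Front Door's caching engine may differ in details.

```python
"""Decide from an origin response whether the edge may store it and for how long.
Illustrative model of the standard Cache-Control directives as a shared cache
reads them; an added example, not Front Door's caching engine, and the sample
responses below are constructed."""

# Directives that forbid a shared cache from storing the response as-is.
NO_STORE_DIRECTIVES = {"no-store", "private", "no-cache"}


def parse_cache_control(value):
    """'public, max-age=3600' -> {'public': None, 'max-age': '3600'}"""
    out = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            out[name.strip()] = arg.strip().strip('"') or None
    return out


def edge_cache_decision(status, headers, rule_ttl=0):
    """Return (cacheable, ttl_seconds). rule_ttl stands in for a cache rule that
    assigns a TTL when the origin sends no freshness directive; 0 means no rule."""
    h = {k.lower(): v for k, v in headers.items()}
    if status != 200 or "set-cookie" in h:
        return False, 0                          # per-user responses must not be shared
    cc = parse_cache_control(h.get("cache-control", ""))
    if cc.keys() & NO_STORE_DIRECTIVES:
        return False, 0
    for directive in ("s-maxage", "max-age"):    # s-maxage wins for a shared cache
        arg = cc.get(directive)
        if arg is not None and arg.isdigit():
            return int(arg) > 0, int(arg)
    return rule_ttl > 0, rule_ttl                # no directive: only a cache rule can help


# Constructed sample responses an origin might return.
SAMPLE_RESPONSES = {
    "hashed_bundle": (200, {"Cache-Control": "public, max-age=31536000, immutable"}),
    "logo_no_header": (200, {"Content-Type": "image/png"}),
    "user_dashboard": (200, {"Cache-Control": "private, max-age=600"}),
    "login_page": (200, {"Cache-Control": "max-age=300", "Set-Cookie": "sid=abc"}),
    "api_shared": (200, {"Cache-Control": "max-age=60, s-maxage=3600"}),
}


def report(rule_ttl=0):
    """Cacheability of every sample response under a given cache-rule TTL."""
    return {name: edge_cache_decision(s, h, rule_ttl)
            for name, (s, h) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    print("no cache rule:   ", report())
    print("rule_ttl=3600:   ", report(3600))
```

Run it and the `logo_no_header` row shows the pitfall from later on this page: with no Cache-Control from the origin and no cache rule, the asset is fetched from the origin on every request, and only a cache rule (`rule_ttl`) or a header from the origin turns caching on.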
Edge Web Application Firewall
The WAF runs at the edge, blocking OWASP Top 10 attacks, bots, and volumetric layer-7 floods before they reach a region — protection applied globally at the entry point rather than per-region. Combined with rate limiting and geo-filtering, it is the outermost layer of a web app's defense.
Routing and Tiers
Origin groups hold the backends Front Door routes to, with health probes and priority or weighted routing for failover and load distribution. The Standard tier covers content delivery, routing, and a WAF with custom rules and rate limiting; the Premium tier adds the Microsoft-managed WAF rule sets, bot protection, and private-link connectivity to origins. Choose Premium where managed rules, bot protection, and private origins matter.
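To make the origin-group semantics above concrete, here is an added model (not Front Door's own code) of how probes, priority and weight combine: an origin stays healthy while enough of its last `sample_size` probes succeeded, the lowest priority number among healthy origins is served, and weights split traffic within that priority. All origin names and probe results are constructed; `health_probes=False` models the case where no probe is configured.

```python
"""Model of how an origin group chooses where to send a request: probe results
are evaluated over a sliding window (sample size / successful samples required),
unhealthy origins are dropped, the lowest priority number wins, and weights
split traffic within that priority. Added illustration of the semantics the
text describes, not Front Door's own code; origins and probe results are
constructed."""
from dataclasses import dataclass, field
import random


@dataclass
class Origin:
    name: str
    priority: int              # 1 is served first; higher numbers are failover only
    weight: int                # traffic share among healthy origins of the same priority
    enabled: bool = True
    probes: list = field(default_factory=list)   # True = probe got a healthy response


@dataclass
class OriginGroup:
    origins: list
    health_probes: bool = True          # False models the "no health probes" pitfall
    sample_size: int = 4                # probes considered per health decision
    successful_samples_required: int = 3

    def record_probe(self, name, ok):
        next(o for o in self.origins if o.name == name).probes.append(ok)

    def is_healthy(self, origin):
        if not origin.enabled:
            return False
        if not self.health_probes:
            return True        # no probes: a dead origin is never taken out of rotation
        window = origin.probes[-self.sample_size:]
        if len(window) < self.sample_size:
            return True        # not enough history yet; treat as healthy
        return sum(window) >= self.successful_samples_required

    def candidates(self):
        """Healthy origins at the best (lowest-numbered) priority."""
        healthy = [o for o in self.origins if self.is_healthy(o)]
        if not healthy:
            return []
        top = min(o.priority for o in healthy)
        return [o for o in healthy if o.priority == top]

    def route(self, rng=random):
        """Weighted pick among the candidates; None when everything is down."""
        cands = self.candidates()
        if not cands:
            return None
        return rng.choices(cands, weights=[o.weight for o in cands], k=1)[0].name


def failover_walkthrough():
    """Constructed scenario: two active regions plus a standby at priority 2."""
    group = OriginGroup([Origin("eastus", 1, 1000),
                         Origin("westeurope", 1, 1000),
                         Origin("standby", 2, 1000)])
    steps = {}
    steps["all_healthy"] = [o.name for o in group.candidates()]
    for ok in (True, False, False, False):       # eastus fails 3 of its last 4 probes
        group.record_probe("eastus", ok)
    steps["east_down"] = [o.name for o in group.candidates()]
    for ok in (False, False, False, True):       # westeurope follows
        group.record_probe("westeurope", ok)
    steps["primaries_down"] = [o.name for o in group.candidates()]
    group.health_probes = False                  # same probe history, probes ignored
    steps["no_probes"] = [o.name for o in group.candidates()]
    return steps


if __name__ == "__main__":
    for step, names in failover_walkthrough().items():
        print(f"{step:>15}: {names}")
```

The last step is the point of the pitfall listed further down: with identical failing probe history but probes switched off, both primaries go straight back into rotation and the standby never takes over.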
Front Door — Global Layer 7 with edge termination, caching, and WAF. Choose it for multi-region web apps and content delivery.
Traffic Manager — DNS-based global routing with no data-path proxying. Choose it for non-HTTP endpoints or when you only need DNS-level direction.
Application Gateway — Regional Layer 7 ingress inside a VNet. Choose it for single-region web ingress or as Front Door's regional origin.
- Using Front Door as a regional ingress when Application Gateway belongs inside the VNet — Front Door is the global edge, not the regional load balancer.
- Leaving caching effectively off (no cache rules, no cache-control) and serving every static asset from the origin.
- Running the Standard tier when the workload needs the Premium managed WAF, bot protection, or private-link origins.
- Forgetting to purge the cache after a deploy, so users keep getting stale assets.
- Configuring origin groups without health probes, so failed origins keep receiving traffic.
- Relying on Front Door's WAF while leaving origins openly reachable on the public internet, bypassing the edge entirely.
- Use Front Door as the global entry for multi-region apps, with Application Gateway or App Service as the regional origin.
- Cache static content aggressively with cache rules and cache-control headers, and purge on deploy.
- Enable the Premium tier's managed WAF, bot protection, and private-link origins for public web apps.
- Configure origin groups with health probes and priority or weighted routing for failover.
- Lock origins down to accept traffic only from Front Door (via private link or service tags) so the edge cannot be bypassed.
- Use geo-filtering and rate limiting at the edge for an outer layer of defense.
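The lock-down item above (origins accept traffic only from Front Door) has an application-side counterpart. The example below is added here and is not the page's or Microsoft's code: Front Door really does stamp proxied requests with an `X-Azure-FDID` header carrying the profile's Front Door ID, so an origin can check that value alongside a source-IP restriction. The profile ID, the IP ranges standing in for the AzureFrontDoor.Backend service tag, and the sample requests are all constructed placeholders.

```python
"""Origin-side enforcement so that only requests proxied by one specific Front
Door profile are served. Added example, not the page's or Microsoft's code: the
X-Azure-FDID header is what Front Door sends, but the profile ID, the IP ranges
and the requests below are constructed placeholders."""
import hmac
import ipaddress

# Placeholder: replace with the Front Door ID shown on your profile's overview page.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"

# Constructed stand-in for the AzureFrontDoor.Backend service-tag ranges. In a real
# deployment the NSG or firewall rule references the service tag directly; this
# list exists only so the example runs offline.
FRONT_DOOR_SOURCE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:fd00::/48"),
]


def from_our_front_door(remote_addr, headers):
    """Return (allowed, reason). Both checks matter: the IP check stops a direct
    hit on the origin, the ID check stops another tenant's Front Door (which
    arrives from the same Microsoft ranges) from fronting this origin."""
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable source address"
    if not any(src in net for net in FRONT_DOOR_SOURCE_RANGES):
        return False, "source not in Front Door ranges"
    h = {k.lower(): v for k, v in headers.items()}
    fdid = h.get("x-azure-fdid")
    if fdid is None:
        return False, "missing X-Azure-FDID"
    if not hmac.compare_digest(fdid.strip(), EXPECTED_FDID):
        return False, "X-Azure-FDID does not match this profile"
    return True, "ok"


def front_door_only(app):
    """WSGI middleware: reject anything that did not come through our profile."""
    def guarded(environ, start_response):
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        allowed, reason = from_our_front_door(environ.get("REMOTE_ADDR", ""), headers)
        if not allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [reason.encode()]
        return app(environ, start_response)
    return guarded


def check_cases():
    """Constructed requests covering the bypass paths the check is meant to close."""
    cases = {
        "via_our_front_door": ("203.0.113.10", {"X-Azure-FDID": EXPECTED_FDID}),
        "direct_with_copied_header": ("198.51.100.7", {"X-Azure-FDID": EXPECTED_FDID}),
        "front_door_range_no_header": ("203.0.113.10", {}),
        "someone_elses_profile": ("203.0.113.10",
                                  {"X-Azure-FDID": "11111111-1111-1111-1111-111111111111"}),
    }
    return {name: from_our_front_door(ip, hdr) for name, (ip, hdr) in cases.items()}


if __name__ == "__main__":
    for name, result in check_cases().items():
        print(f"{name:>28}: {result}")
```

The header check is a complement to, not a replacement for, the network restriction: the header is trivially copied into a direct request, so it only means something once the origin is unreachable except from Front Door's ranges or, on the Premium tier, only over private link. The constant-time comparison is a habit rather than a necessity here; the ID is not a secret in the cryptographic sense.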
Knowledge Check
What does Front Door provide that Application Gateway does not?
- Global edge entry — anycast routing, edge TLS termination, and CDN caching across points of presence
- Layer 7 path and host URL routing, which only Front Door supports
- A fully managed Web Application Firewall layer, a capability that Application Gateway entirely lacks
- Operation inside a single regional virtual network
When is Traffic Manager the better choice than Front Door?
- For non-HTTP endpoints or when only DNS-level routing is needed, with no data-path proxying
- For caching static content at the edge points of presence sitting close to end users worldwide
- For running a Web Application Firewall on the data path
- For terminating inbound TLS connections near the user
What is the largest single lever on origin load and user latency with Front Door?
- Effective edge caching of static content via cache rules and cache-control headers
- Choosing the Standard pricing tier over the Premium tier for the profile's routing
- Disabling health probes entirely to reduce origin overhead
- Adding more origins to the backend origin group