Traffic Manager
Traffic Manager is DNS-based global traffic routing. It answers DNS queries with the best endpoint for each client according to a routing method, directing users to a region before any connection is made. Because it works at the DNS layer, it never sees the traffic itself — it only decides which address the client resolves.
That DNS-level operation is the key distinction from Front Door. Traffic Manager does not terminate connections, cache, or inspect traffic; it routes by handing out IPs. It suits non-HTTP endpoints and scenarios where DNS-level direction is enough, while Front Door is the choice when you want edge termination, caching, and a WAF in the data path.
Routing Methods
Several routing methods decide which endpoint a query resolves to: priority (active-passive failover), weighted (split traffic by ratio), performance (lowest-latency region for the client), geographic (route by the user's location, often for compliance), multivalue (return several healthy endpoints), and subnet (map client IP ranges to endpoints). The method encodes the routing policy in DNS responses.
Endpoint Monitoring
Traffic Manager probes endpoint health and stops returning unhealthy endpoints, so failover happens by removing a bad address from DNS answers. This is health-aware DNS, not a load balancer — it influences which endpoint clients resolve, but the clients connect directly to that endpoint afterward.
DNS-Based Limits
Because routing is DNS, clients and resolvers cache the answer for the record's TTL, so failover is only as fast as that TTL allows — a low TTL speeds failover but increases query volume. And once a client has resolved an endpoint, it connects there directly; Traffic Manager cannot redirect an in-flight connection or balance individual requests. These are the inherent limits of routing at the DNS layer.
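The TTL trade-off described above, as an added example that is not part of the original page or Azure's own code: a toy priority-routing profile with health probes sits behind a caching resolver, and the simulation measures how long clients keep receiving a failed primary and how many queries reach the authoritative side. The class names, the addresses, the 30-second probe interval and the rule that one failed probe marks an endpoint down are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    address: str
    priority: int
    healthy: bool = True       # real state of the endpoint
    seen_healthy: bool = True  # state recorded by the most recent probe

class PriorityProfile:
    """Toy priority-routing profile; a simplification, not Azure's implementation."""
    def __init__(self, endpoints, ttl):
        self.endpoints = sorted(endpoints, key=lambda e: e.priority)
        self.ttl = ttl

    def probe(self):
        for e in self.endpoints:  # assumption: one failed probe marks an endpoint down
            e.seen_healthy = e.healthy

    def answer(self):
        # Lowest priority number wins among endpoints whose last probe succeeded.
        for e in self.endpoints:
            if e.seen_healthy:
                return e.address, self.ttl
        return self.endpoints[0].address, self.ttl  # assumption: all down, still answer

class CachingResolver:
    """Recursive resolver that reuses an answer until its TTL expires."""
    def __init__(self, profile):
        self.profile, self.cached, self.expires, self.queries = profile, None, 0, 0

    def resolve(self, now):
        if self.cached is None or now >= self.expires:
            self.cached, ttl = self.profile.answer()
            self.expires = now + ttl
            self.queries += 1
        return self.cached

def simulate(ttl, probe_interval=30, fail_at=45, horizon=600):
    """Return (seconds clients were sent to the dead primary, authoritative queries)."""
    primary = Endpoint("198.51.100.10", 1)   # constructed documentation addresses
    secondary = Endpoint("203.0.113.20", 2)
    profile = PriorityProfile([primary, secondary], ttl)
    resolver, stale = CachingResolver(profile), 0
    for now in range(horizon):               # one resolution attempt per second
        if now == fail_at:
            primary.healthy = False
        if now % probe_interval == 0:
            profile.probe()
        if resolver.resolve(now) == primary.address and not primary.healthy:
            stale += 1
    return stale, resolver.queries
```

Calling `simulate(300)` and `simulate(30)` shows both sides of the trade-off: the long TTL keeps clients on the failed address for most of the cache lifetime with very few queries, while the short TTL fails over within one probe cycle at ten times the query volume.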
Traffic Manager — DNS-level global routing with no data-path proxying. Choose it for non-HTTP endpoints, or when DNS direction and health-based failover are enough.
Front Door — Edge-terminated Layer 7 with anycast routing, caching, and WAF in the data path. Choose it for HTTP apps needing edge performance and security.
Common Mistakes
- Using Traffic Manager for an HTTP app that needs edge caching, TLS termination, or a WAF — that is Front Door's job.
- Setting a long TTL and expecting fast failover — clients cache the DNS answer for the TTL before re-resolving.
- Expecting Traffic Manager to redirect an in-flight connection or balance per request — it only influences DNS resolution.
- Choosing the wrong routing method — for example, performance routing where geographic compliance routing was required.
- Relying on it without endpoint health probes, so failed endpoints keep being handed out.
- Forgetting that clients connect directly to the resolved endpoint, so the endpoint must be reachable and secured on its own.
Best Practices
- Use Traffic Manager for non-HTTP endpoints or pure DNS-level global routing; use Front Door for HTTP apps needing the data path.
- Choose the routing method for the goal — performance for latency, geographic for compliance, priority for failover, weighted for splits.
- Set a TTL that balances failover speed against query volume.
- Enable endpoint monitoring so unhealthy endpoints drop out of DNS answers.
- Combine Traffic Manager with Front Door or regional load balancers when both DNS-level and data-path control are needed.
- Secure each endpoint independently, since clients connect to it directly after resolving.
Knowledge Check
How does Traffic Manager route traffic?
- At the DNS layer — it answers queries with the best endpoint's address; clients then connect directly
- By terminating inbound client connections at the edge and then proxying each one through to the backend origins
- By caching responses near the user at edge locations
- By inspecting HTTP request headers along the data path
Why can DNS TTL slow Traffic Manager failover?
- Clients and resolvers cache the resolved endpoint for the TTL before querying again
- A long TTL value quietly disables the continuous endpoint health probes that run in the background
- TTL controls the WAF security rule refresh interval
- TTL caps the total number of configured endpoints
Which routing method enforces compliance by directing users based on their location?
- Geographic routing
- Performance routing
- Weighted routing
- Priority routing