Azure Front Door - capabilities and limitations
Updated: Aug 30, 2019
Azure Front Door (AFD) in combination with Web Application Firewall (WAF) provides amazing capabilities for application delivery and security.
AFD documentation is pretty good, but I could not find a concise "at-a-glance" / "cheat sheet" document for AFD and WAF that lists their capabilities and limitations. I find such at-a-glance documents helpful when deciding which Azure services to use in a solution architecture, and how. Not finding one, I created my own. Hope it helps others too.
Azure Front Door summary
Azure Front Door Service
Azure Front Door is a globally distributed application delivery network that provides the following capabilities:
Global failover for high availability.
Optimizing for best performance
Azure WAF (integrated with Front Door) provides the following capabilities:
Protection from common threats such as SQL injection, cross-site scripting and other web exploits
Protection against denial-of-service attacks (based on client IP addresses, call rate, country code, and HTTP parameters)
Supports both custom and managed (built-in) rules
Comparison of Azure load-balancing services
The table below suggests that the most closely related services are Azure Front Door and Application Gateway.
If you look at the AFD and AGW configuration you see the same "front host" - "routing rule" - "back end" triplets.
Front Door routing
Application Gateway routing
Therefore the next table compares Azure Front Door and Application Gateway in more detail. The advantages of each service are highlighted.
Hopefully this is enough to provide initial design direction (e.g. if you need to expose an App Service on a vNet you are better off with Application Gateway due to its native vNet integration, but if you want to deploy a public service then Front Door's rate limiting and DDoS protection seem to win).
Due to their complementary capabilities there are scenarios in which Azure Front Door and Application Gateway should be used together. Microsoft provides a summary of these scenarios in "When should we deploy an Application Gateway behind Front Door?"
To put it in a single sentence: deploy Application Gateway behind Front Door when you need to load-balance locally within a vNet.
Front Door Deployment Approach
At the moment it seems safer not to bundle too many applications into a single Front Door instance.
If you hit the error below and it stays there for hours or days, it is reassuring to know that at least provisioning of other applications on other Front Door instances is not affected.
Now that we have an idea of where and how to use Azure Front Door, let's take a closer look at some of its key capabilities.
Application layer security
A preconfigured set of rules against common top OWASP vulnerabilities is enabled by default.
Azure Front Door allows you to author custom web application firewall (WAF) rules for access control, to protect your HTTP/HTTPS workload from exploitation based on client IP addresses, country code, and HTTP parameters.
Additionally, Front Door also enables you to create rate limiting rules to battle malicious bot traffic.
For an example of setting up a rate limiting rule, refer to the post "Azure Front Door and Web Application Firewall - in 10 min".
When a firewall rule is triggered and traffic is blocked, you can query the history and details from the diagnostic logs.
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where Category == 'FrontdoorWebApplicationFirewallLog'
| project TimeGenerated, clientIP_s, ruleName_s, policy_s, action_s, host_s, requestUri_s
| sort by TimeGenerated desc
Allowed requests are recorded as well.
If you get a 503 error from Azure Front Door there is not much information in the Front Door diagnostics to help you determine the root cause. The actual error from the back end is simply not there; you see the same 503 error that you see on the screen.
And I have already encountered scenarios where the back end responds in Postman but Front Door still returns 503. A case has been opened with Microsoft to look into the issue.
Azure Front Door at the moment (Aug 16, 2019) does not support self-signed certificates at the back end. It also does not seem to allow downloading the Front Door managed certificate for use on the back end.
Summary: Currently all back ends used with Azure Front Door have to use properly signed certificates. Hopefully this changes soon.
You can vote for this feature here.
When setting the request rate limit you need to take into account the total number of HTTP requests required to load an application page, not just the user's page hits.
If a single page load includes 10 HTTP requests and your rate limit is set to 100/minute, then Front Door will start blocking your clients after about 10 page loads per minute.
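As an added example (not code from the original post), the following Python mirrors the KQL query above over constructed WAF log records and adds the page-load budget check just described. The column names come from the query in the post; the record values, the rule names and the helper functions are constructed for illustration.

```python
"""Triage helper for Azure Front Door WAF diagnostics (added example).

Mirrors the post's KQL query (Category == 'FrontdoorWebApplicationFirewallLog')
over constructed records, and computes the rate-limit budget the post describes:
a rate limit counts every HTTP request, so a page made of N requests exhausts a
limit of L requests/minute after floor(L / N) full page loads.
"""
from collections import Counter
from datetime import datetime

WAF_CATEGORY = "FrontdoorWebApplicationFirewallLog"


def _rec(ts, ip, rule, action, uri, category=WAF_CATEGORY):
    """Build one constructed AzureDiagnostics-style record (column names from the post)."""
    return {"TimeGenerated": ts, "Category": category, "clientIP_s": ip,
            "ruleName_s": rule, "policy_s": "wafpolicy-example", "action_s": action,
            "host_s": "app.example.com", "requestUri_s": uri}


# Constructed sample: two rate-limit blocks, one custom-rule block, one allow,
# and one access-log record that the category filter must skip.
SAMPLE_LOGS = [
    _rec("2019-08-16T10:00:01Z", "203.0.113.10", "RateLimitRule", "Block", "/api/items"),
    _rec("2019-08-16T10:00:02Z", "203.0.113.10", "RateLimitRule", "Block", "/api/items"),
    _rec("2019-08-16T10:00:03Z", "198.51.100.7", "BlockCountryRule", "Block", "/search"),
    _rec("2019-08-16T10:00:04Z", "198.51.100.7", "", "Allow", "/"),
    _rec("2019-08-16T10:00:05Z", "198.51.100.7", "", "Allow", "/", category="FrontdoorAccessLog"),
]


def waf_summary(records, since=None):
    """Return (blocked counts per (clientIP, rule), number of allowed requests).

    `since` is an optional naive UTC datetime playing the role of `ago(1h)`.
    """
    blocked, allowed = Counter(), 0
    for r in records:
        if r.get("Category") != WAF_CATEGORY:          # the KQL `where Category ==` filter
            continue
        ts = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        if since is not None and ts < since:
            continue
        if r["action_s"] == "Block":
            blocked[(r["clientIP_s"], r["ruleName_s"])] += 1
        elif r["action_s"] == "Allow":
            allowed += 1
    return blocked, allowed


def page_loads_before_block(rate_limit_per_minute, requests_per_page):
    """Full page loads a client can complete per minute before the rate limit trips."""
    return rate_limit_per_minute // requests_per_page
```

Running waf_summary over a real export of the query's output works the same way, since the record keys match the projected columns.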