Azure Front Door – Best Practices, Configuration, Caching, and Logging
This document summarizes recommended practices, configuration steps, sample scripts, and links to official Microsoft documentation for deploying Azure Front Door.
1. Overview
Azure Front Door (AFD) is a scalable and secure entry point for fast delivery of your global web applications. It combines load balancing, intelligent routing, WAF, and application acceleration via caching.
2. General Best Practices
2.1 Choose the Right Global Load Balancer
- Use Azure Front Door for TLS termination, advanced routing, application-layer security, caching/CDN, and acceleration.
- Use Azure Traffic Manager for DNS-based load balancing without HTTP(S) features.
- If combining, Front Door should sit in front of Traffic Manager for high-availability setups.
- Restrict direct origin access (block requests to app service/public IP except those routed via AFD).
More details:
Microsoft Best Practices
Well-Architected AFD Guide
3. Security & TLS
- Enable end-to-end TLS: Require HTTPS both between client→AFD and AFD→origin. Set TLS version to 1.2 or higher.
- Use custom domains and certificates managed in Azure Key Vault for automation.
- HTTP to HTTPS redirect: Enforce redirection using route rules.
- Enable Web Application Firewall (WAF): Protect against OWASP top threats and DDoS.
Example portal steps:
- Go to Front Door profile → “Frontend/domains” → Add custom domain.
- Under “Routing rules”, enable “Redirect HTTP to HTTPS”.
- Under “Security”, set minimum TLS version.
- Attach or create WAF policy.
Reference:
Microsoft AFD Security Best Practices
4. Caching Best Practices
- Set Cache-Control headers in app responses for precise expiration (do not rely on AFD’s 1-3 day default).
- Use short or disabled caching (Cache-Control: no-store) in non-prod; use longer TTLs for static assets in production.
- Purge cache via portal/API/CLI after content changes.
Sample: Azure CLI for purge
az network front-door purge-endpoint \
  --resource-group <RG> \
  --name <FDName> \
  --content-paths "/images/*"
Reference:
How to Avoid Caching Woes with Microsoft Azure Front Door
5. Logging and Monitoring
- Enable diagnostic logs: Go to Azure Portal → Front Door → Diagnostic settings.
- Route logs to Log Analytics, Storage, or Event Hub.
- Log types: WAF logs, Front Door access logs (request/response, cache status, attacker IPs, geo, latency).
- Monitor metrics: Request/response count, cache hit ratio, health probe status, error codes.
Sample: Enable Diagnostic Logging via Azure CLI
az monitor diagnostic-settings create \
  --name <DiagnosticSettingName> \
  --resource <FrontDoorResourceId> \
  --workspace <LogAnalyticsWorkspaceId> \
  --logs '[{"category":"FrontdoorAccessLog","enabled":true},{"category":"FrontdoorWebApplicationFirewallLog","enabled":true}]'
6. Standard Practices/Architecture
- Prefer active-active multi-region deployments for high availability.
- For scaling, design with stateless web services (minimize need for sticky sessions).
- Deploy and update via ARM/Bicep templates for repeatable, versioned infrastructure.
7. Example Step-by-Step: Minimal Setup
a. Create Front Door (Portal Steps)
- Create resource → Azure Front Door (Standard/Premium)
- Add frontend/domains: Provide custom domain, enable HTTPS.
- Add backend pools: Add web apps, VMs, or APIs as backends.
- Set “backend host type” accordingly.
- Secure origins; allow only AFD via Private Link or IP header rule.
- Create routing rules: Define matching paths and origin pools.
- Enable caching if needed.
- Enable diagnostic logging/WAF.
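One way to implement the header side of the "secure origins" step above, as an added example that is not part of the original page or Microsoft's own code: a WSGI middleware that rejects any request not carrying the expected X-Azure-FDID value, the header Front Door adds to origin requests. It assumes the origin is a Python WSGI app; `FrontDoorOnly`, `demo_app`, `status_for` and the all-zero ID are hypothetical names and placeholders.

```python
import hmac

# Assumption: placeholder value. Use the Front Door ID of your own profile
# and load it from configuration rather than source code.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


class FrontDoorOnly:
    """WSGI middleware: reject requests that did not pass through our AFD."""

    def __init__(self, app, expected_fdid):
        if not expected_fdid:
            # Fail closed: an empty expected ID would match a missing header.
            raise ValueError("expected_fdid must be set")
        self.app = app
        self.expected = expected_fdid.strip().lower().encode()

    def _allowed(self, environ):
        # WSGI exposes the X-Azure-FDID request header under this key.
        presented = environ.get("HTTP_X_AZURE_FDID", "").strip().lower().encode()
        # Constant-time compare; an absent header yields b"" and fails.
        return hmac.compare_digest(presented, self.expected)

    def __call__(self, environ, start_response):
        if not self._allowed(environ):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
                ("Cache-Control", "no-store"),  # never cache the rejection
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def status_for(headers):
    """Run one constructed request through the middleware; return its status."""
    seen = []
    app = FrontDoorOnly(demo_app, EXPECTED_FDID)
    b"".join(app(dict(headers), lambda status, hdrs: seen.append(status)))
    return seen[0]
```

The header check is only meaningful together with a network restriction to Front Door's backend address ranges: the ranges are shared by every Front Door profile, and the header can be set by anyone who reaches the origin directly.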
b. Sample ARM Snippet for Caching Rule
{
  "properties": {
    "cachingEnabled": true,
    "cacheDuration": "P1D",
    "queryParameters": "*"
  }
}
(Add to routingRules properties in ARM template)
8. Additional References
9. Summary
- Use AFD in front for acceleration, security, and global scaling.
- Always secure origins; block direct traffic.
- Set explicit caching headers.
- Enable logs/diagnostics for visibility and tuning.
- Use ARM/Bicep for infra-as-code deployments.
- Reference Microsoft best practices regularly as features evolve.