
What is Azure Front Door?

In this post, I will discuss another surprise service announcement from Microsoft Ignite, Azure Front Door, answering what this thing is, and dealing with the fear of “version 1.0”.

Performance and Redirection Options

We have no shortage of network performance, load balancing and redirection options in Microsoft Azure:

  • Load Balancer: If you wish to present a number of virtual machines as a single public or private IP address to other services or clients, then either the Basic (free) or Standard tier load balancers can be used to load balance TCP or UDP traffic.
  • (Web) Application Gateway (WAG): Layer 7 load balancing for HTTP or HTTPS services is possible using this instance-based option.
  • Third-Party Network Virtualization Appliances: A variety of third-party applications can be run in Linux appliances to offer load balancing from the likes of Kemp, Citrix, F5, and more.
  • Traffic Manager: This micro-payment service can abstract the public endpoints (IP address and DNS name) of Azure or external services, allowing you to use a CNAME DNS record that is load balanced, prioritized, or redirected (geography or performance) to the most suitable service host.
  • Content Delivery Network (CDN): Azure supports a native CDN, as well as Akamai and Verizon, to improve the delivery of static content.
  • Third-Party CDN: You can use the likes of Cloudflare or Incapsula as an external CDN, and they often provide additional services such as DDoS protection.

Microsoft decided that this wasn’t enough, so they have made Front Door available to us – note that wording! But before we discuss Front Door, let’s talk about the Microsoft WAN.

The Microsoft WAN

Microsoft believes that they operate the second largest private global dark fiber network in the world:

  • 100,000 miles of fiber cable
  • 54 Azure regions, with multiple data centers each (some still in construction)
  • 130+ edge sites

The Microsoft WAN, as shared at Microsoft Ignite [Image Credit: Microsoft]

Once you get a packet onto this WAN, you have an extremely low latency connection between any two points. For example, if a client connects to Azure in California, they have a low latency connection all the way to Microsoft services in The Netherlands – the speed cannot be matched on the public Internet where there would be many hops and much higher latency.

Let’s say that you use a service such as Cloudflare or Azure’s Traffic Manager to present a web service to the world. Once a client hits your public frontend, it will be redirected across the public Internet to the public IP address (endpoint) of your website. If the client is in Sydney, Australia, and the service is hosted in India, then that introduces a lot of latency. Static content delivery will be enhanced, but other interactive services will suffer from latency.

What if we could enable the client to enter the Microsoft WAN closer to their location, and connect to the Azure-hosted service across that WAN?

Front Door

Microsoft developed Front Door 5 years ago to enhance the performance of interactive services such as Office 365 and Bing. Since then, this globally deployed service has been battle tested by millions, if not billions, of users. Front Door is not new – it’s newly available – making it an unusual “new” cloud service because it is already mature.

What does it do? Front Door is an entry point into the Microsoft WAN that is deployed in edge sites around the world. When you connect to a service that Front Door is enhancing, you enter the Microsoft WAN through the closest (anycast) edge site and, from there, you connect to the closest available (probe-tested) instance or replica of the service via the Microsoft WAN.

What Front Door Offers

You can think of Front Door as global load balancing, but it is doing more by enhancing performance. High availability is added too; you can deploy multiple instances of your service around the world, which also enhances performance, but a health probe will remove an instance from service while it is deemed unresponsive.

You can configure many sites through Front Door. This is a service that Microsoft has been using for their own cloud services, so it is hugely scalable.

Additional services are also offered:

  • URL redirection
  • Session affinity
  • SSL termination
  • Security via customer WAF rules and DDoS protection
  • URL rewrite
  • IPv6 and HTTP/2 support


Front Door is a consumption-based service, meaning that you pay for what you use. The service is in Preview, so it is offered at lower-than-normal prices, which we should expect to increase – to double, going by recent preview-to-general-availability price changes. The preview pricing for outbound data transfer through Front Door works out roughly the same as the cost of regular outbound data transfer, which is OK.

It looks like routing rules within Front Door will eventually have a charge – they are free today, but that free item is on the price list. And notably, inbound data transfer does have an unwelcome charge – that’s the first occurrence of this that I have observed in Microsoft Azure and I hope that it is not a precedent.


I have not had a chance to test or deploy Front Door with a real-world scenario yet. But I like the concept. This is not a service for everyone, but I do have a few customers with large international services where the performance will be important, and Front Door will play a role, possibly in conjunction with other network enhancements such as the WAG. I’ll post more about Front Door when I have had a chance to test it out.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.