What is Azure Front Door?

In this post, I will discuss another surprise service announcement from Microsoft Ignite, Azure Front Door, answering what this thing is, and dealing with the fear of “version 1.0”.

Performance and Redirection Options

We have no shortage of network performance, load balancing and redirection options in Microsoft Azure:

  • Load Balancer: If you wish to present a number of virtual machines as a single public or private IP address to other services or clients, then either the Basic (free) or Standard tier load balancers can be used to load balance TCP or UDP traffic.
  • (Web) Application Gateway (WAG): Layer 7 load balancing for HTTP or HTTPS services is possible using this instance-based option.
  • Third-Party Network Virtualization Appliances: A variety of third-party applications can be run in Linux appliances to offer load balancing from the likes of Kemp, Citrix, F5, and more.
  • Traffic Manager: This micro-payment service can abstract the public endpoints (IP address and DNS name) of Azure or external services, allowing you to use a CNAME DNS record that is load balanced, prioritized, or redirected (geography or performance) to the most suitable service host.
  • Content Delivery Network (CDN): Azure supports a native CDN, as well as Akamai and Verizon, to improve the delivery of static content.
  • Third-Party CDN: You can use the likes of Cloudflare or Incapsula as an external CDN, and they often provide additional services such as DDoS protection.

Microsoft decided that this wasn’t enough, so they have made Front Door available to us – note that wording! But before we discuss Front Door, let’s talk about the Microsoft WAN.

The Microsoft WAN

Microsoft believes that they operate the second largest private global dark fiber network in the world:

  • 100,000 miles of fiber cable
  • 54 Azure regions, with multiple data centers each (some still in construction)
  • 130+ edge sites

The Microsoft WAN, as shared at Microsoft Ignite [Image Credit: Microsoft]
Once you get a packet onto this WAN, you have an extremely low latency connection between any two points. For example, if a client connects to Azure in California, they have a low latency connection all the way to Microsoft services in the Netherlands – the speed cannot be matched on the public Internet where there would be many hops and much higher latency.
Let’s say that you use a service such as Cloudflare or Azure’s Traffic Manager to present a web service to the world. Once a client hits your public frontend, it will be redirected across the public Internet to the public IP address (endpoint) of your website. If the client is in Sydney, Australia, and the service is hosted in India, then that introduces a lot of latency. Static content delivery will be enhanced, but other interactive services will suffer from latency.
What if we could enable the client to enter the Microsoft WAN closer to their location, and connect to the Azure-hosted service across that WAN?

Front Door

Microsoft developed Front Door 5 years ago to enhance the performance of interactive services such as Office 365 and Bing. Since then, this globally deployed service has been battle tested by millions, if not billions, of users. Front Door is not new – it’s newly available – making it an unusual “new” cloud service because it is already mature.
What does it do? Front Door is an entry point into the Microsoft WAN that is deployed in edge sites around the world. When you connect to a service that Front Door is enhancing, you enter the Microsoft WAN through the closest (anycast) edge site and, from there, you connect to the closest available (probe tested) instance or replica of the service via the Microsoft WAN.

What Front Door Offers

You can think of Front Door as global load balancing, but it is doing more by enhancing performance. High availability is added too; you can deploy multiple instances of your service around the world, which also enhances performance, but a health probe will remove an instance from service while it is deemed unresponsive.
You can configure many sites through Front Door. This is a service that Microsoft has been using for their own cloud services, so it is hugely scalable.
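
The probe-driven behaviour described above can be modelled in a few lines. This is an added example, not Microsoft's code and not a statement of Front Door's actual algorithm: the probe window, the success threshold, the region names and the latencies are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW = 4   # assumed: number of recent probes remembered per backend
MIN_OK = 2   # assumed: successes needed in the window to stay in rotation


@dataclass
class Backend:
    name: str
    latency_ms: float  # constructed edge-to-backend latency
    probes: deque = field(default_factory=lambda: deque(maxlen=WINDOW))

    def record_probe(self, ok: bool) -> None:
        self.probes.append(ok)

    @property
    def healthy(self) -> bool:
        # A backend with no probe history is not trusted with traffic yet.
        return sum(self.probes) >= MIN_OK


def pick_backend(backends):
    """Return the lowest-latency healthy backend, or None if all are out."""
    candidates = [b for b in backends if b.healthy]
    return min(candidates, key=lambda b: b.latency_ms, default=None)


def simulate():
    """Constructed scenario: the closest replica fails, then recovers."""
    west = Backend("west-europe", 12.0)
    india = Backend("central-india", 140.0)
    pool = [west, india]
    for b in pool:
        for _ in range(WINDOW):
            b.record_probe(True)
    chosen = [pick_backend(pool).name]      # both healthy: closest wins
    for _ in range(3):
        west.record_probe(False)            # west stops answering probes
    chosen.append(pick_backend(pool).name)  # traffic fails over to india
    for _ in range(2):
        west.record_probe(True)             # west answers again
    chosen.append(pick_backend(pool).name)  # closest replica is used again
    return chosen
```

When every backend is out of rotation `pick_backend` returns `None`, which is the case a global entry point has to handle explicitly rather than sending traffic to an unresponsive replica.
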
Additional services are also offered:

  • URL redirection
  • Session affinity
  • SSL termination
  • Security via customer WAF rules and DDoS protection
  • URL rewrite
  • IPv6 and HTTP/2 support


Front Door is a consumption-based service, meaning that you pay for what you use. The service is in Preview, so it is offering lower than normal prices, which we should expect to increase – double based on recent preview-to-general availability price changes. The preview pricing for outbound data transfer through Front Door works out roughly the same as the cost of regular outbound data transfer, which is OK.
It looks like routing rules within Front Door will eventually have a charge – it is free today, but that free charge is on the price list. And notably, inbound data transfer does have an unwelcome charge – that’s the first occurrence of this that I have observed in Microsoft Azure and I hope that it is not a precedent.


I have not had a chance to test or deploy Front Door with a real-world scenario yet. But I like the concept. This is not a service for everyone, but I do have a few customers with large international services where the performance will be important, and Front Door will play a role, possibly in conjunction with other network enhancements such as the WAG. I’ll post more about Front Door when I have had a chance to test it out.
