In this blog, I will go over the benefits of Azure Front Door and how you can utilize it with a Web Application Firewall to allow your applications to scale with solid security. I will follow up with another blog on deploying Azure Front Door using a Web Application Firewall with custom rules.
Azure Front Door is a modern content delivery network (CDN) service that delivers high performance and scalability and gives a secure user experience for your content and applications. It operates at Layer 7 (HTTP/HTTPS-based) of the networking stack and uses the Microsoft Global Edge network to accept traffic from end users. You can then associate Azure Front Door with a Web Application Firewall to enhance the security of your applications. One thing to note is that multiple ways of Load Balancing in Azure exist as the Azure Load Balancer will operate at Layer 4 of the networking model. The main difference here is that Layer 4 is the transport layer and Layer 7 is the application layer. Decisions that can be made at Layer 4 are most commonly around the TCP and UDP protocols. You will not be able to make decisions based on information at the application level.
Azure Front Door Architecture
Azure Front Door | Microsoft Learn
Web Application Firewall On Azure Front Door Architecture
What Is Azure Web Application Firewall On Azure Front Door? | Microsoft Learn
Before implementing Azure Front Door, you need to decide if you want to use the Classic, Standard, or Premium versions. You can find the differences below in this article.
Azure Front Door Tier Comparison | Microsoft Learn
Both Standard and the Premium versions of Azure Front Door contain several common features, including:
- Layer 7 routing
- SSL Offload
- Global load balancing
- URL rewrite
- Metrics and Diagnostics
- Custom Domains
Azure Front Door Premium contains the following extra benefits:
- Web Application Firewall (WAF) support
- Private link support
- Bot protection
The premium features of the Web Application Firewall and Private link support leverages you to have enhanced security for your Azure Front Door configuration. Adding both of these features to your Azure Front Door configuration will significantly improve security in your environment. One big thing to remember about the premium version of Azure Front Door is that it includes the Web Application Firewall (WAF), and if you were to use this with the classic version, you would have to pay an additional cost.
Benefits Of Using Azure Private Links
Azure Private Links will allow your organization to secure your origin and ensure that the service traffic between your virtual networks is traversed through the Microsoft’s backbone network, eliminating exposure to the public internet. When you first enable Private Link for Azure Front Door, it will create a private endpoint from an Azure Front Door managed regional private network. However, before any traffic can pass to the origin privately, you must approve the private endpoint connection. A private IP address will be assigned to the Azure Front Door, and no public IP address will be created. Before using Azure Private Links, I recommend reviewing the article below, which shows what Region it is available in.
Secure Your Origin with Private Link In Azure Front Door Premium | Microsoft Learn
Benefits Of Using the Azure Front Door Web Application Firewall (WAF)
I have provided below key features of using Azure Front Door WAF and you can find more information about these specific features by going to the link below.
Web Application Firewall on Azure Front Door | Microsoft Learn
- Managed rules
- Custom rules
- Exclusion lists
- Bot protection
- IP restriction
- Rate limiting
- Monitor and logging
By using the Web Application Firewall with your implementation of Azure Front Door, you will be able to protect your web applications by using custom and managed rules. When it comes to security and protecting your web applications from common vulnerabilities and exploits, setting up Azure-managed rules will provide an easy way to deploy protection against a common set of security threats, and if you use the Azure-managed rules, they are managed by Azure. The default rule set includes Microsofts’ Threat Intelligence Collection rules written in partnership with the Microsoft’s Intelligence team. However, if you want to use the managed rules, you will need to use the premium SKU version of Azure Front Door. As mentioned in this blog, I plan to do another blog with this specific implementation of using Azure Front Door Web Application Firewall with custom rules in a step-by-step fashion.
What Is the Difference Between Azure Web Application Firewall vs Azure Web Application Firewall Application Gateway?
The significant difference between the Web Application Firewall and the Application Gateway is that the Azure Front Door is a global service, whereas the Application Gateway is a regional service. Therefore, Azure Front Door can only perform path-based load balancing at the global level. Still, if you want to load balance traffic at the VM/container level, you will need to use the Web Application Gateway, as Azure Front Door doesn’t work at this level. Both the Web Application Gateway and Azure Front Door support session affinity, and to go further in-depth, the Azure Front Door can direct subsequent traffic from a user session to the same cluster or backend in a given region, and the Web Application Gateway can handle the traffic to the same server within the cluster. I recommend going through some of the frequently asked questions that Microsoft has seen for Azure Front Door, and I have provided that link below.
Azure Front Door – Frequently asked questions | Microsoft Learn
What About Azure Content Delivery Network (CDN)?
It comes down to your business needs, but since Azure Front Door standard and premium came out, it has become a game changer. In the classic version of Azure Front Door, you were charged per the ruleset you used, and Azure CDN was cheaper to use and performed well on content delivery for a more affordable price. Azure CDN has always been a solid solution for delivering static content like videos, images, and PDFs. In contrast, Azure Front Door is mainly used for providing sites, services, and APIs. Azure CDN has site acceleration, video streaming optimization, and image compression capabilities. Azure CDN will be an excellent solution for this configuration if you need to deliver videos to your global consumer base. Both solutions can provide you with a great experience, and there are situations where you could use both Azure CDN and Azure Front Door in your architecture.
In summary, using Azure Front Door with the Web Application Firewall (WAF) in your environment will allow you to distribute your applications globally, scale up your global application, protect your applications from attacks, and deliver high availability to your users wherever they are. It has been proven to be a fast, reliable, and secure solution for users to access your applications globally using Microsoft’s global edge network, with hundreds of global and local POPs distributed worldwide. I have provided the link below with all those locations.
Azure Front Door edge locations by region | Microsoft Learn
I look forward to doing a step-by-step deep-dive example of implementing Azure Front Door using a Web Application Firewall with custom rules in an upcoming blog. In the meantime, if you ever have questions about Azure Front Door, please reach out to us at XTIVIA.