Azure Front Door with App Service


Azure Front Door service was recently released.

Azure Front Door is an interesting service combining the capabilities of:

  • Reverse Proxy (SSL Termination, URL based routing, URL rewrite & session affinity)
  • Web Application Firewall (WAF)
  • Accelerated Global routing
  • Global Load Balancing between geo-distributed backend
  • Some bits of Content Delivery Network (CDN, in the form of caching requests)

The pricing model also is also interesting as it is based on consumption (per outbound data transfer) as opposed to compute unit as for appliances.

Azure Front Door is meant to route public traffic to public endpoints. It doesn’t integrate with Azure Virtual Networks.

In this article, I wanted to show how to connect it to a Web App deployed on an Azure App Service. For simplicity’s sake, we do not activate the WAF in here.

As usual, code is in GitHub.

Deployment

Here is the solution we are going to ground the conversation around:

Deployment

This is a typical reverse proxy use case.

We can easily deploy the solution:

Deploy button

The ARM template has 4 parameters:

Parameter Mandatory Description
frontDoorHostPrefix X The DNS prefix for the default front door domain name (in the diagram, that is the ‘X’ variable)
webAppName X The name of the web app, also DNS prefix for its default domain name (in the diagram, the ‘Y’ variable)
webAppSKU Sku of the web app (actually App Service): Free, Shared, Basic or Standard. Default to Standard because life is too short.
workerSize Size of the App Service: 0 (small), 1(medium), 2(large). Default to 0 because we won’t deploy a real web app.

As usual, to author the ARM template, we looked at the online documentation, reverse engineered a deployment made from the portal, checked out some Azure Quickstart Templates and use our imagination.

Blocking App Service

A typical concern in a reverse proxy scenario is to block traffic coming directly to the back-end service, in this case the Web App.

It is possible to do that. In the FAQ, we can find the CIDR for Front Door service:

  • IPv4 – 147.243.0.0/16
  • IPv6 – 2a01:111:2050::/44

So we can easily configure this in the Web App firewall.

Now it is important to note that this IP range is for all Front Door instances. Azure Front Door is a multi-tenant global service. So, we do not get an IP range for our instance of Front Door.

This means the rule we put in place discriminate against traffic coming for elsewhere than Azure Front Door (e.g. a browser) but not against traffic coming from another Azure Front Door instance.

If that is a concern, we would need to layer another access control. For instance, we could enforce authentication on the Web App (not done in this deployment).

Testing the deployment

Let’s test the deployment.

We can see there are three resources deployed by the ARM template:

Resource Group

(Yes, we are in the UK today)

The App Service Plan is akin to a server farm while the App Service is akin to an application running on that farm.

We can see the Front Door service isn’t in a specific region but is a global service (with a [%99.99 SLA](https://azure.microsoft.com/en-us/support/legal/sla/Front Door/v1_0/)).

Let’s open the Front Door resource.

Front Door

In the top-right corner we find a URL to the main front-end. If we browse on that URL we get the following page:

Front Door page

This is the App Service default page, since we didn’t deploy any code for the Web App.

It might take a few seconds for the service to be up and running.

Let’s now open the App Service resource.

App Service

We also have the URL of the web app in the top right corner. If we browse to that page though, we are denied access:

App Service page

This is because, as mentioned in the previous section, we blocked requests not coming from Azure Front Door.

HTTPs

Something that isn’t possible to do today is to easily redirect HTTP traffic to HTTPS.

What we did though is to enforce that the traffic between Front Door and App Service is always in HTTPS, regardless of the incoming request on Azure Front Door.

Summary

We looked at a simple deployment of Azure Front Door in front of Azure App Service.

This deployment allows us to front an App Service with Azure Front Door. That gives us the following possibilities:

  • Accelerate traffic
  • Implement WAF (not done in this article)
  • Add App Service deployments in multiple regions
  • Cache elements at Azure Front Door level, akin to a CDN

In future articles, we’ll dive deeper into the inner works of Azure Front Door and consider more complex scenarios.

Advertisements

3 thoughts on “Azure Front Door with App Service

  1. I’ve managed to do HTTP to HTTP redirection using a redirect rule.

    Accept protocol: HTTP only
    Route type: redirect
    Redirect protocol: HTTPS only

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s