Azure WAF and Front Door
Azure Front Door
Azure Front Door is a global, scalable entry point for your web applications. Think of it as a smart traffic cop sitting at the edge of Microsoft’s global network that routes users to the fastest, most available backend.
Key capabilities:
- Global load balancing — distributes traffic across regions, routing users to the nearest or healthiest backend
- SSL/TLS termination — handles HTTPS offloading at the edge, reducing backend load
- URL-based routing — routes `/api/*` to one backend and `/images/*` to another
- Caching — caches static content at edge locations (POPs) to reduce latency
- Health probes — automatically detects unhealthy backends and reroutes traffic
- Session affinity — sticky sessions to keep a user on the same backend
Front Door operates at Layer 7 (HTTP/HTTPS) and uses Microsoft’s global private WAN backbone, so traffic travels faster than it would over the public internet.
Azure WAF (Web Application Firewall)
Azure WAF is a security layer that inspects and filters HTTP/S traffic to protect web apps from common exploits and vulnerabilities.
What it protects against:
- SQL injection
- Cross-site scripting (XSS)
- OWASP Top 10 threats
- Bot attacks and scraping
- Layer 7 DDoS and request floods (through rate limiting)
- Custom rule-based threats (e.g. block specific IPs, countries, headers)
Two modes:
- Detection mode — logs threats but doesn’t block (good for tuning)
- Prevention mode — actively blocks malicious requests
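
Detection mode only helps with tuning if its logs are reviewed before the policy is switched to Prevention. The added example below (not part of the original page) groups detection-mode hits by rule and URL path. The sample records are constructed, the field names are assumed to follow the Front Door WAF diagnostic log layout, and the `min_clients` threshold is an illustrative heuristic.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records, not real traffic. Field names are assumed to
# follow the Front Door WAF diagnostic log layout; the last line is truncated.
SAMPLE_LOG = """
{"properties": {"clientIP": "203.0.113.10", "requestUri": "https://shop.example.com/api/search?q=o'brien", "ruleName": "Microsoft_DefaultRuleSet-2.1-SQLI-942100", "policyMode": "detection"}}
{"properties": {"clientIP": "203.0.113.11", "requestUri": "https://shop.example.com/api/search?q=d'arcy", "ruleName": "Microsoft_DefaultRuleSet-2.1-SQLI-942100", "policyMode": "detection"}}
{"properties": {"clientIP": "203.0.113.12", "requestUri": "https://shop.example.com/api/search?q=o'neil", "ruleName": "Microsoft_DefaultRuleSet-2.1-SQLI-942100", "policyMode": "detection"}}
{"properties": {"clientIP": "198.51.100.7", "requestUri": "https://shop.example.com/login?next=/home", "ruleName": "Microsoft_DefaultRuleSet-2.1-XSS-941100", "policyMode": "detection"}}
{"properties": {"clientIP": "198.51.100.7", "requestUri": "https://shop.example.com/login?next=/home", "ruleName": "Microsoft_DefaultRuleSet-2.1-XSS-941100", "policyMode": "detection"}}
{"properties": {"clientIP": "198.51.100.9", "requestUri": "https://shop.example.com/admin", "ruleName": "BlockAdminPath", "policyMode": "prevention"}}
{"properties": {"clientIP": "198.51.100.9", "requestUri":
"""

def summarize_detection_hits(log_text, min_clients=3):
    """Group detection-mode rule hits by (rule, path) for tuning review."""
    hits = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        props = record.get("properties", {}) if isinstance(record, dict) else {}
        if str(props.get("policyMode", "")).lower() != "detection":
            continue  # hits logged under Prevention were already enforced
        path = urlsplit(props.get("requestUri", "")).path or "/"
        entry = hits[(props.get("ruleName", "unknown"), path)]
        entry["count"] += 1
        entry["clients"].add(props.get("clientIP"))
    report = []
    for (rule, path), e in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        # Heuristic (assumption): a rule hit by many distinct clients on one
        # path is more likely colliding with normal traffic than under attack.
        verdict = "tune-candidate" if len(e["clients"]) >= min_clients else "investigate-client"
        report.append({"rule": rule, "path": path, "hits": e["count"],
                       "clients": len(e["clients"]), "verdict": verdict})
    return report

if __name__ == "__main__":
    for row in summarize_detection_hits(SAMPLE_LOG):
        print(row)
```

Rows marked `tune-candidate` are where to look at an exclusion or rule override before enabling Prevention; rows marked `investigate-client` point at a single source worth examining.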
How They Work Together
WAF is a feature/policy that runs on top of Front Door (and also on Application Gateway). You attach a WAF policy to your Front Door profile, and it inspects all incoming traffic before it reaches your backends.
            User Request
                 │
                 ▼
    ┌─────────────────────────────┐
    │      Azure Front Door       │  ← Global routing, caching, SSL termination
    │  ┌───────────────────────┐  │
    │  │      WAF Policy       │  │  ← Inspect & filter malicious traffic
    │  └───────────────────────┘  │
    └─────────────────────────────┘
                 │
                 ▼
    Your Backend (App Service, AKS, VM, etc.)
Front Door Tiers
| Feature | Standard | Premium |
|---|---|---|
| CDN + load balancing | ✅ | ✅ |
| WAF | Basic rules only | ✅ Full (managed + custom rules) |
| Bot protection | ❌ | ✅ |
| Private Link to backends | ❌ | ✅ |
When to Use What
| Scenario | Use |
|---|---|
| Global traffic routing + failover | Front Door alone |
| Protect a single-region app | Application Gateway + WAF |
| Protect a global app | Front Door + WAF (Premium) |
| Edge caching + security | Front Door + WAF |
In short: Front Door gets traffic to the right place fast; WAF makes sure that traffic is safe.