Microsoft Azure — Azure CDN & Front Door
Azure CDN profiles, Front Door, caching rules, compression, geo-filtering, and origin groups..
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
- ✓Azure subscription, Azure CLI (version 2.40+), basic knowledge of networking (DNS, SSL/TLS), familiarity with ARM templates or Terraform, and a sample application to deploy (e.g., a static website or a simple API).
Azure CDN & Front Door is like having a specialized tool that handles cdn frontdoor in the Microsoft cloud — you manage the configuration, Azure handles the infrastructure.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers azure cdn & front door with production-ready configurations, best practices, and hands-on examples.
Why Azure CDN and Front Door Are Not Interchangeable
Many teams treat Azure CDN and Front Door as the same service because both accelerate content delivery. That's a mistake that leads to outages. Azure CDN is a content delivery network optimized for static assets: images, videos, JavaScript bundles. It caches at edge locations and reduces origin load. Front Door is a global load balancer and application accelerator. It handles dynamic requests, SSL termination, path-based routing, and Web Application Firewall (WAF) policies. Front Door can also cache, but its primary value is intelligent traffic routing across origins. Choosing the wrong one means either paying for features you don't need or missing critical capabilities like failover and DDoS protection. For example, using CDN for an API gateway will break session affinity and failover. Use CDN for static content, Front Door for applications.
Architecture: When to Use CDN, Front Door, or Both
A common production pattern is to place Front Door in front of your application and then use CDN for static assets served from blob storage. Front Door handles routing, SSL, WAF, and caching of dynamic responses. CDN offloads static content delivery from the application servers. For example, an e-commerce site: Front Door routes /api/ to App Service, /images/ to CDN backed by Blob Storage. This reduces origin load by 70% and improves cache hit ratios. Front Door also provides health probes and automatic failover between regions. CDN is simpler and cheaper for static content. If you only need global caching and don't need routing or WAF, use CDN. If you need anycast, path-based routing, or WAF, use Front Door. Both can coexist: Front Door can point to CDN as an origin for static content, but that adds latency. Better to let Front Door cache static content directly or use CDN as a separate endpoint.
Configuring Caching Rules: Purge, Compression, and Query Strings
Caching rules determine what gets cached and for how long. In Front Door, you can set cache duration per route. For CDN, you can configure caching rules at the endpoint or global level. Key settings: cache expiration (set to a reasonable TTL based on content volatility), query string caching (ignore, bypass, or include), and compression (enable gzip/brotli). A common mistake is caching everything with a long TTL, which causes stale content. For versioned assets (e.g., bundle.v1.js), use a long TTL (1 year). For HTML pages, use a short TTL (5 minutes) or no cache. Always enable compression to reduce bandwidth. Purge is critical when you need to invalidate cached content immediately. Use purge after deployments or content updates. In production, automate purges via CI/CD pipelines. For example, after a new release, purge the CDN endpoint for the changed files.
Health Probes and Failover: Avoiding Single Points of Failure
Front Door continuously monitors backend health using HTTP/HTTPS probes. You configure the probe path (e.g., /health), interval (default 30s), and failure threshold. If a backend fails health checks, Front Door routes traffic to healthy backends. This is essential for multi-region deployments. Common pitfalls: using a static page like /index.html as the health endpoint (it never fails), setting the probe interval too low (causes false positives), or not configuring a proper health check that validates dependencies (database, cache). In production, your health endpoint should return 200 only if the service is truly ready. Also, configure the backend pool with multiple origins and set priority/weight for active-passive or active-active failover. For CDN, health probes are not available; CDN relies on origin response status codes. If your origin returns 503, CDN may cache it. Use Front Door for critical failover scenarios.
Web Application Firewall (WAF) with Front Door
Front Door integrates with Azure WAF to protect against common web exploits like SQL injection, XSS, and DDoS. You can attach a WAF policy to a Front Door frontend endpoint or a routing rule. WAF policies consist of managed rule sets (e.g., OWASP 3.2) and custom rules. Managed rules provide baseline protection; custom rules allow you to block or allow specific IPs, geo-filter, or rate-limit. In production, start in detection mode to log violations without blocking, then switch to prevention after tuning. Common mistakes: enabling all managed rules without testing (causes false positives), not excluding false positives (e.g., blocking legitimate SQL queries), or not setting up rate limiting for APIs. Also, WAF logs are sent to Azure Monitor; enable diagnostic settings to capture them. For CDN, WAF is not available; use Front Door if you need WAF.
SSL/TLS Termination and Certificate Management
Both CDN and Front Door support SSL termination at the edge. You can bring your own certificate or use Azure-managed certificates. For production, use Azure-managed certificates for simplicity: they auto-renew and are free. However, if you need custom certificates (e.g., EV certificates), you can upload them to Azure Key Vault and reference them. Front Door supports multiple SSL certificates per frontend endpoint. A common issue is certificate validation failures due to mismatched hostnames. Ensure the certificate's CN or SAN matches the custom domain. Also, enable HTTPS-only traffic and set minimum TLS version to 1.2. For CDN, you can enable HTTPS on custom domains via Azure CDN's managed certificate or your own. In production, always enforce HTTPS and redirect HTTP to HTTPS. Use Front Door's redirect rule to achieve this.
Geo-Routing and Traffic Management with Front Door
Front Door supports geo-routing via routing rules and backend pools. You can direct traffic from specific countries to specific backends. For example, route EU traffic to a West Europe App Service and US traffic to East US. This reduces latency and can comply with data residency requirements. Geo-routing is configured using match conditions on the routing rule: you can match on country code. Additionally, you can use priority and weight to implement active-passive or active-active failover. In production, combine geo-routing with health probes: if the primary region fails, traffic fails over to the secondary region regardless of geography. A common mistake is not setting up a fallback backend for unmatched geographies. Always configure a default backend pool.
Monitoring, Logging, and Alerts
Monitoring CDN and Front Door is critical for production. Enable diagnostic settings to stream logs to Log Analytics, Storage, or Event Hubs. Key metrics: request count, latency, cache hit ratio, backend health, and error rates. For Front Door, monitor health probe status and backend response times. For CDN, monitor cache hit ratio and origin offload. Set up alerts for anomalies: e.g., sudden drop in cache hit ratio (indicates misconfiguration), increase in 5xx errors (origin issues), or backend health probe failures. Use Azure Monitor workbooks to create dashboards. A common oversight is not logging WAF blocked requests; enable WAF logs to detect attacks. Also, log purge operations to audit content invalidation. In production, set up alerts for backend health probe failures with a severity of 1 (critical).
Cost Optimization: Choosing the Right SKU and Caching Strategy
Azure CDN and Front Door have different pricing models. CDN Standard (Microsoft) is pay-as-you-go with no upfront cost. Front Door has a fixed monthly fee plus data transfer costs. For low-traffic sites, CDN is cheaper. For high-traffic with dynamic content, Front Door's fixed fee may be more cost-effective. Optimize costs by: using caching to reduce origin traffic (cache hit ratio > 90% is ideal), compressing responses, and choosing the right SKU. For CDN, Standard Microsoft is sufficient for most cases; Premium (Verizon) offers advanced analytics but costs more. For Front Door, the standard tier is adequate; premium adds private link support. Also, consider using Azure Storage static website with CDN for static content to reduce compute costs. In production, monitor bandwidth and request counts to right-size. Use Azure Cost Management to track spending.
CI/CD Integration: Automating Deployments and Purges
Integrate CDN and Front Door into your CI/CD pipeline to automate deployments and cache purges. Use Azure CLI or ARM templates to update Front Door routing rules, backend pools, and WAF policies. For CDN, automate purges after each deployment. Example pipeline: build, test, deploy to App Service, then purge CDN endpoints. Use Azure DevOps or GitHub Actions. Store configuration as code (ARM, Bicep, Terraform) to enable repeatable deployments. A common mistake is not purging after deployment, causing users to see old content. Also, use deployment slots with Front Door to enable blue-green deployments: swap slots and then purge. In production, automate everything to reduce human error.
Troubleshooting Common Issues: 503s, Cache Misses, and SSL Errors
Common issues with CDN and Front Door include 503 errors (origin unavailable), cache misses (low cache hit ratio), and SSL errors. For 503s, check backend health probes and origin response times. Ensure the origin is reachable from the edge. For cache misses, verify caching rules: are you caching the right content? Check cache headers from origin (Cache-Control, Expires). If origin sends no-cache, CDN won't cache. For SSL errors, check certificate validity and hostname match. Use tools like curl to test: curl -I https://yourdomain.com. Also, check Front Door logs for detailed error codes. A common pitfall is not enabling caching on the route in Front Door (cacheEnabled: false). In production, set up a dashboard with key metrics to quickly identify issues.
Production Checklist: Go-Live with CDN and Front Door
Before going live, run through this checklist: 1) Configure custom domains with HTTPS (Azure-managed certificates). 2) Set up WAF in detection mode initially. 3) Configure health probes with dependency checks. 4) Set caching rules per content type. 5) Enable diagnostic logs and set up alerts. 6) Test failover by stopping a backend. 7) Verify cache purge works. 8) Check geo-routing if used. 9) Review cost estimates. 10) Document the architecture. Common go-live failures: forgetting to enable HTTPS, not configuring health probes (causes routing to unhealthy backends), or not purging old content. Also, test with real traffic patterns using a staging environment. In production, always have a rollback plan: keep old configuration files and be ready to redeploy.
| File | Command / Code | Purpose |
|---|---|---|
| deploy-cdn.sh | az cdn profile create --name myCDNProfile --resource-group myRG --sku Standard_M... | Why Azure CDN and Front Door Are Not Interchangeable |
| main.tf | resource "azurerm_frontdoor" "main" { | Architecture |
| purge-cdn.ps1 | $resourceGroup = "myRG" | Configuring Caching Rules |
| health_check.py | from flask import Flask, jsonify | Health Probes and Failover |
| waf-policy.json | { | Web Application Firewall (WAF) with Front Door |
| enable-https.sh | az cdn custom-domain enable-https ` | SSL/TLS Termination and Certificate Management |
| geo-routing.json | { | Geo-Routing and Traffic Management with Front Door |
| enable-diagnostics.sh | az monitor diagnostic-settings create \ | Monitoring, Logging, and Alerts |
| estimate-costs.sh | echo "Estimated monthly cost: $35 (fixed) + $6 (data) + $10 (requests) = $51" | Cost Optimization |
| azure-pipelines.yml | trigger: | CI/CD Integration |
| troubleshoot.sh | curl -I https://origin.example.com/static/style.css | Troubleshooting Common Issues |
| checklist.md | - [ ] Custom domains configured with HTTPS (Azure-managed certs) | Production Checklist |
Key takeaways
Common mistakes to avoid
3 patternsNot planning cdn frontdoor properly before deployment
Ignoring Azure best practices for cdn frontdoor
Overlooking cost implications of cdn frontdoor
Interview Questions on This Topic
Explain Azure CDN & Front Door and its use cases.
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
That's Azure. Mark it forged?
6 min read · try the examples if you haven't