Design 31: Global Web App (Front Door)

Summary

This design implements Azure Front Door as the global entry point for a multi-region application.

Topology: Front Door sits at the Edge (outside VNets). It routes traffic to App Gateways (Design 18) located in Spoke VNets in East US and West US.

1. Key Design Decisions (ADR)

ADR-01: Global Load Balancer

  • Decision: Use Azure Front Door Premium.
  • Rationale: Provides Global Load Balancing (Anycast), WAF, and Private Link to backend (optional).

ADR-02: Backend Routing

  • Decision: Route to Regional App Gateways.
  • Rationale: Front Door handles global routing; App Gateway handles regional ingress and VNet termination.

2. High-Level Design (HLD)

                                  INTERNET
                                     |
                                     v
                           +--------------------+
                           |  Azure Front Door  |
                           |  (Global WAF)      |
                           +---------+----------+
                                     |
                  /------------------+------------------\
                  |                                     |
                  v                                     v
        +------------------+                  +------------------+
        | Region A: East US|                  | Region B: West US|
        | (Active)         |                  | (Active)         |
        +------------------+                  +------------------+
        |   HUB VNet       |                  |   HUB VNet       |
        +------------------+                  +------------------+
                  |                                     |
        +------------------+                  +------------------+
        |  SPOKE VNet      |                  |  SPOKE VNet      |
        | [App Gateway]    |                  | [App Gateway]    |
        +------------------+                  +------------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub-east                                               |
| [VPN Gateway]                                                         |
+---------------|-------------------------------------------------------+
                | (Peering)
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-spoke-east                                           |
|   +-----------------------+                                           |
|   | Subnet: AppGw         |                                           |
|   | [App Gateway]         | <----(Traffic from Front Door)            |
|   | (Public IP)           |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v                                                       |
|   +-----------------------+                                           |
|   | Subnet: Backend       |                                           |
|   | [Web App / VM]        |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub-west                                               |
+---------------|-------------------------------------------------------+
                | (Peering)
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-spoke-west                                           |
|   +-----------------------+                                           |
|   | [App Gateway]         |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v                                                       |
|   +-----------------------+                                           |
|   | [Web App / VM]        |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • WAF: Front Door WAF protects at the edge (stops attacks before they hit your VNet).

5. Strategy: High Availability (HA)

  • Global: Front Door is globally distributed.
  • Regional: App Gateways are Zone Redundant.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Active-Active.
  • Process: Both regions serve traffic. If East US goes down, its health probes fail and Front Door automatically routes 100% of traffic to West US.

7. Strategy: Backup

  • N/A.

8. Strategy: Security

  • ID-Based Access: Configure the NSG on the App Gateway subnet to *only* accept traffic from the Front Door service tag (AzureFrontDoor.Backend).
  • Header Check: Check that the X-Azure-FDID header matches this profile's Front Door ID, so that traffic arriving directly or through some other Front Door profile cannot bypass Front Door.
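The header check above is, on a real App Gateway, a WAF policy custom rule that matches the X-Azure-FDID request header. The following is an added example, not code from the design page: a stand-alone Python model of that decision, run against constructed requests. The Front Door ID and the second profile ID are constructed placeholders; your real ID is shown on the profile's Overview page.

```python
"""Model of the X-Azure-FDID origin check (added example, not from the design page).

On a real deployment this decision is made by an App Gateway WAF custom rule matching the
X-Azure-FDID request header; this is the same decision written as plain Python so it can be
exercised against constructed requests.
"""

# Constructed placeholder for this profile's Front Door ID (assumed, not from the page).
EXPECTED_FDID = "11111111-2222-3333-4444-555555555555"

# Constructed value standing in for a different Front Door profile's ID.
OTHER_PROFILE_FDID = "99999999-8888-7777-6666-555555555555"


def check_front_door_header(headers: dict, expected_fdid: str = EXPECTED_FDID):
    """Return (allowed, reason) for one request based solely on its X-Azure-FDID header.

    HTTP header names are case-insensitive, so the lookup is normalised first. The reason
    string is what you want in the WAF log: it separates a direct hit on the origin
    (no header at all) from traffic that came through a Front Door profile that is not ours.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    fdid = lowered.get("x-azure-fdid")
    if fdid is None:
        return False, "missing-fdid"      # never passed through Front Door
    if fdid.strip().lower() != expected_fdid.lower():
        return False, "wrong-fdid"        # passed through *a* Front Door, just not this profile
    return True, "ok"


def filter_requests(requests, expected_fdid: str = EXPECTED_FDID):
    """Apply the check to (label, headers) pairs; returns [(label, allowed, reason), ...]."""
    results = []
    for label, headers in requests:
        allowed, reason = check_front_door_header(headers, expected_fdid)
        results.append((label, allowed, reason))
    return results


# Constructed sample requests covering each case the origin has to handle.
SAMPLE_REQUESTS = [
    ("via our Front Door",         {"Host": "www.contoso.com", "X-Azure-FDID": EXPECTED_FDID}),
    ("header name lower-cased",    {"host": "www.contoso.com", "x-azure-fdid": EXPECTED_FDID}),
    ("direct hit on origin IP",    {"Host": "1.2.3.4"}),
    ("other Front Door profile",   {"Host": "www.contoso.com", "X-Azure-FDID": OTHER_PROFILE_FDID}),
]

if __name__ == "__main__":
    for label, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{label:26s} -> {'allow' if allowed else 'deny':5s} ({reason})")
```

The ID is an identifier rather than a secret, which is why the design pairs this check with the NSG service-tag rule: the NSG keeps non-Front-Door sources off the App Gateway, and the header check binds the remaining traffic to this specific profile.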

9. Well-Architected Framework Analysis

  • Reliability: Excellent.
  • Security: High.
  • Cost Optimization: Medium. Premium is ~$330/mo.
  • Operational Excellence: High.
  • Performance Efficiency: Excellent. Uses Microsoft's global backbone.

10. Detailed Traffic Flow

1. User: Browses to www.contoso.com.

2. Edge: Request hits nearest Edge POP (e.g., London).

3. Front Door: Runs the WAF rules, then selects the fastest healthy backend (East US).

4. Backbone: Traffic travels on MS Backbone to East US.

5. App Gateway: Receives request. Checks X-Azure-FDID.

6. Backend: Forwards to VM.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Deploy Regional Stacks (Prerequisite)

1. East US: Deploy an App Gateway (Standard_v2) with a Public IP.

* Public IP: pip-appgw-east (e.g., 1.2.3.4).

* Backend: A simple VM or Web App.

2. West US: Deploy a second App Gateway.

* Public IP: pip-appgw-west (e.g., 5.6.7.8).

* Backend: A simple VM or Web App.

Phase 2: Create Front Door Profile

1. Search: "Front Door and CDN profiles" -> + Create.

2. Select: Azure Front Door -> Quick create.

3. Basics:

* Resource Group: rg-global-frontdoor.

* Name: fd-global-corp-[uniqueid].

* Tier: Premium (Required for Private Link, but Standard is fine for Public IP backends). Select Standard for this lab.

* Endpoint Name: contoso-app.

* Origin Type: Public IP address.

* Origin Host Name: Select pip-appgw-east.

4. Create. (Takes 5 mins).

Phase 3: Add Second Origin (West US)

1. Go to Front Door Manager -> Origin groups -> default-origin-group.

2. + Add an origin.

3. Origin Type: Public IP address.

4. Host Name: Select pip-appgw-west.

5. Priority: 1. Weight: 1000.

6. Add.

7. Update.

* *Now Front Door balances between East and West.*
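How Front Door chooses between the two origins just configured (and why East US dropping out of rotation in Section 6 needs no manual action) is worth seeing in code. The following is an added example, not code from the design page or from Azure: a simplified Python model of the documented selection order (health, then priority, then latency sensitivity, then weight) applied to the Phase 3 origin group. The probe latencies are constructed values for a single edge POP.

```python
"""Simplified model of Front Door origin selection (added example, not from the design page).

Front Door's documented order is: drop origins failing health probes, keep the lowest priority
number, keep origins within the latency-sensitivity window of the fastest one, then split by
weight. This replays that order for the Phase 3 origin group (priority 1, weight 1000 each).
"""
from dataclasses import dataclass


@dataclass
class Origin:
    name: str
    host: str            # origin host name as added in Phase 2 / Phase 3
    priority: int        # 1 is highest; lower ones are used only when every higher one is unhealthy
    weight: int          # 1-1000, share among origins that survive the priority and latency steps
    latency_ms: float    # probe latency from one edge POP (constructed)
    healthy: bool = True # outcome of the origin group's health probes


def select_origins(origins, latency_sensitivity_ms: int = 0):
    """Return {name: traffic_fraction} for the origins Front Door would use; {} if none is healthy."""
    healthy = [o for o in origins if o.healthy]
    if not healthy:
        return {}                                                # every origin failed its probes
    best_priority = min(o.priority for o in healthy)
    same_priority = [o for o in healthy if o.priority == best_priority]
    fastest = min(o.latency_ms for o in same_priority)
    in_window = [o for o in same_priority
                 if o.latency_ms <= fastest + latency_sensitivity_ms]
    total_weight = sum(o.weight for o in in_window)
    return {o.name: o.weight / total_weight for o in in_window}


def make_origins(east_healthy: bool = True, west_healthy: bool = True):
    """The Phase 3 origin group as seen from a European POP; latencies are constructed values."""
    return [
        Origin("east", "pip-appgw-east", priority=1, weight=1000, latency_ms=80.0, healthy=east_healthy),
        Origin("west", "pip-appgw-west", priority=1, weight=1000, latency_ms=140.0, healthy=west_healthy),
    ]


if __name__ == "__main__":
    print("normal, sensitivity 0 ms   ->", select_origins(make_origins()))
    print("normal, sensitivity 100 ms ->", select_origins(make_origins(), latency_sensitivity_ms=100))
    print("East US unhealthy          ->", select_origins(make_origins(east_healthy=False)))
    print("both unhealthy             ->", select_origins(make_origins(False, False)))
```

With the latency sensitivity left at its default of 0 ms, each POP sends all of its traffic to the fastest healthy origin, so the equal weights only come into play once the sensitivity window is widened; the East/West balancing otherwise happens across POPs rather than per request. Failover is simply the first step of the same selection: an origin that fails its probes is not considered.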

Phase 4: Secure App Gateway (Lockdown)

1. Go to East US App Gateway -> NSG (Network Security Group of the Subnet).

2. Inbound Security Rules -> + Add.

3. Allow Front Door:

* Source: Service Tag.

* Source tag: AzureFrontDoor.Backend.

* Destination: Any.

* Service: HTTPS (443).

* Action: Allow.

* Priority: 100.

4. Deny All Internet:

* Source: Any.

* Destination: Any.

* Service: HTTPS (443).

* Action: Deny.

* Priority: 200.

5. Repeat for West US NSG.
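To see what the two Phase 4 rules do once the NSG's default rules are taken into account, the following is an added example, not code from the design page or from Azure: a Python model that replays inbound rules in NSG priority order against constructed flows and audits the result. Source addresses are represented by the service tag Azure would already have classified them into. One rule is included that the runbook does not list: Application Gateway v2 requires inbound traffic from the GatewayManager service tag on ports 65200-65535, so it appears here at a constructed priority of 110.

```python
"""Model of the Phase 4 NSG lockdown (added example, not from the design page).

Replays inbound rules lowest-priority-number-first, first match wins, the way an NSG does,
against constructed flows, and audits the rule set for the outcomes Phase 4 and Phase 5 expect.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    priority: int     # NSGs evaluate the lowest number first; the first match wins
    name: str
    source: str       # a service tag name, "VirtualNetwork", or "*" for Any
    ports: tuple      # inclusive (low, high) destination port range
    action: str       # "Allow" or "Deny"


# Phase 4's two rules, the default inbound rules every NSG carries, plus the GatewayManager
# rule that Application Gateway v2 needs and the runbook does not mention (constructed priority 110).
INBOUND_RULES = [
    NsgRule(100,   "AllowFrontDoor",                "AzureFrontDoor.Backend", (443, 443),     "Allow"),
    NsgRule(110,   "AllowGatewayManager",           "GatewayManager",         (65200, 65535), "Allow"),
    NsgRule(200,   "DenyAllInternet443",            "*",                      (443, 443),     "Deny"),
    NsgRule(65000, "AllowVnetInBound",              "VirtualNetwork",         (0, 65535),     "Allow"),
    NsgRule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer",      (0, 65535),     "Allow"),
    NsgRule(65500, "DenyAllInBound",                "*",                      (0, 65535),     "Deny"),
]

# The same rules with the two Phase 4 priorities swapped: a constructed misconfiguration for the audit.
MISORDERED_RULES = [
    NsgRule(200 if r.name == "AllowFrontDoor" else 100 if r.name == "DenyAllInternet443" else r.priority,
            r.name, r.source, r.ports, r.action)
    for r in INBOUND_RULES
]


def evaluate(rules, source_tag: str, dest_port: int):
    """Return (action, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        source_ok = rule.source == "*" or rule.source == source_tag
        port_ok = rule.ports[0] <= dest_port <= rule.ports[1]
        if source_ok and port_ok:
            return rule.action, rule.name
    return "Deny", "implicit"   # unreachable while DenyAllInBound is present


def audit(rules):
    """Return findings; an empty list means the lockdown behaves as Phase 4 and Phase 5 expect."""
    findings = []
    if evaluate(rules, "AzureFrontDoor.Backend", 443)[0] != "Allow":
        findings.append("Front Door traffic on 443 is denied: a Deny with a lower priority number shadows the Allow")
    if evaluate(rules, "Internet", 443)[0] != "Deny":
        findings.append("direct Internet access on 443 is allowed: Front Door and its WAF can be bypassed")
    if evaluate(rules, "GatewayManager", 65200)[0] != "Allow":
        findings.append("GatewayManager 65200-65535 is not allowed: Application Gateway v2 cannot receive control-plane traffic")
    return findings


if __name__ == "__main__":
    flows = [("AzureFrontDoor.Backend", 443), ("Internet", 443), ("Internet", 80),
             ("VirtualNetwork", 443), ("GatewayManager", 65200)]
    for src, port in flows:
        print(f"{src:24s} :{port:<5d} -> {evaluate(INBOUND_RULES, src, port)}")
    print("audit(INBOUND_RULES)    ->", audit(INBOUND_RULES))
    print("audit(MISORDERED_RULES) ->", audit(MISORDERED_RULES))
```

Two things the replay makes visible: the deny at priority 200 uses source Any, so it also blocks clients inside the VNet from reaching the App Gateway on 443 before the default AllowVnetInBound rule is consulted (a test from a jump box will fail just like the Phase 5 direct-access test), and port 80 is already covered by the default DenyAllInBound rule, so the explicit deny is only needed for 443 because the Front Door allow above it opened that port.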

Phase 5: Verify

1. Browser: Go to https://contoso-app-[uniqueid].z01.azurefd.net.

* It should load the app.

2. Direct Access: Go to https://1.2.3.4 (App Gateway IP).

* It should time out or fail (blocked by the NSG).