DDoS protection on Front Door
Azure Front Door is a Content Delivery Network (CDN) that can help you protect your origins from HTTP(S) DDoS attacks by distributing the traffic across its 192 edge POPs worldwide. These POPs uses our large private WAN to deliver your web applications and services faster and more securely to your end users. Azure Front Door also includes layer 3, 4, and 7 DDoS protection and a web application firewall (WAF) to help protect your applications from common exploits and vulnerabilities.
Infrastructure DDoS protection
Azure Front Door benefits from the default Azure infrastructure DDoS protection. This protection monitors and mitigates network layer attacks in real time by using the global scale and capacity of Front Door’s network. This protection has a proven track record in safeguarding Microsoft’s enterprise and consumer services from large-scale attacks.
Protocol blocking
Azure Front Door supports only the HTTP and HTTPS protocols, and requires a valid `Host`` header for each request. This behavior helps to prevent some common DDoS attack types such as volumetric attacks that use various protocols and ports, DNS amplification attacks, and TCP poisoning attacks.
Capacity absorption
Azure Front Door is a large-scale, globally distributed service. It serves many customers, including Microsoft’s own cloud products that handle hundreds of thousands of requests per second. Front Door is situated at the edge of Azure’s network, where it can intercept and geographically isolate large volume attacks. Therefore, Front Door can prevent malicious traffic from reaching beyond the edge of the Azure network.
Caching
You can use Front Door’s caching capabilities to protect your backends from large traffic volumes generated by an attack. Front Door edge nodes return cached resources and avoid forwarding them to your backend. Even short cache expiry times (seconds or minutes) on dynamic responses can significantly reduce the load on your backend services. For more information about caching concepts and patterns, see Caching considerations and Cache-aside pattern.
Web Application Firewall (WAF)
You can use Front Door's Web Application Firewall (WAF) to mitigate many different types of attacks:
- The managed rule set protects your application from many common attacks. For more information, see Managed rules.
- You can block or redirect traffic from outside or inside a specific geographic region to a static webpage. For more information, see Geo-filtering.
- You can block IP addresses and ranges that you identify as malicious. For more information, see IP restrictions.
- You can apply rate limiting to prevent IP addresses from calling your service too frequently. For more information, see Rate limiting.
- You can create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures.
- The bot protection managed rule set protects your application from known bad bots. For more information, see Configuring bot protection.
Refer to Application DDoS protection for guidance on how to use Azure WAF to protect against DDoS attacks.
Protect virtual network origins
To protect your public IPs from DDoS attacks, enable Azure DDoS Protection on the origin virtual network. DDoS Protection customers receive extra benefits such as cost protection, SLA guarantee, and access to experts from the DDoS Rapid Response Team for immediate assistance during an attack.
Private Link
Enhance the security of your Azure-hosted origins by restricting their access to Azure Front Door through Azure Private Link. This feature enables a private network connection between Azure Front Door and your application servers, eliminating the need to expose your origins to the public internet.
Next steps
- Learn how to set up a WAF policy for Azure Front Door.
- Learn how to create an Azure Front Door profile.
- Learn how Azure Front Door works.