I am new to Azure and couldnt find the below answer in Microsoft documentation so trying here, How does Azure Front Door resolve DNS or resolve IP as its Global Edge service. for an example if i have domain name xyz.com exposed through front door and if its being pinged from Europe Vs USA Vs Canada. I am dealing with some data privacy issues so dont want my Europe traffic to come to USA Front Door and then resolve it back to go to Europe.. any documentation related to this or any insight how does Frontdoor works internally. Would it matter where FrontDoor is being created first vs what all regions its being routing traffic. appreciate the time .

Hello @Katare, Ashish , I'm unable to share the internal architecture or workflow of Azure Frontdoor, however, below is the update I received from AFD PG team: Resolution for both DNS and HTTP (the portions in Microsoft’s control of both of those) route via Anycast which means they will resolve to the closest Microsoft Edge location as mentioned here . While this creates a very high likelihood at geo-regional traffic (e.g. Europe will resolve to European DNS and CDN servers), there is no strict guarantee around this. If you need 100% strict geo-isolation then it cannot be guaranteed by Front Door (or any other CDN for that matter) today. We have a roadmap feature to support this but it is not short term. One workaround that I can think of at the moment would be to use Azure Traffic Manager (Since you can use Geographic traffic routing method in Traffic manager to comply with local data sovereignty mandates which require that users from a specific region be served only by endpoints in that region) and Azure Front Door parallelly to serve all traffic for your application as described in the below article: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite#building-with-azures-application-delivery-suite Kindly let us know if the above helps or you need further assistance on this issue. ---------------------------------------------------------------------------------------------------------------- Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Azure FrontDoor DNS resolution

Accepted answer

GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee

2021-04-20T13:12:15.86+00:00

Hello @Katare, Ashish ,

I'm unable to share the internal architecture or workflow of Azure Frontdoor, however, below is the update I received from AFD PG team:

Resolution for both DNS and HTTP (the portions in Microsoft’s control of both of those) route via Anycast which means they will resolve to the closest Microsoft Edge location as mentioned here. While this creates a very high likelihood at geo-regional traffic (e.g. Europe will resolve to European DNS and CDN servers), there is no strict guarantee around this.

If you need 100% strict geo-isolation then it cannot be guaranteed by Front Door (or any other CDN for that matter) today. We have a roadmap feature to support this but it is not short term.

One workaround that I can think of at the moment would be to use Azure Traffic Manager (Since you can use Geographic traffic routing method in Traffic manager to comply with local data sovereignty mandates which require that users from a specific region be served only by endpoints in that region) and Azure Front Door parallelly to serve all traffic for your application as described in the below article:
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite#building-with-azures-application-delivery-suite

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Katare, Ashish 141 Reputation points

2021-04-21T21:23:59.217+00:00

thank you @GitaraniSharma-MSFT

one more clarification - Azure Front Door doesn’t support mutual TLS as per below,

https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#can-i-use-client-mutual-authentication-with-azure-front-door-

how do i terminate SSL if i am using Azure Frontdoor itself so my subsequent layers save encryption/decryption time.
Any suggestions why dealing with SSL at frontdoor itself.

GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee

2021-04-22T15:55:21.89+00:00

Hello @Katare, Ashish ,

Yes, Azure Front Door doesn’t support mutual TLS auth as of today but it is in the roadmap. You can upvote the feature request in the below forum:
https://feedback.azure.com/forums/217313-networking/suggestions/37546810-frontdooor-tls-mutual-authentication-x-arr-cli

However, Azure Front Door supports TLS/SSL offload and end to end TLS, Since the connections to the backend happen over the public IP, it's recommended that you configure your Front Door to use HTTPS as the forwarding protocol.
You can configure SSL offload by following the below article:
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https

Thanks,
Gita Sharma

Katare, Ashish 141 Reputation points

2021-04-22T15:58:54.597+00:00

@GitaraniSharma-MSFT
thank you for your response.
we have APIM instances as a backend to this Azure FrontDoor through routing rules in frontdoor. is that okay if we configure the mutual authentication in APIM layer ?

GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee

2021-04-22T16:08:08.507+00:00

Hello @Katare, Ashish ,

Since Azure Front Door doesn't support Mutual Auth at the moment, keeping it in the data path with mutual auth in APIM layer will be a limiting factor. So I would advise against it.
In case you are not using Azure Front Door and are opting for Application gateway, then we do have a public preview of mutual auth feature available for app gateway to try. However, that may lead to another limitation for you depending upon your traffic & feature requirements.

Thanks,
Gita

Katare, Ashish 141 Reputation points

2021-04-22T16:12:17.2+00:00

@GitaraniSharma-MSFT
we are using Azure frontdoor something like below,

client -->frontdoor -->APIM -->Application gateway -->backend services.

where do you suggest us to implement mutual SSL and why ? i am thinking of offloading SSL in APIM layer

GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee

2021-04-22T16:34:20.493+00:00

@Katare, Ashish , is your question - where to implement SSL offloading or Mutual SSL auth?

Like I mentioned before, mutual SSL/TLS authentication feature is not available in Azure Front Door.

If you are referring to SSL offloading, you can do so at both Azure FrontDoor & Azure Application gateway depending upon your requirement. I'm not much familiar with APIM, so would not be able to provide much insights on it.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure FrontDoor DNS resolution

0 additional answers

Your answer