Azure WAF frontdoor vs Azure WAF application gateway

Raihan 6 Reputation points

What is the key difference between gateway and frontdoor? What are some of the features that are not available on gateway?

Why do I have to pay extra for frontdoor? What am I getting out of it? Is it worth it?

Can you provide some pricing difference?


5 answers

  1. JamesTran-MSFT 36,541 Reputation points Microsoft Employee

    Thank you for your post!

    Since I'm part of the Azure Security Center team and this looks like a networking issue, I've removed the "azure-security-center" tag and have reached out to our Networking team to look into this issue.

    In the meantime, I was able to do some research on this and will post my colleague's answer below.

    Azure Front Door WAF and Azure App Gateway WAF are very similar in functionality; one of the main differences is where the WAF is applied.

    Azure Front Door applies the WAF filters at edge locations, way before it gets to the datacenter. App Gateway applies the filter when it enters your VNET via the App Gateway.

    Your best bet is to choose between the 2 from an application delivery perspective, and then apply whichever WAF you choose.

    If what you are using is inside of a VNET and inside a single region, App Gateway will be your best bet. For a multi-regional deployment or global route filtering, use Azure Front Door.


    Additional Links:
    Application Gateway pricing
    Azure Front Door pricing
    How WAF features differ with Azure Front Door, Azure Application Gateway and Azure CDN.

    Please allow some time for our networking team to look into your issue and answer any questions I missed.
    Thank you for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    5 people found this answer helpful.

  2. SaiKishor-MSFT 17,221 Reputation points


    Adding to James's answer.

    While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a global service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers etc. that are within the scale unit.

    Front Door works at Layer 7 (HTTP/HTTPS layer) using anycast protocol with split TCP and Microsoft's global network to improve global connectivity. Based on your routing method you can ensure that Front Door will route your client requests to the fastest and most available application backend. An application backend is any Internet-facing service hosted inside or outside of Azure. Front Door provides a range of traffic-routing methods and backend health monitoring options to suit different application needs and automatic failover scenarios. Similar to Traffic Manager, Front Door is resilient to failures, including failures to an entire Azure region.

    Hope this information helps. If you have any more questions, please do let us know. Thank you!

    • Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
    3 people found this answer helpful.

  3. SaiKishor-MSFT 17,221 Reputation points

    Here are some differences based on their actions:

    • Front Door can perform path-based load balancing only at the global level but if one wants to load balance traffic even further within their virtual network (VNET) then they should use Application Gateway.
    • Front Door doesn't work at a VM/container level, so it cannot do Connection Draining. However, Application Gateway allows you to do Connection Draining.
    • Front Door and Application Gateway both support session affinity. While Front Door can direct subsequent traffic from a user session to the same cluster or backend in a given region, Application Gateway can affinitize the traffic to the same server within the cluster.
    • For Load balancers and Application gateway, Health probes are used to check the backend health and take the servers out of rotation when they are unhealthy.
      However, in AFD, health probes are not only used for tracking the health of the backend and taking the unhealthy servers out of rotation but also to route the traffic to the server based on latency, priority and weights.
    • Unlike application gateway, you cannot configure custom probe status here. Only response with 200 OK will be accepted.

    Hope this helps. Please let me know if you have any more questions.

    1 person found this answer helpful.

  4. suvasara-MSFT 10,036 Reputation points

    @RAIHANKHAN-2722, here is the ref blog that points out the differences in WAF features/offerings in AFD, APPGW and CDN.

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

  5. Liendo, Mauricio 0 Reputation points

    Hello! Could you advise me? What is the best option for publishing my webapp?

    1- Application Gateway behind Frontdoor with WAF only for Frontdoor

    2- Application Gateway behind Frontdoor with WAF for Frontdoor and Application Gateway

    3- Application Gateway behind Frontdoor with WAF only for Application Gateway

    Best regards
