Front Door + backend pool VMs on-prem and in Azure

Almudena Cuenca Salas 21 Reputation points
2021-08-02T08:11:30.357+00:00

I have a customer wanting to use an IP address for a Front Door backend pool entry located on an on-premises machine via a VPN.

They would like to be able to run some virtual machines on premises as part of a backend pool for an Azure Front Door. These machines will be running the same application software as the Azure virtual machines that are also part of the same backend pool, but as part of a software migration they would like to have them be part of the Front Door backend pool. They will be connected to a virtual network in Azure via an IPsec IKE S2S VPN tunnel.

I understand that AFD supports both Azure and non-Azure resources in the backend pool and this can be done only using public IP addresses via custom host: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-backend-pool#backends

But I cannot find information regarding backend pool VMs being split between on-prem and Azure. Is this combination possible? If so, how can it be achieved?

Thanks in advance,
Almudena


Accepted answer
TravisCragg-MSFT 5,681 Reputation points Microsoft Employee
2021-08-02T22:53:57.28+00:00

This is possible in theory, but will have several limitations.

First, regarding Azure Front Door:

You can put any public IP here, which means you cannot directly point to the internal IP of your on-prem servers and have it direct over your VPN.

You can put another device in between, such as a Load Balancer, Application Gateway, or other NVA which can direct the traffic on-prem.

Before you start down that path, Azure Front Door is designed to be a global entry point. Even if you did have traffic go to Front Door -> Datacenter -> VPN -> On-Prem, it would have a LOT of unnecessary latency.

You can have on-prem backends exposed via an IP on-prem, and have Azure Front Door direct traffic to both Azure via the public IP and your on-prem via your ISP IP. This results in the lowest latency for each server.
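The second option in the accepted answer exposes the on-prem backend on an ISP public IP, so anything on the internet can reach it directly, bypassing Front Door and whatever WAF or routing rules sit in front of it. The usual defence is to accept traffic only from Front Door's backend address space (the AzureFrontDoor.Backend service tag) and to confirm the X-Azure-FDID header carries your own Front Door's ID, since every Front Door instance egresses from the same shared ranges. The following is an added example, not code from the question, the answer or Microsoft: a small origin-side WSGI filter that applies both checks. The Front Door ID is a hypothetical placeholder, and the CIDR list is a constructed sample using documentation prefixes; in practice the ranges come from the Azure IP Ranges and Service Tags download, and the same filter must also admit Front Door's health probes, which arrive from those same ranges.

```python
"""Origin-side filter for a backend that Front Door reaches over a public IP.

Added example (not from the page): accept a request only when its source
address lies in Front Door's backend ranges AND its X-Azure-FDID header
names our own Front Door instance.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical placeholder: the real value is the Front Door ID shown on the
# resource's Overview blade and sent by Front Door in X-Azure-FDID.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"

# Constructed sample standing in for the AzureFrontDoor.Backend service tag
# (documentation prefixes only); load the current list in production.
SAMPLE_FRONT_DOOR_RANGES = ["192.0.2.0/24", "2001:db8::/32"]


def build_allowlist(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings once; membership tests are then cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def front_door_check(remote_addr: str, headers: Dict[str, str],
                     allowlist: List[ipaddress._BaseNetwork],
                     expected_fdid: str = EXPECTED_FDID) -> str:
    """Return 'ok', or the reason the request must be rejected."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return "bad-source-address"
    # Source-IP check first: a spoofed header from an arbitrary host is useless
    # if the packet did not come from Front Door's egress ranges.
    if not any(addr in net for net in allowlist):
        return "source-not-front-door"
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-azure-fdid") != expected_fdid:
        return "fdid-mismatch"
    return "ok"


def guard(app: Callable, allowlist: List[ipaddress._BaseNetwork],
          expected_fdid: str = EXPECTED_FDID) -> Callable:
    """WSGI middleware: only requests passing front_door_check reach `app`."""
    def wrapped(environ, start_response):
        # WSGI exposes request headers as HTTP_X_AZURE_FDID etc.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        verdict = front_door_check(environ.get("REMOTE_ADDR", ""),
                                   headers, allowlist, expected_fdid)
        if verdict != "ok":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"rejected: {verdict}".encode()]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Stand-in for the migrated application running on the on-prem VM."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the on-prem backend"]


def run_sample(environ: Dict[str, str]) -> Tuple[str, bytes]:
    """Drive the guarded app with one constructed WSGI environ."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    guarded = guard(hello_app, build_allowlist(SAMPLE_FRONT_DOOR_RANGES))
    body = b"".join(guarded(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests: one from a Front Door range, one direct hit on the ISP IP.
    via_front_door = {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_AZURE_FDID": EXPECTED_FDID}
    direct_hit = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_AZURE_FDID": EXPECTED_FDID}
    print(run_sample(via_front_door))
    print(run_sample(direct_hit))
```

The same two checks belong on the Azure-side backend as well when it is reached through a public IP; there the source-IP half can be expressed as an NSG rule allowing the AzureFrontDoor.Backend service tag, leaving only the header comparison to the application or reverse proxy.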

