Welcome to Microsoft Q&A! Thanks for posting the question.
Firstly, apologies for the delayed response here.
3.While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a global service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers etc. that is within the scale unit. Based on your scenario you could leverage Front Door, you may check key scenarios why one should use Application Gateway behind Front Door here: https://learn.microsoft.com/azure/frontdoor/front-door-faq
1 & 2
Just to highlight, Azure offers several ways to host websites: Azure App Service WebApps (PAAS solution), Virtual Machines (IAAS), Service Fabric, Azure Storage (for static website) and Azure Static Web Apps.
Kindly see Decision tree for Azure compute services. I’m not sure if you’re running this on VM, if you run the scan again does it show different results or comparable report (to previous scan)? I understand you have already connected with Qualys support on this issue. I have also checked the doc ‘Securing Microsoft Azure with Qualys’ for configuration details. AFAIK, the Configuration aspects for different Azure Services could be different for Qualys scan.
Note: This response contains a reference to a third-party World Wide Web site. I'm just providing this information as a convenience to you.
Kindly checkout this document for illustration -Integrated vulnerability scanner for virtual machines (standard tier only).
What prerequisites and permissions are required to install the Qualys extension?
You'll need write permissions for any VM on which you want to deploy the extension.
The Azure Security Center Vulnerability Assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So, it runs as Local Host on Windows, and Root on Linux.
During setup, Security Center checks to ensure that the VM can communicate with Qualys's cloud service on the following two IP addresses (via port 443 - the default for HTTPS):
• 64.39.104.113
• 154.59.121.74
If you still need further assistance on this issue, I wish to engage with you offline for a much closer look, please send an email with subject line “Attn:Ajay” to AzCommunity[at]Microsoft[dot]com referencing this thread, Azure subscription ID, I will follow-up with you.