DDoS protection on Front Door

By using Azure Front Door, you can protect your application from distributed denial of service (DDoS) attacks. Azure Front Door offers several features and characteristics that can block attackers from reaching your application and affecting its availability and performance.

Infrastructure DDoS protection

Azure Front Door benefits from the default Azure infrastructure DDoS protection. This protection monitors and mitigates network layer attacks in real time by using the global scale and capacity of Front Door’s network. This protection has a proven track record in safeguarding Microsoft’s enterprise and consumer services from large-scale attacks.

Protocol blocking

Azure Front Door supports only the HTTP and HTTPS protocols, and requires a valid `Host`` header for each request. This behavior helps to prevent some common DDoS attack types such as volumetric attacks that use various protocols and ports, DNS amplification attacks, and TCP poisoning attacks.

Capacity absorption

Azure Front Door is a large-scale, globally distributed service. It serves many customers, including Microsoft’s own cloud products that handle hundreds of thousands of requests per second. Front Door is situated at the edge of Azure’s network, where it can intercept and geographically isolate large volume attacks. Therefore, Front Door can prevent malicious traffic from reaching beyond the edge of the Azure network.


You can use Front Door’s caching capabilities to protect your backends from large traffic volumes generated by an attack. Front Door edge nodes return cached resources and avoid forwarding them to your backend. Even short cache expiry times (seconds or minutes) on dynamic responses can significantly reduce the load on your backend services. For more information about caching concepts and patterns, see Caching considerations and Cache-aside pattern.

Web Application Firewall (WAF)

You can use Front Door's Web Application Firewall (WAF) to mitigate many different types of attacks:

  • The managed rule set protects your application from many common attacks. For more information, see Managed rules.
  • You can block or redirect traffic from outside or inside a specific geographic region to a static webpage. For more information, see Geo-filtering.
  • You can block IP addresses and ranges that you identify as malicious. For more information, see IP restrictions.
  • You can apply rate limiting to prevent IP addresses from calling your service too frequently. For more information, see Rate limiting.
  • You can create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures.
  • The bot protection managed rule set protects your application from known bad bots. For more information, see Configuring bot protection.

Refer to Application DDoS protection for guidance on how to use Azure WAF to protect against DDoS attacks.

Protect virtual network origins

To protect your public IPs from DDoS attacks, enable Azure DDoS Protection on the origin virtual network. DDoS Protection customers receive extra benefits such as cost protection, SLA guarantee, and access to experts from the DDoS Rapid Response Team for immediate assistance during an attack.

Next steps