DDoS protection on Front Door

Azure Front Door has several features and characteristics that can help to prevent distributed denial of service (DDoS) attacks. These features can prevent attackers from reaching your application and affecting your application's availability and performance.

Infrastructure DDoS protection

Front Door is protected by the default Azure infrastructure DDoS protection. The full scale and capacity of Front Door's globally deployed network provides defense against common network layer attacks through always-on traffic monitoring and real-time mitigation. This infrastructure DDoS protection has a proven track record in protecting Microsoft's enterprise and consumer services from large-scale attacks.

Protocol blocking

Front Door only accepts traffic on the HTTP and HTTPS protocols, and will only process valid requests with a known Host header. This behavior helps to mitigate some common DDoS attack types including volumetric attacks that are spread across a range of protocols and ports, DNS amplification attacks, and TCP poisoning attacks.

Capacity absorption

Front Door is a large scaled, globally distributed service. We have many customers, including Microsoft's own large-scale cloud products that receive hundreds of thousands of requests each second. Front Door is located at the edge of Azure's network, absorbing and geographically isolating large volume attacks. This can prevent malicious traffic from going any further than the edge of the Azure network.

Caching

Front Door's caching capabilities can be used to protect backends from large traffic volumes generated by an attack. Cached resources will be returned from the Front Door edge nodes so they don't get forwarded to your backend. Even short cache expiry times (seconds or minutes) on dynamic responses can greatly reduce load on backend services. For more information about caching concepts and patterns, see Caching considerations and Cache-aside pattern.

Web Application Firewall (WAF)

Front Door's Web Application Firewall (WAF) can be used to mitigate many different types of attacks:

  • Using the managed rule set provides protection against many common attacks.
  • Traffic from outside a defined geographic region, or within a defined region, can be blocked or redirected to a static webpage. For more information, see Geo-filtering.
  • IP addresses and ranges that you identify as malicious can be blocked.
  • Rate limiting can be applied to prevent IP addresses from calling your service too frequently.
  • You can create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures.

Protect VNet origins

Enable Azure DDoS Protection on the origin VNet to protect your public IPs against DDoS attacks. DDoS Protection customers receive extra benefits including cost protection, SLA guarantee, and access to experts from the DDoS Rapid Response Team for immediate help during an attack.

Next steps