Using Azure Front Door to achieve geo-acceleration

This article explains how to configure Microsoft Entra application proxy to work with Azure Front Door (AFD) to reduce latency and improve performance.

What is Azure Front Door?

Azure Front Door helps deliver low-latency, high-throughput content at scale from the cloud or on-premises infrastructure to users anywhere. Accelerate static and dynamic content delivery with a unified platform built on the massively scalable Microsoft private global network. For more information about Azure Front Door, see What is Azure Front Door?.

Deployment steps

This article guides you through the steps to securely expose a web application on the Internet by integrating Microsoft Entra application proxy with Azure Front Door. In this guide, we use the Microsoft Entra admin center. The reference architecture for this deployment is shown below.

Diagram of deployment described.

Prerequisites

  • A Front Door Service – Standard or Classic tier
  • Apps that exist in a single region.
  • A custom domain to use for the application.
  • Licensing: Application Proxy is available through a Microsoft Entra ID P1 or P2 subscription. For a full list of licensing options and features, see Microsoft Entra pricing.

Application Proxy Configuration

Follow these steps to configure Application Proxy for Front Door:

  1. Install a connector in the location where your app instances will be (for example, US West). Assign the connector to a connector group for the matching region (for example, North America).
  2. Set up your app instance with Application Proxy as follows:
    • Set the Internal URL to the address users access the app from on the internal network, for example, contoso.org.
    • Set the External URL to the domain address you want users to access the app from. For this, you must configure a custom domain for your application, for example, contoso.org. Reference: Custom domains in Microsoft Entra application proxy
    • Assign the application to the appropriate connector group (for example, North America).
    • Note down the URL that Application Proxy generated for accessing the application, for example, contoso.msappproxy.net.
    • For the application, configure a CNAME entry with your DNS provider that points the external URL to the Front Door’s endpoint, for example, ‘contoso.org’ to contoso.msappproxy.net.
  3. In the Front Door service, use the URL that Application Proxy generated for the app as the backend in the backend pool, for example, contoso.msappproxy.net.

Sample Application Proxy Configuration

The following table shows a sample Application Proxy configuration. The sample scenario uses the sample application domain www.contoso.org as the External URL.

Configuration      Value              Additional information
Internal URL       nam.contoso.com
External URL       contoso.org        Configure a custom domain for users to access the app from.
Connector group    North America      Select the connector group in the geo closest to where the app instance will be, for optimized performance.

Front Door Configuration

Azure Front Door is offered in different tiers, including Standard, Premium, and Classic. Select a tier based on your requirements. For a comparison of the tiers, see Azure Front Door tier comparison.

For the Front Door Standard tier, the configuration steps that follow use the following definitions:

  • Endpoint name: A globally unique name for the endpoint. You can also onboard custom domains. For example, the Front Door endpoint name contoso-nam generates the endpoint host name contoso-nam.azurefd.net, and the custom domain host name is contoso.org.
  • Origin: Origins are your application servers. Front Door routes client requests to origins based on the type, ports, priority, and weight you specify here.
  • Origin type: The type of resource you want to add. Front Door supports auto-discovery of your application backends from App Service, Cloud Service, or Storage. If you want a different resource in Azure, or even a non-Azure backend, select Custom host. For example, select Custom host when the backend is an Application Proxy service.
  • Origin host name: The backend origin host name. For example, contoso.msappproxy.net
  • Origin host header: The Host header value sent to the backend with each request. For example, contoso.org. For more information, see Origins and origin groups – Azure Front Door.

Follow these steps to configure the Front Door Service (Standard):

  1. Create a Front Door (Standard) with the configuration below:
    • Add an Endpoint name, which generates the Front Door’s default domain under azurefd.net. For example, contoso-nam generates the endpoint host name contoso-nam.azurefd.net.
    • Add an Origin type for the type of backend resource. For example, Custom for the Application Proxy resource.
    • Add an Origin host name to represent the backend host name. For example, contoso.msappproxy.net
    • Optional: Enable Caching for the routing rule for Front Door to cache your static content.
  2. Verify that the deployment is complete and the Front Door service is ready.
  3. To give your Front Door service a user-friendly domain host name, create a CNAME record with your DNS provider for your Application Proxy External URL that points to the Front Door’s domain host name (generated by the Front Door service). For example, contoso.org points to contoso.azurefd.net. Reference: How to add a custom domain - Azure Front Door
  4. As described in that reference, on the Front Door service dashboard, go to Front Door Manager and add a domain with the custom host name. For example, contoso.org
  5. Go to Origin groups in the Front Door service dashboard, select the origin name, and validate that the Origin host header matches the domain of the backend. In this example, the Origin host header should be contoso.org.

Configuration      Value                                                      Additional information
Endpoint name      • Endpoint name: contoso-nam                                A custom domain host name must be used here.
                   • Front Door generated host name: contoso-nam.azurefd.net
                   • Custom domain host name: contoso.org
Origin host name   contoso.msappproxy.net                                      The URL generated for the app by Application Proxy must be used here.
Connector group    North America                                               Select the connector group in the geo closest to where the app instance will be, for optimized performance.
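The Application Proxy steps and the Front Door steps above only work together when four values agree: the public DNS CNAME for the external URL must land on the Front Door endpoint host name (otherwise clients bypass Front Door and any WAF policy attached to it), the Front Door origin must be the host name Application Proxy generated, the origin host header must equal the External URL (Application Proxy matches the incoming Host header against the External URL configured for the custom domain), and the custom domain must be added in Front Door Manager. The following script is an added example, not code from the article or from Microsoft; it models those relationships and reports mismatches. The Deployment dataclass, the check function names, the sample DNS zone, and all host names are constructed for this example; only the azurefd.net and msappproxy.net suffixes are the services' real domains.

```python
"""Consistency checks for an Application Proxy + Azure Front Door deployment (added example).

    client --DNS CNAME--> Front Door endpoint (custom domain onboarded)
           --origin-----> App Proxy generated host (Host header = custom domain)

All host names are constructed sample values; only the suffixes azurefd.net and
msappproxy.net are the real service domains.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

APP_PROXY_SUFFIX = ".msappproxy.net"

# name -> CNAME target, or None when the name has no CNAME record
Resolver = Callable[[str], Optional[str]]


@dataclass
class Deployment:
    external_url: str        # custom domain users type; also the App Proxy External URL
    app_proxy_host: str      # host name App Proxy generated, e.g. <app>.msappproxy.net
    fd_endpoint_host: str    # Front Door endpoint host, e.g. <name>.azurefd.net
    origin_host_name: str    # Front Door origin host name (where requests are forwarded)
    origin_host_header: str  # Host header Front Door sets on requests to the origin
    fd_custom_domains: List[str] = field(default_factory=list)  # domains added in Front Door Manager


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def follow_cname(name: str, resolve: Resolver, max_hops: int = 8) -> List[str]:
    """Walk a CNAME chain and return every name visited, final target last.
    Bounded by max_hops and loop detection so a broken zone cannot hang the check."""
    chain = [_norm(name)]
    while len(chain) <= max_hops:
        target = resolve(chain[-1])
        if target is None:
            break
        target = _norm(target)
        chain.append(target)
        if chain.count(target) > 1:  # CNAME loop: record the repeat, then stop
            break
    return chain


def check_deployment(d: Deployment, resolve: Resolver) -> List[str]:
    """Return a list of findings; an empty list means the pieces line up."""
    findings: List[str] = []
    ext = _norm(d.external_url)
    chain = follow_cname(ext, resolve)

    # 1. The public name must reach the Front Door endpoint, or Front Door is bypassed.
    if _norm(d.fd_endpoint_host) not in chain:
        findings.append(f"DNS: {ext} does not CNAME to {d.fd_endpoint_host} (chain: {' -> '.join(chain)})")
    if any(h.endswith(APP_PROXY_SUFFIX) for h in chain):
        findings.append(f"DNS: {ext} resolves directly to Application Proxy, so clients bypass Front Door")

    # 2. The origin is the App Proxy generated host; pointing it at the custom domain
    #    would send Front Door's requests back to itself.
    if _norm(d.origin_host_name) != _norm(d.app_proxy_host):
        findings.append(f"Origin: host name {d.origin_host_name} is not the App Proxy URL {d.app_proxy_host}")
    if _norm(d.origin_host_name) == ext:
        findings.append("Origin: host name equals the external URL; requests would loop through Front Door")

    # 3. App Proxy matches the Host header against the External URL, so the origin
    #    host header must be the custom domain, not the msappproxy name.
    if _norm(d.origin_host_header) != ext:
        findings.append(f"Origin: host header {d.origin_host_header} must equal External URL {ext}")

    # 4. Front Door serves a custom domain only after it has been added.
    if ext not in {_norm(c) for c in d.fd_custom_domains}:
        findings.append(f"Front Door: custom domain {ext} is not onboarded")
    return findings


# Constructed sample zone (CNAME records only), standing in for the DNS provider.
SAMPLE_ZONE: Dict[str, str] = {"contoso.org": "contoso-nam.azurefd.net"}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ZONE.get(_norm(name))


GOOD = Deployment(external_url="contoso.org", app_proxy_host="contoso.msappproxy.net",
                  fd_endpoint_host="contoso-nam.azurefd.net", origin_host_name="contoso.msappproxy.net",
                  origin_host_header="contoso.org", fd_custom_domains=["contoso.org"])

# Same deployment with two common mistakes: the CNAME points at App Proxy instead of
# Front Door, and the origin host header was left at the msappproxy name.
BAD_ZONE: Dict[str, str] = {"contoso.org": "contoso.msappproxy.net"}
BAD = Deployment(external_url="contoso.org", app_proxy_host="contoso.msappproxy.net",
                 fd_endpoint_host="contoso-nam.azurefd.net", origin_host_name="contoso.msappproxy.net",
                 origin_host_header="contoso.msappproxy.net", fd_custom_domains=["contoso.org"])


def check_bad() -> List[str]:
    return check_deployment(BAD, lambda n: BAD_ZONE.get(_norm(n)))


if __name__ == "__main__":
    print("good ->", check_deployment(GOOD, sample_resolver) or "OK")
    for finding in check_bad():
        print("bad  ->", finding)
```

For a live check, replace sample_resolver with a function that performs a real CNAME lookup (for example with dnspython) and returns the target or None; the rest of the logic is unchanged. The loop bound in follow_cname matters in practice because a misconfigured zone can CNAME names back onto each other.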

Screenshot of Azure Front Door Configuration 1.

Screenshot of Azure Front Door Configuration 2.

Screenshot of Azure Front Door Configuration 3.

Next steps

To prevent false positives, learn how to customize Web Application Firewall rules, configure Web Application Firewall exclusion lists, or create Web Application Firewall custom rules.