Azure Front Door is typically used to ensure that users can
access web applications in the event of a regional outage, to balance requests
between instances, and to support rate limiting. It works well with CDN: Azure
Front Door focuses on global load balancing and site acceleration, while Azure CDN
offers static content caching and acceleration. By bringing security with
threat protection and advanced OWASP capabilities, Azure Front Door makes CDN a
remarkable cloud-native solution.

By itself, Azure Front Door enables us to define, manage,
and monitor global routing for our web traffic, optimizing for best
performance and instant global failover for high availability. With Front Door,
we can transform our global (multi-region) consumer and enterprise applications
into robust, high-performance, and personalized modern applications, APIs, and
content that reach a global audience with Azure. Azure Front Door works at
Layer 7 (the HTTP/HTTPS layer) and uses the anycast protocol with split TCP and
Microsoft's global network to improve global connectivity.

If we are designing a microservice architecture that will be
hosted in an Azure Kubernetes Service cluster, and all its consumers are on the
same virtual network, then those microservices can be exposed to the consumer
apps via an Azure API Management Premium tier with a virtual network connection.
This would allow all ingress access to the microservices to be restricted
to a single private IP address and protected by mutual TLS authentication. It
would also facilitate rate limiting of incoming microservice calls. In such a
case, the use of Azure Front Door is not advisable. On the other hand, if we
deploy multiple instances of Azure Web Applications across several regions
and need an access solution that can balance requests across all
instances and ensure business continuity in the face of regional outages, then
Azure Front Door is advisable.

Both Azure Traffic Manager and Azure Front Door can perform
global load balancing of web traffic across Azure regions, and regional load
balancing can be performed by Azure Application Gateway, giving complementary
capabilities at the global and regional levels. However, Azure Front Door and
Application Gateway can monitor and secure web requests better than the
routing rules of Traffic Manager alone.

The WAF is one of the most critical pieces for managing the
ingress traffic to the web applications. It implements the open source OWASP
ModSecurity Core Rule Set (CRS), which is a set of general attack detection rules. The
CRS aims to protect web applications from a wide range of attacks,
including the OWASP Top Ten, with a minimum of false alerts. The top attack
categories include SQL injection, cross-site scripting, local file inclusion,
remote file inclusion, code injection, HTTPoxy (HTTP requests through a proxy),
Shellshock, shell injection, session fixation, bot detection, and error
leakages. The most recent version released is 3.3.5 and includes security
fixes, non-breaking changes, and other improvements. Many IaC providers offer
only lower versions, and the public cloud resource management itself lags the
most recent versions. The OWASP 3.0 rule set is good enough to cover almost all the top
attack categories.
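
As an added illustration (not from the original post), this is how the managed rule set version gets pinned in IaC, assuming Terraform's azurerm provider and an Application Gateway WAF policy. The resource names and location are placeholders.

```hcl
# Added example: resource names and location are hypothetical placeholders.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "waf" {
  name     = "rg-waf-example"
  location = "eastus"
}

resource "azurerm_web_application_firewall_policy" "waf" {
  name                = "wafpolicy-example"
  resource_group_name = azurerm_resource_group.waf.name
  location            = azurerm_resource_group.waf.location

  policy_settings {
    enabled = true
    # "Detection" only logs matches; "Prevention" blocks matching requests.
    mode = "Prevention"
  }

  managed_rules {
    managed_rule_set {
      # The provider accepts only the versions the platform exposes, which
      # trail the upstream CRS releases mentioned in the text.
      type    = "OWASP"
      version = "3.0"
    }
  }
}
```

Running `terraform validate` against the installed provider version shows which rule set versions it currently accepts.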