In November of 2022, we launched the zero downtime migration tool in public preview and received a lot of feedback and interest from our users. We truly appreciate your participation and input very much. We’re happy to announce the migration capability is now generally available with improvements in reliability and stability.
We’re also happy to announce the general availability of both Managed Identity for Azure Front Door retrieval of your own certificate from Azure Key Vault and upgrade your tier from standard to premium with this release. To migrate from classic to standard/premium, you need to enable Managed Identity as a required step if you’re using your own certification.
Migration from classic to standard/premium tier overview
- The migration completes in just three simple steps or five steps depending on if bring your own certificate is enabled with zero downtime.
- The migration takes a few minutes to complete depending on the complexity of the classic instance, such as number of domains, backend pools, routes, and other configurations.
- WAF policies and configurations associated with the classic instance can be copied to the new Front Door profile tier. Customers can also use an existing standard or premium WAF policy that matches the tier.
- Migration can be performed via portal and PowerShell Az.Cdn 3.1.0.
Major improvements from public preview to general availability
The following are major improvements in this release based on the preview feedback:
- We switched to an async model for the validation and preparation phase of migration. This reduces the failure rate of these two steps due to timeout and is helpful for classic instances with multiple resources, such as domains, routing rules, backend pool, etc. We have seen zero timeout for existing customers with this change.
- Enhanced the reliability of committing to migration by splitting batch requests into smaller chunks with zero failures for existing customers in the past months.
- Further stabilized the Creation, Read, Update and Delete (CRUD) operations on both Azure Front Door Standard/Premium and Web Application Firewall (WAF) resources post migration.
- There were bugs causing metrics to not show up in migrated profiles. These bugs have been addressed and we haven’t seen such cases for newly migrated resources in the past 2-3 months.
- We allow deleting a custom domain with Azure Front Door (classic) once the CNAME has been changed to Azure Front Door Standard/Premium endpoint.
- Released PowerShell Az.Cdn 3.1.0 to support Dev-Ops and batch migration.
Notable changes post migration
- DevOps: Azure Front Door Standard and Premium uses a different resource provider namespace Microsoft.Cdn, while Azure Front Door (classic) uses Microsoft.Network.
- Endpoint: The new Front Door endpoint gets generated with a hash value to prevent domain takeover, in the format of endpointname-hashvalue.z01.azurefd.net. The classic endpoint name will continue to work after migration. However, it is recommended to replace it with the newly created endpoint in Azure Front Door Standard and Premium.
- Diagnostic logs and metrics won’t be migrated because there are different log fields among classic and new tiers. It is recommended to enable log after migration.
- Azure Policy for WAF is not supported on Azure Front Door Standard/Premium yet.
Migration pricing assessment
Azure Front Door Standard and Premium and Azure Front Door Classic have different pricing models. When migrating from Azure Front Door (classic) to Standard or Premium, we recommend you do a cost analysis to understand the pricing differences between the tiers. Unlike the Classic SKU, each Azure Front Door Standard and Premium profile incurs an hourly base fee. The rate you're charged depends on the Azure Front Door SKU that you deploy. In most cases, Azure Front Door Standard and Premium have a lower total cost of ownership than Azure Front Door (classic). If you have a request-heavy workload, it's recommended to estimate the impact of the request meters of the new tiers. If you have multiple instances of Azure Front Door, it's recommended to estimate the impact of the base fee of the new tiers. You should migrate only the workloads you need and delete any Azure Front Door (classic) unused resources. You can find more information on Pricing - Front Door | Microsoft Azure and Azure Front Door Tiers Pricing Comparison.
Start migration now!
Azure Front Door Classic will remain operational for the time-being, but it is recommended for customers to migrate to the Azure Front Door Standard and Premium because these SKUs offer better reporting and diagnostic capabilities, enhanced rules engine with server variables, better Web Application Firewall (latest DRS rule set, Bot protection, Web Application Firewall Notebook using Sentinel for security investigation and monitoring, Microsoft Sentinel Analytics) and security capabilities (Private Link connectivity to your origin, subdomain takeover prevention), and many new upcoming features that you can benefit from. We encourage you to begin planning migration in the near future. One of the new upcoming features that is already in private preview is WebSocket. We will also share previews for some other highly requested features soon. If you are interested in trying out WebSocket or want to learn more about the upcoming features, please reach out to afdprivatepreview@microsoft.com or your sales representatives.
For more details on Migration, please read the following articles.
About Azure Front Door (classic) to Standard/Premium tier migration
Mapping between Azure Front Door (classic) and Standard/Premium tier
Migrate Azure Front Door (classic) to Standard/Premium tier using the Azure portal
Azure Front Door tiers pricing comparison
Migrate Azure Front Door (classic) to Standard/Premium tier with Azure PowerShell