cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Can Azure Front Door serve private backends

Steve DiStefano
Microsoft

‎Nov 03 2021 10:20 AM

‎Nov 03 2021 10:20 AM

Can Azure Front Door serve private backends

Customer has deployed a Azure Landing Zone in West US and after much success, deployed a replica in several other GEOs (Canada, EMEA, AP, India) to serve the world.   So now they have 5 of them.

Each GEO has its own GEO specific set of Web URLs which point to http web apps:

  • contosoUS.application.com
  • contosoEU.application.com
  • contosoAU.application.com
  • …etc.

 

Each Landing Zone uses the same Hub and Spoke architecture (data sovereign) where each of the 5 Hubs includes F5 WAF appliances, which take ingress web access (routed via DNS CNAME to Traffic Manager to Load Balancer in front of the F5 WAFs) where the F5 WAF then performs the firewalling, SSL offload, and forwards to a private peered VNet in that GEO containing either:

  • AKS (Private cluster)
  • ASEV2 (ILB version)
  • SF Cluster FE nodes with private IP addressed front ends.

In the AFD docs, I see “Front Door backends refers to the host name or public IP of your application that serves your client requests. Backends shouldn't be confused with your database tier, storage tier, and so on. Backends should be viewed as the public endpoint for your application backend.”

 

So in this case, I don’t think I can propose replacing all 5 WAFs with a single AFD?   Is this the case?   I cant replace all 5 WAF clusters with one front door handling all 5 custom domains?

 

2,874 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Steve DiStefano (Microsoft)
Steve DiStefano

‎Nov 03 2021 01:19 PM

‎Nov 03 2021 01:19 PM

Solution

Re: Can Azure Front Door serve private backends

I received a email reply from the Product Group:
<SNIP>
No, you SHOULD consider replacing 5 WAF with a central WAF on Front Door. The document essentially is saying that the backends of AFD should be on public IP, accessible by Front Door. The backend public IP can be locked down to talk to only Front Door and not directly accessible by customers from internet. Refer to documentation here - https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-...

Additionally with Front Door premium we also integrate with Private Link, and so if the backend LB exposes a private link then we can talk to it directly using private IP. This is currently in preview. https://docs.microsoft.com/en-us/azure/frontdoor/standard-premium/concept-private-link
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Steve DiStefano (Microsoft)
Steve DiStefano

‎Nov 03 2021 01:19 PM

‎Nov 03 2021 01:19 PM

Solution

Re: Can Azure Front Door serve private backends

I received a email reply from the Product Group:
<SNIP>
No, you SHOULD consider replacing 5 WAF with a central WAF on Front Door. The document essentially is saying that the backends of AFD should be on public IP, accessible by Front Door. The backend public IP can be locked down to talk to only Front Door and not directly accessible by customers from internet. Refer to documentation here - https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-...

Additionally with Front Door premium we also integrate with Private Link, and so if the backend LB exposes a private link then we can talk to it directly using private IP. This is currently in preview. https://docs.microsoft.com/en-us/azure/frontdoor/standard-premium/concept-private-link

View solution in original post

0 Likes
Reply