SOLVED

Can Azure Front Door serve private backends


Customer has deployed an Azure Landing Zone in West US and, after much success, deployed a replica in several other GEOs (Canada, EMEA, AP, India) to serve the world. So now they have 5 of them.

Each GEO has its own GEO-specific set of web URLs which point to HTTP web apps:

  • contosoUS.application.com
  • contosoEU.application.com
  • contosoAU.application.com
  • …etc.
Each Landing Zone uses the same Hub and Spoke architecture (data sovereign) where each of the 5 Hubs includes F5 WAF appliances, which take ingress web access (routed via DNS CNAME to Traffic Manager to Load Balancer in front of the F5 WAFs) where the F5 WAF then performs the firewalling, SSL offload, and forwards to a private peered VNet in that GEO containing either:

  • AKS (Private cluster)
  • ASEV2 (ILB version)
  • SF Cluster FE nodes with private IP addressed front ends.

In the AFD docs, I see “Front Door backends refers to the host name or public IP of your application that serves your client requests. Backends shouldn't be confused with your database tier, storage tier, and so on. Backends should be viewed as the public endpoint for your application backend.”
So in this case, I don't think I can propose replacing all 5 WAFs with a single AFD? Is this the case? I can't replace all 5 WAF clusters with one Front Door handling all 5 custom domains?
1 Reply
best response confirmed by Steve DiStefano (Microsoft)
Solution
I received an email reply from the Product Group:
<SNIP>
No, you SHOULD consider replacing 5 WAF with a central WAF on Front Door. The document essentially is saying that the backends of AFD should be on public IP, accessible by Front Door. The backend public IP can be locked down to talk to only Front Door and not directly accessible by customers from internet. Refer to documentation here - https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-...

Additionally with Front Door premium we also integrate with Private Link, and so if the backend LB exposes a private link then we can talk to it directly using private IP. This is currently in preview. https://docs.microsoft.com/en-us/azure/frontdoor/standard-premium/concept-private-link
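The reply above says the backend's public IP "can be locked down to talk to only Front Door". In practice that lock-down has two parts, and the second is the one people forget: restricting the source address to the Front Door backend address space (the AzureFrontDoor.Backend service tag) only proves the request came from *some* Front Door, because every tenant egresses from the same shared ranges; the request is tied to *your* profile by checking that the X-Azure-FDID header carries your Front Door ID. The snippet below is an added example written for this thread, not code from the original post or from Microsoft. The address prefixes and the profile ID in it are constructed placeholders; the real prefixes come from the Azure service-tag download and the real ID from your Front Door profile.

```python
"""Backend-side check that a request really arrived via *your* Azure Front Door.

Added example (not from the original thread). Implements the two controls the
Front Door FAQ describes for locking a backend down:
  1. accept traffic only from the AzureFrontDoor.Backend address space, and
  2. require X-Azure-FDID to equal your own Front Door ID, because the egress
     ranges in (1) are shared by every Front Door tenant.
"""
from __future__ import annotations

import hmac
import ipaddress
from typing import Iterable, Mapping

# Constructed placeholder prefixes standing in for the AzureFrontDoor.Backend
# service tag. Load the current list from the Azure service-tag download in
# production; these are documentation ranges and will never match real traffic.
FRONT_DOOR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),      # TEST-NET-3 (constructed)
    ipaddress.ip_network("2001:db8:fd00::/48"),  # IPv6 doc range (constructed)
]

# Constructed placeholder for the Front Door ID shown on the profile overview.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def is_front_door_address(source_ip: str,
                          prefixes: Iterable = FRONT_DOOR_PREFIXES) -> bool:
    """True if source_ip falls inside one of the allowed Front Door prefixes."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # Garbage in the source-address field is never trusted.
        return False
    return any(addr in net for net in prefixes)


def has_expected_fdid(headers: Mapping[str, str],
                      expected: str = EXPECTED_FDID) -> bool:
    """True if the request carries X-Azure-FDID equal to our own profile ID."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    fdid = lowered.get("x-azure-fdid")
    if fdid is None:
        return False
    # Constant-time compare; the ID is not a secret, but it costs nothing.
    return hmac.compare_digest(fdid.strip(), expected)


def accept_request(source_ip: str, headers: Mapping[str, str],
                   prefixes: Iterable = FRONT_DOOR_PREFIXES,
                   expected_fdid: str = EXPECTED_FDID) -> tuple[bool, str]:
    """Combine both checks; the reason string is what you would log on reject."""
    if not is_front_door_address(source_ip, prefixes):
        return False, "source address is not in the Front Door backend range"
    if not has_expected_fdid(headers, expected_fdid):
        return False, "missing or mismatched X-Azure-FDID header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one from a Front Door range
    # but a different tenant, one direct from the internet.
    samples = [
        ("203.0.113.7", {"X-Azure-FDID": EXPECTED_FDID}),
        ("203.0.113.7", {"X-Azure-FDID": "11111111-1111-1111-1111-111111111111"}),
        ("198.51.100.9", {"X-Azure-FDID": EXPECTED_FDID}),
    ]
    for ip, hdrs in samples:
        ok, reason = accept_request(ip, hdrs)
        print(f"{ip:<14} accepted={ok!s:<5} {reason}")
```

The same two controls map onto Azure-native settings without application code: an NSG or App Service access restriction scoped to the AzureFrontDoor.Backend service tag covers the address check, and an HTTP-header restriction (or WAF/ingress rule) on X-Azure-FDID covers the profile check. Rejections that fail only the header check are worth alerting on, since they indicate a request that reached the backend through a Front Door that is not yours.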