Customer has deployed an Azure Landing Zone in West US and, after much success, deployed a replica in several other GEOs (Canada, EMEA, AP, India) to serve the world. So now they have 5 of them.
Each GEO has its own GEO-specific set of web URLs which point to HTTP web apps:
Each Landing Zone uses the same Hub and Spoke architecture (data-sovereign), where each of the 5 Hubs includes F5 WAF appliances which take ingress web access (routed via DNS CNAME to Traffic Manager, then to a Load Balancer in front of the F5 WAFs). The F5 WAF then performs the firewalling and SSL offload and forwards to a privately peered VNet in that GEO containing either:
- AKS (Private cluster)
- ASEV2 (ILB version)
- SF Cluster FE nodes with private-IP-addressed front ends.
In the AFD docs, I see “Front Door backends refers to the host name or public IP of your application that serves your client requests. Backends shouldn't be confused with your database tier, storage tier, and so on. Backends should be viewed as the public endpoint for your application backend.”
So in this case, I don’t think I can propose replacing all 5 WAFs with a single AFD. Is this the case? I can’t replace all 5 WAF clusters with one Front Door handling all 5 custom domains?