
AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

Domain 3: Application Delivery Services Premium ⏱ ~13 min read

Azure Front Door: Global Delivery

Master Azure Front Door for global HTTP load balancing: Standard vs Premium tiers, caching, Private Link origins, rules engine, and comparison with Application Gateway.


Azure Front Door is a global Layer 7 load balancer with CDN, WAF, and acceleration built in. It uses Microsoft’s global edge network (200+ PoPs) to deliver content with the lowest latency.

☕ Simple explanation

Front Door is your global receptionist: users worldwide connect to the nearest edge location (118+ globally), and Front Door routes their request to the best backend using Microsoft’s private backbone. It combines global load balancing, CDN caching, and WAF in one service.

Azure Front Door is a global Layer 7 application delivery network with HTTP/HTTPS load balancing, CDN caching, WAF, and traffic acceleration. Users connect to the nearest Microsoft PoP. Front Door routes over the private backbone to the best origin. Standard tier for CDN/basic WAF; Premium adds managed WAF rules and Private Link origins.

Front Door Tiers

Front Door Standard vs Premium
| Feature | Standard | Premium |
|---|---|---|
| CDN / Caching | Yes | Yes |
| Custom domains + TLS | Yes | Yes |
| WAF: Custom rules | Yes | Yes |
| WAF: Managed rules (DRS) | No | Yes |
| WAF: Bot protection | No | Yes |
| Private Link origins | No | Yes (connect to origins without public IPs) |
| Enhanced analytics | Basic reports | Advanced analytics + WAF logs |
| Origin health probes | Yes | Yes |
| Rules engine | Yes | Yes |
| DDoS protection | Built-in | Built-in + enhanced |

Exam Tip: The two Premium-only features the exam loves to test: managed WAF rules (DRS) and Private Link origins. If a question mentions connecting to a backend without a public IP through Front Door, the answer is Premium with Private Link.

Front Door Components

| Component | Purpose |
|---|---|
| Endpoint | The Front Door hostname clients connect to (e.g., myapp.azurefd.net or custom domain) |
| Route | Maps incoming URL patterns to an origin group. Includes protocol, caching, and rule set configuration. |
| Origin group | A set of origins that serve the same content. Load balancing and health probes are configured here. |
| Origin | The actual backend: App Service, Storage, VM public IP, custom hostname. Each origin has a priority and weight. |
| Rule set | Rules engine for modifying requests/responses (redirects, header rewrites, URL rewrites). |

Traffic flow:

Client → Edge PoP → Endpoint → Route (matches URL pattern)
  → Origin Group (selects healthiest/fastest origin)
    → Origin (your backend server)

Caching and Acceleration

Front Door provides CDN capabilities built in:

  • Caching: Static content is cached at edge PoPs. Configure caching per route: cache based on query string, headers, or full URL.
  • Connection pooling: Front Door maintains persistent connections to origins, reducing latency.
  • Split TCP: Client connects to the nearest edge PoP (fast). Edge PoP connects to origin over optimised Microsoft backbone (fast). This dramatically reduces cold-start latency.

Private Link Origins (Premium Only)

☁️ Elena’s scenario: Skyline Logistics wants to use Front Door for global delivery but doesn’t want their origin servers to have public IP addresses.

With Private Link origins:

  1. Front Door Premium connects to the origin through a private endpoint
  2. The origin doesn’t need a public IP (no internet exposure)
  3. Supported origins: App Service, Storage, Internal Load Balancer, any Private Link service

This is powerful for security: your backend is completely private, and Front Door is the only entry point.
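A check for the tier and Private Link points above, as an added example that is not part of the original guide: it walks a flattened, ARM-style view of Front Door profiles and reports every origin that is not behind an approved Private Link connection. The profile names, hostnames and the flattened layout are constructed for the example; the SKU names and the `sharedPrivateLinkResource` property follow the Microsoft.Cdn resource schema.

```python
# Constructed sample: a flattened, ARM-style view of two Front Door profiles.
# Property names follow the Microsoft.Cdn schema; every value is made up.
PROFILES = [
    {"name": "fd-skyline-prod", "sku": {"name": "Premium_AzureFrontDoor"},
     "origins": [
         {"name": "app-weu", "hostName": "app-weu.example.net",
          "sharedPrivateLinkResource": {"groupId": "sites", "status": "Approved"}},
         {"name": "app-eus", "hostName": "app-eus.example.net",
          "sharedPrivateLinkResource": {"groupId": "sites", "status": "Pending"}},
         {"name": "legacy-vm", "hostName": "203.0.113.10"},
     ]},
    {"name": "fd-skyline-static", "sku": {"name": "Standard_AzureFrontDoor"},
     "origins": [{"name": "assets", "hostName": "assets.example.net"}]},
]


def audit_origins(profiles):
    """Return (profile, origin, finding) for every origin that is not private."""
    findings = []
    for profile in profiles:
        premium = profile["sku"]["name"] == "Premium_AzureFrontDoor"
        for origin in profile["origins"]:
            link = origin.get("sharedPrivateLinkResource")
            if link is None and not premium:
                finding = "Standard tier: Private Link origins unavailable"
            elif link is None:
                finding = "no Private Link configured; reached over a public address"
            elif link.get("status") != "Approved":
                # The private endpoint connection still needs approval on the origin.
                finding = f"Private Link connection is {link.get('status')}"
            else:
                continue  # private and approved
            findings.append((profile["name"], origin["name"], finding))
    return findings


if __name__ == "__main__":
    for row in audit_origins(PROFILES):
        print(" | ".join(row))
```
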

ℹ️ Rules Engine: Customising Traffic

The rules engine lets you modify requests and responses as they pass through Front Door:

Common rules:

  • URL redirect: HTTP to HTTPS, www to non-www
  • URL rewrite: Change the URL path before forwarding to origin (e.g., /v2/api/* to /api/*)
  • Header modification: Add, remove, or overwrite request/response headers
  • Cache override: Force caching or bypass for specific paths
  • Route override: Send matching traffic to a different origin group

Conditions you can match:

  • URL path, query string, HTTP method
  • Request headers (Host, User-Agent, custom)
  • Client IP address, geo-location
  • Protocol (HTTP/HTTPS)

Rules are processed in order within a rule set. Multiple rule sets can be associated with a route.
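Why rule order matters, as an added example that is not part of the original guide: a simplified model of ordered rule evaluation, not Front Door's implementation. The rule layout, the `X-Api-Audience` header and the hostnames are hypothetical, and the model assumes a redirect is answered at the edge and that every condition is matched against the request as it stands when the rule runs.

```python
from fnmatch import fnmatch

# Constructed rule set. The dict layout is this example's own, not Front Door's schema.
RULES = [
    {"order": 4, "match": {"path": "/v2/api/*"},
     "action": ("rewrite", "/v2/api/", "/api/")},
    {"order": 1, "match": {"protocol": "http"}, "action": ("redirect", "https")},
    {"order": 2, "match": {"path": "/v2/api/*"},
     "action": ("set_header", "X-Api-Audience", "public")},
    {"order": 3, "match": {"path": "/v2/api/admin/*"},
     "action": ("set_header", "X-Api-Audience", "admin")},
]


def apply_rules(request, rules):
    """Evaluate rules in ascending 'order'; return a redirect or the forwarded request."""
    req = {**request, "headers": dict(request.get("headers", {}))}
    for rule in sorted(rules, key=lambda r: r["order"]):
        if any(not fnmatch(str(req[field]), pattern)
               for field, pattern in rule["match"].items()):
            continue  # a condition did not match, skip this rule
        kind, *args = rule["action"]
        if kind == "redirect":
            # Assumption: a redirect is answered at the edge, nothing reaches the origin.
            return {"redirect": f"{args[0]}://{req['host']}{req['path']}"}
        if kind == "set_header":
            req["headers"][args[0]] = args[1]  # overwrite: a later rule wins
        elif kind == "rewrite":
            old, new = args
            req["path"] = new + req["path"][len(old):]
    return {"forward": req}


if __name__ == "__main__":
    admin = {"protocol": "https", "host": "shop.example.com",
             "path": "/v2/api/admin/users"}
    print(apply_rules(admin, RULES))
    print(apply_rules({**admin, "protocol": "http"}, RULES))
```

Swapping the order of the two header rules makes the broad `/v2/api/*` rule overwrite the specific admin value, which is the kind of silent change to look for when reviewing a rule set.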

Front Door vs Application Gateway

| Feature | Application Gateway | Azure Front Door |
|---|---|---|
| Scope | Regional | Global (200+ edge PoPs) |
| CDN/Caching | No | Yes (built-in) |
| WAF | Yes (regional) | Yes (global edge) |
| Private Link origins | No | Yes (Premium) |
| Layer | Layer 7 (HTTP/HTTPS) | Layer 7 (HTTP/HTTPS) |
| Path routing | Yes | Yes |
| TLS termination | Yes | Yes |
| WebSocket | Yes | Yes |
| Best for | Regional web apps, internal apps | Global web apps, CDN, global WAF |
| Common pattern | Backend for Front Door | Frontend global entry point |

Common combination: Front Door (global entry) → Application Gateway (regional, with WAF) → Backend VMs. Front Door handles global distribution and caching, AG handles regional routing and additional WAF rules.

Key Takeaways

  • Front Door is global Layer 7; Application Gateway is regional Layer 7
  • Premium adds managed WAF rules, bot protection, and Private Link origins
  • CDN caching and split TCP acceleration are built in
  • Private Link origins keep backends completely private
  • Front Door + Application Gateway is a common enterprise pattern

Test Your Knowledge

Question

What are the two key Premium-only features in Front Door?


Answer

1. Managed WAF rules (Default Rule Set / DRS) and bot protection. 2. Private Link origins: connect to backends without public IPs through a private endpoint.


Question

How does Front Door reduce latency with split TCP?


Answer

Client connects to the nearest edge PoP (short, fast connection). The PoP connects to the origin over Microsoft's optimised backbone (persistent, fast connection). The client doesn't need to traverse the full path to the origin.


Question

What is a Private Link origin?


Answer

A Front Door Premium feature that connects to backend origins through a private endpoint. The origin doesn't need a public IP; Front Door is the only entry point. Supported for App Service, Storage, Internal LB, and Private Link services.



Knowledge Check

Elena needs global CDN with WAF managed rules and backend servers that have no public IPs. Which Front Door tier does she need?

Knowledge Check

What is the typical enterprise pattern for using Front Door with Application Gateway?


Next up: Choosing the Right Load Balancer, the decision guide for picking between LB, Traffic Manager, Application Gateway, and Front Door.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.