Can you use Azure Front Door instead of an SD-WAN?

Take advantage of Microsoft's cloud app infrastructure to manage access to modern cloud-first applications.

Cloud services like Azure are an ideal platform for hosting applications that need a wide reach. Their global scale and the ability to quickly replicate code and content between regions simplifies the process of deployment, while giving your applications increased resilience.

Internet applications have been built at scale for a long time now, and plenty of techniques have been developed to manage connections to them. Load balancers ensure that servers aren't overloaded, routing connections either to alternate local servers or to other sites. DNS round-robin hands out a different server address to each resolver that asks, spreading traffic across sites more or less at random, while anycast advertises a single IP address from many locations and lets internet routing deliver each client to the nearest one; both trust local load balancers to route packets appropriately once traffic arrives. And web application firewalls protect sites from malformed or hostile traffic, updating as new attack patterns are detected.

The result is a complex layer of networking infrastructure between your code and your users — infrastructure that has separate configuration tools for each element, and different management tooling. This infrastructure needs careful tending to ensure it's up to date, with activities logged so that they can be analysed for signals of possible security breaches. Newer technologies like software-defined networking (SDN) don't help, either. Virtual networking appliances still need configuration, still need managing, and above all, still need monitoring.

Introducing Azure Front Door

Microsoft recently launched Azure Front Door as a way of reducing this complexity, bringing existing Azure tools and virtual appliances into a common framework. Front Door's mix of technologies brings together all the elements of a modern web application infrastructure, focusing on supporting microservices and other modern distributed application design patterns.

Setting up Front Door is easy enough. The typical starting point is an application deployed as an Azure Web App in more than one Azure region: a single region works too, but then there is nothing for the global load balancer to choose between (other backend types, such as public IPs or custom hostnames, are also supported). You then create a Front Door for your application as an Azure networking resource, tied to your Azure subscription. It also needs a valid domain name to use as the frontend host for your application; you get an azurefd.net hostname by default and can add your own custom domain, with its TLS certificate, on top.

Once the frontend host is configured, you can configure the backend pool for your application. This is where you list your app instances, together with the health probe (the path, protocol and interval Front Door uses to decide whether an instance is alive) and the load balancing settings that decide how probe results and measured latency pick a backend. Finally you add your first routing rule, which matches requests arriving on your Front Door domain by protocol and path pattern and forwards them to the backend pool; this is also where you choose whether Front Door talks to your backends over HTTPS only.
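The whole of that setup, frontend host, health probe, load balancing settings, backend pool and routing rule, fits in one Bicep template. The template below is an added example, not Microsoft's or the article's own configuration: the Front Door name contoso-fd, the two azurewebsites.net backend hostnames, the /healthz probe path and the resource group you deploy into are all assumptions.

```bicep
// Added example (not Microsoft's or the article's own code): a classic Azure
// Front Door with two regional Web App backends, a health probe, latency-based
// load balancing and one HTTPS routing rule. All names are assumptions.
param frontDoorName string = 'contoso-fd' // frontend host becomes contoso-fd.azurefd.net
param backendHosts array = [
  'contoso-app-westeurope.azurewebsites.net' // assumed Web App in West Europe
  'contoso-app-eastus.azurewebsites.net'     // assumed Web App in East US
]

var frontendName = 'defaultFrontend'
var poolName = 'appPool'
var lbName = 'latencyLb'
var probeName = 'httpsProbe'
// Sub-resources reference each other by ID, so build the parent ID up front.
var fdId = resourceId('Microsoft.Network/frontDoors', frontDoorName)

resource frontDoor 'Microsoft.Network/frontDoors@2020-05-01' = {
  name: frontDoorName
  location: 'global' // Front Door is a global resource, not a regional one
  properties: {
    enabledState: 'Enabled'
    frontendEndpoints: [
      {
        name: frontendName
        properties: {
          hostName: '${frontDoorName}.azurefd.net'
          // Stateless app: no cookie pinning, every request goes to the best backend.
          sessionAffinityEnabledState: 'Disabled'
        }
      }
    ]
    healthProbeSettings: [
      {
        name: probeName
        properties: {
          path: '/healthz' // assumed health endpoint exposed by the app
          protocol: 'Https'
          intervalInSeconds: 30 // bounds how long a dead backend keeps receiving traffic
          healthProbeMethod: 'HEAD'
          enabledState: 'Enabled'
        }
      }
    ]
    loadBalancingSettings: [
      {
        name: lbName
        properties: {
          sampleSize: 4                    // probes considered per backend
          successfulSamplesRequired: 2     // needed to count the backend as healthy
          additionalLatencyMilliseconds: 0 // 0 = always pick the lowest-latency backend
        }
      }
    ]
    backendPools: [
      {
        name: poolName
        properties: {
          backends: [for host in backendHosts: {
            address: host
            backendHostHeader: host // App Service routes on Host, so send the real name
            httpPort: 80
            httpsPort: 443
            priority: 1 // equal priority: both regions active, latency decides
            weight: 50
            enabledState: 'Enabled'
          }]
          loadBalancingSettings: { id: '${fdId}/loadBalancingSettings/${lbName}' }
          healthProbeSettings: { id: '${fdId}/healthProbeSettings/${probeName}' }
        }
      }
    ]
    routingRules: [
      {
        name: 'defaultRoute'
        properties: {
          frontendEndpoints: [ { id: '${fdId}/frontendEndpoints/${frontendName}' } ]
          acceptedProtocols: [ 'Https' ] // TLS terminates at the edge; plain HTTP is refused
          patternsToMatch: [ '/*' ]
          routeConfiguration: {
            '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'
            forwardingProtocol: 'HttpsOnly' // re-encrypt from the edge to the backend
            backendPool: { id: '${fdId}/backendPools/${poolName}' }
          }
          enabledState: 'Enabled'
        }
      }
    ]
  }
}

// Unique ID of this Front Door instance, which backends can demand in X-Azure-FDID.
output frontDoorId string = frontDoor.properties.frontdoorId
```

Deploy it with `az deployment group create --resource-group <your-rg> --template-file frontdoor.bicep`. Accepting only HTTPS at the frontend means clients on plain HTTP get refused rather than redirected; if you want a redirect, add a second routing rule with a redirect configuration instead of widening acceptedProtocols on this one.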

Azure Front Door delivers website acceleration, global load balancing, API fronting, SSL offload and web application firewall running at the edge of Microsoft's global network.

Image: Microsoft

One door to rule them all

By default Front Door sends each request to the healthy backend with the lowest measured latency from the edge that received it, so you get a global load balancer without having to build or configure one. If one of your backend apps dies, traffic is re-routed to another instance as soon as the health probes detect the failure, which makes the probe interval the upper bound on how long users see errors. Beyond the default, Front Door offers three routing methods, latency, priority and weighted, plus session affinity, which is a frontend setting layered on top of whichever method you pick.

If your code keeps per-user state on the server, enable session affinity: Front Door sets a cookie that pins subsequent requests from that client to the same backend. Bear in mind that affinity is only as good as the backend it points at; when that instance fails the user is moved and the server-side state goes with it, so externalising session state is the more robust design. Latency routing sends you to the instance with the best measured response time, priority lets you designate primary instances with others held as backups, and weighted routing lets you define what proportion of traffic each app instance receives.

Getting the price right

Front Door's pricing is complex, as befits a service that's a combination of existing Azure tooling. Some of the pricing is traffic-based, with billing a combination of inbound and outbound data and the number of routing rules built into your load balancing service. Outbound data is charged at a per-GB rate (with a minimum response size of 2KB), with a sliding scale that starts at $0.17/GB for the first 10GB. Things get more expensive if you're operating outside the core Azure regions, with Europe and North America cheaper than South America and India. All inbound data costs are the same wherever you are: $0.01/GB.

Routing rule costs are global, starting at $0.03/hour for the first five rules you use, with each additional rule coming in at $0.012/hour. To add more complexity to the mix, there are additional charges for the built-in web application firewall, with prices per unit, per custom rule per month, per managed ruleset per month, and per million requests processed by either rules or rulesets. The result is a complex matrix of charging models that need to be built into a spreadsheet in order to attempt to predict pricing.

Don't be too scared by the pricing: the various elements of Azure Front Door operate very differently, and it would be hard for Microsoft to build a unified pricing model for the necessary resources.

Front Door vs dedicated networks in business

It's not only external, consumer-facing applications that can take advantage of Azure Front Door. You can also put it in front of your own internal applications, gaining the same edge TLS termination, web application firewall and load balancing. Bear in mind that Front Door is itself a public edge service: your users reach it over the internet, and it forwards to backends inside Azure, so the extra security only counts if those backends are locked down to accept traffic that arrived through Front Door and nothing else. An ExpressRoute connection between your network and Azure's still has its place for the traffic you don't want on the public internet at all.

Controlling access to applications via Front Door reduces the cost and complexity of using WAN connections, even if you're using software-defined WAN (SD-WAN) to manage global connectivity. The combination of public internet and Front Door makes sense, especially if you want to give access to remote workers and to partner organisations. SD-WAN still has a place: it's how you link edge sites to your core, whether in public clouds or on-premises data centers, where you have a lot of data in motion and need a secure, private pipeline.
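The security gain only holds if the apps behind Front Door refuse traffic that didn't come through it: each regional Web App still has its own public azurewebsites.net hostname, and anyone who finds it can bypass the WAF and routing rules entirely. The Bicep below is an added example, not anything from the article or Microsoft's documentation. It applies an App Service access restriction that allows only the AzureFrontDoor.Backend service tag and, because that tag covers every customer's Front Door, additionally requires the request to carry this particular Front Door's ID in the X-Azure-FDID header. The app and Front Door names are assumptions.

```bicep
// Added example (not Microsoft's or the article's own code): restrict a Web App
// so it only answers requests that came through one specific Front Door.
// Resource names are assumptions.
param appName string = 'contoso-app-westeurope' // assumed backend Web App
param frontDoorName string = 'contoso-fd'        // assumed Front Door in the same resource group

// The Front Door whose unique ID the backend should trust.
resource frontDoor 'Microsoft.Network/frontDoors@2020-05-01' existing = {
  name: frontDoorName
}

resource app 'Microsoft.Web/sites@2022-03-01' existing = {
  name: appName
}

resource accessRestrictions 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: app
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      {
        // Network layer: only Front Door's edge address ranges may connect at all.
        ipAddress: 'AzureFrontDoor.Backend'
        tag: 'ServiceTag'
        action: 'Allow'
        priority: 100
        name: 'AllowFrontDoorOnly'
        // Application layer: the service tag is shared by every Front Door tenant,
        // so also require the header Front Door stamps with this instance's ID.
        headers: {
          'x-azure-fdid': [ frontDoor.properties.frontdoorId ]
        }
      }
      {
        // Explicit catch-all deny, so direct hits on *.azurewebsites.net get 403.
        ipAddress: 'Any'
        action: 'Deny'
        priority: 2147483647
        name: 'DenyAll'
      }
    ]
  }
}
```

Apply the same restriction to every backend in the pool; one region left open is enough to bypass the edge. If you don't use App Service, the equivalent is a network security group rule on the AzureFrontDoor.Backend service tag plus an X-Azure-FDID check in your own reverse proxy or application.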

With the shift away from monolithic applications to microservices and APIs, tools like Front Door are going to become increasingly attractive for end user access. They're easy to configure, easy to manage, and are relatively low-cost. Companies like Microsoft are using them to support their own users, offering services to remote workers without requiring the expense of private connections or the overhead of VPNs. If you're deploying modern cloud-first applications and using Azure Front Door or similar services to manage access, then there's no need to use SD-WANs to connect branch offices, or to partner sites.

As important as it is for managing public services and consumer applications, Azure Front Door has a big role to play in business. After all, your users are consumers too.