CloudWiki
Resource

Front Door

Microsoft Azure
Networking
Azure Front Door is a global, scalable, and secure service that provides load balancing, traffic routing, and application acceleration for web applications. It acts as a reverse proxy and distributes incoming traffic to multiple backend servers to improve the performance, availability, and security of web applications. Azure Front Door can be used to route traffic to different backend servers based on various criteria such as geographic location, latency, or URL path. It also provides built-in security features such as SSL termination, Web Application Firewall (WAF), and DDoS protection. Azure Front Door is built on top of the Azure global network, which enables it to provide low-latency, high-bandwidth connectivity to backend servers across the world. It also integrates with other Azure services such as Azure Web Apps, Azure Kubernetes Service (AKS), and Azure API Management, making it a versatile solution for modern web applications.‍
Terraform Name
terraform
azurerm_cdn_frontdoor_custom_domain
Config.
Costs
Best Practices
Blogs
Front Door
attributes:

The following arguments are supported:

  • name - (Required) The name which should be used for this Front Door Custom Domain. Possible values must be between 2 and 260 characters in length, must begin with a letter or number, end with a letter or number and contain only letters, numbers and hyphens. Changing this forces a new Front Door Custom Domain to be created.
  • cdn_frontdoor_profile_id - (Required) The ID of the Front Door Profile. Changing this forces a new Front Door Profile to be created.
  • host_name - (Required) The host name of the domain. The host_name field must be the FQDN of your domain(e.g. contoso.fabrikam.com). Changing this forces a new Front Door Custom Domain to be created.
  • dns_zone_id - (Optional) The ID of the Azure DNS Zone which should be used for this Front Door Custom Domain. If you are using Azure to host your DNS domains, you must delegate the domain provider's domain name system (DNS) to an Azure DNS Zone. For more information, see Delegate a domain to Azure DNS. Otherwise, if you're using your own domain provider to handle your DNS, you must validate the Front Door Custom Domain by creating the DNS TXT records manually.
  • tls - (Required) A tls block as defined below.

A tls block supports the following:

  • certificate_type - (Optional) Defines the source of the SSL certificate. Possible values include CustomerCertificate and ManagedCertificate. Defaults to ManagedCertificate.

NOTE:

It may take up to 15 minutes for the Front Door Service to validate the state and Domain ownership of the Custom Domain.

  • minimum_tls_version - (Optional) TLS protocol version that will be used for Https. Possible values include TLS10 and TLS12. Defaults to TLS12.
  • cdn_frontdoor_secret_id - (Optional) Resource ID of the Front Door Secret.

Associating resources with a
Front Door
Resources do not "belong" to a
Front Door
Rather, one or more Security Groups are associated to a resource.
Create
Front Door
via Terraform:
The following HCL manages a Front Door (standard/premium) Custom Domain
Syntax:

resource "azurerm_resource_group" "example" {
 name     = "example-cdn-frontdoor"
 location = "West Europe"
}

resource "azurerm_dns_zone" "example" {
 name                = "sub-domain.domain.com"
 resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_cdn_frontdoor_profile" "example" {
 name                = "example-profile"
 resource_group_name = azurerm_resource_group.example.name
 sku_name            = "Standard_AzureFrontDoor"
}

resource "azurerm_cdn_frontdoor_custom_domain" "example" {
 name                     = "example-customDomain"
 cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.example.id
 dns_zone_id              = azurerm_dns_zone.example.id
 host_name                = "contoso.fabrikam.com"

 tls {
   certificate_type    = "ManagedCertificate"
   minimum_tls_version = "TLS12"
 }
}

Create
Front Door
via CLI:
Parameters:

az network front-door create --backend-address
                            --name
                            --resource-group
                            [--accepted-protocols]
                            [--backend-host-header]
                            [--disabled {false, true}]
                            [--enforce-certificate-name-check {Disabled, Enabled}]
                            [--forwarding-protocol {HttpOnly, HttpsOnly, MatchRequest}]
                            [--friendly-name]
                            [--frontend-host-name]
                            [--interval]
                            [--no-wait]
                            [--path]
                            [--patterns]
                            [--probeMethod {GET, HEAD}]
                            [--protocol {Http, Https}]
                            [--send-recv-timeout]
                            [--tags]

Example:

az network front-door create --name MyFrontDoor --resource-group MyResourceGroup --frontend-endpoints MyFrontendEndpoint --backend-pools MyBackendPool --routing-rules MyRoutingRule

aws cost
Costs
Direct Cost
Indirect Cost
No items found.
Best Practices for
Front Door

Categorized by Availability, Security & Compliance and Cost

Medium
AMI (Amazon Machine Images) not in use
AWS Cost Optimization
APRA
AWS Well-Architected Framework
MAS
Medium
AMI (Amazon Machine Images) not in use (12 months)
AWS Cost Optimization
APRA
AWS Well-Architected Framework
MAS
High
AWS Config configuration changes alarm
Security & Compliance
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Access allowed from VPN
Security & Compliance
No items found.
Low
Auto Scaling Group not in use
Other
No items found.
Low
CloudTrail changes alarm
Security & Compliance
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Connections towards DynamoDB should be via VPC endpoints
Security & Compliance
No items found.
Medium
Connections towards S3 should be via VPC endpoint
Security & Compliance
CCPA
Medium
Container in CrashLoopBackOff state
Availability
No items found.
Low
Cross peering connectivity is allowed by EC2
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by ECS Task
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by Lambda
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by Pod
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by EC2
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by ECS
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by Lambda
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by Pod
Security & Compliance
CISAWSF
Medium
DynamoDB tables not in use
AWS Cost Optimization
AWS Well-Architected Framework
CIS 8
HITRUST
GDPR
Medium
EBS snapshots not in use
AWS Cost Optimization
AWS Well-Architected Framework
Medium
EBS volume not in use
AWS Cost Optimization
MAS
NIST4
AWS Well-Architected Framework
Low
EC2 large instance create alarm
Security & Compliance
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
EC2 should have a name set
Other
APRA
MAS
Critical
EC2 with Admin access (*:*)
Security & Compliance
CIS
GDPR
HITRUST
NIST 800-53
ISO 27701
Low
EC2 with GPU capabilities
AWS Cost Optimization
No items found.
Medium
EC2 with high privileged policies
Security & Compliance
No items found.
Medium
ECS cluster delete alarm
Availability
No items found.
Critical
ECS task with Admin access (*:*)
Security & Compliance
CIS
Medium
ECS task with high privileged policies
Security & Compliance
No items found.
Critical
EKS cluster delete alarm
Availability
No items found.
Medium
ELB not in use
AWS Cost Optimization
AWS Well-Architected Framework
Medium
ElastiCache cluster delete alarm
Availability
No items found.
Medium
Elastic IP not in use
AWS Cost Optimization
AWS Well-Architected Framework
CISAWSF
PCI-DSS
MAS
NIST4
Low
Ensure API Gateway has Content Encoding feature enabled
Other
MAS
NIST 800-53
NIST4
Medium
Ensure AWS Config is configured to include global resources
Security & Compliance
APRA
GDPR
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure AWS EKS cluster has secrets encryption enabled
Security & Compliance
CIS
CISAWSF
CIS EKS
HITRUST
NIST 800-53
Medium
Ensure Amazon MQ broker instances are using desired instance types
Security & Compliance
AWS Well-Architected Framework
Medium
Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled
Security & Compliance
APRA
CCPA
HITRUST
ISO 27001
MAS
Low
Ensure Amazon MQ brokers Log Exports feature is enabled
Security & Compliance
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Medium
Ensure Amazon MQ brokers are not publicly accessible
Security & Compliance
APRA
CCPA
CIS 8
GDPR
HIPAA
Critical
Ensure Amazon MQ brokers are not publicly accessible
Security & Compliance
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Amazon MQ brokers are using the active/standby deployment mode
Availability
CCPA
ISO 27001
NIST4
NIST 800-53
AWS Well-Architected Framework
Low
Ensure Amazon MQ brokers are using the latest engine version
Security & Compliance
APRA
HITRUST
MAS
PCI-DSS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
Security & Compliance
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Medium
Ensure Application Load Balancer (ALB) has access logging enabled
Security & Compliance
No items found.
Medium
Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
Security & Compliance
NIST 800-53
CSA CCM
AWS Foundational Security Best Practices Controls
Low
Ensure Auto-Tune feature is enabled in OpenSearch clusters
Other
No items found.
Medium
Ensure CloudFormation stacks Termination Protection feature is enabled
Security & Compliance
APRA
MAS
AWS Well-Architected Framework
Medium
Ensure CloudFormation stacks are sending event notifications to an SNS topic
Security & Compliance
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
Security & Compliance
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Medium
Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
Security & Compliance
PCI-DSS
HIPAA
Medium
Ensure CloudFront has WAF attached
Security & Compliance
NIST 800-53
AWS Foundational Security Best Practices Controls
Medium
Ensure CloudFront web distributions are configured to compress objects (files) automatically
AWS Cost Optimization
GDPR
NIST4
Medium
Ensure CloudFront web distributions enforce field-level encryption
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
HIPAA
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
Security & Compliance
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
High
Ensure CloudTrail buckets are configured to use MFA
Security & Compliance
APRA
MAS
NIST4
GDPR
HIPAA
Medium
Ensure CloudTrail logs are encrypted at rest
Security & Compliance
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
High
Ensure CloudTrail trails have multi-region enabled
Security & Compliance
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
High
Ensure CloudTrail trails record global service events
Security & Compliance
APRA
PCI-DSS
GDPR
NIST4
MAS
Medium
Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs
Security & Compliance
CISAWSF
PCI-DSS
GDPR
APRA
MAS
Medium
Ensure Container liveness probe is configured
Availability
No items found.
Low
Ensure Container readiness probe is configured
Availability
No items found.
Critical
Ensure DMS instances are not accessible via Internet (Network and API)
Security & Compliance
CIS
SOC2
PCI-DSS
FedRAMP
AWS Well-Architected Framework
High
Ensure Database Migration Service (DMS) are not publicly accessible
Security & Compliance
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations
Availability
NIST4
Medium
Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled
Security & Compliance
APRA
MAS
NIST4
Low
Ensure DocumentDB clusters have Log Exports feature enabled
Security & Compliance
APRA
Medium
Ensure DocumentDB database clusters have a minimum backup retention period
Other
NIST4
AWS Well-Architected Framework
Critical
Ensure DocumentDB database instances are not accessible via Internet (Network and API)
Security & Compliance
CIS
SOC2
PCI-DSS
Critical
Ensure DocumentDB database instances have storage encryption enabled
Security & Compliance
GDPR
NIST4
NIST 800-53
HIPAA
MAS
High
Ensure DocumentDB volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Cost Optimization
AWS Well-Architected Framework
Low
Ensure DynamoDB Tables are encrypted with customer managed key
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Medium
Ensure DynamoDB tables have point in time recovery enabled
Availability
SOC2
GDPR
HITRUST
NIST 800-53
NIST4
Medium
Ensure EBS snapshots are encrypted
Security & Compliance
PCI-DSS
GDPR
HIPAA
NIST4
HITRUST
Critical
Ensure EBS snapshots are not publicly accessible
Security & Compliance
GDPR
NIST4
PCI-DSS
AWS Well-Architected Framework
HITRUST
Medium
Ensure EBS volumes are encrypted
Security & Compliance
APRA
MAS
NIST4
CIS
ISO 27001
Medium
Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Cost Optimization
AWS Well-Architected Framework
Medium
Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of io1
AWS Cost Optimization
AWS Well-Architected Framework
Critical
Ensure EC2 AMIs are not publicly accessible
Security & Compliance
GDPR
APRA
MAS
NIST4
CIS 8
Medium
Ensure EC2 instance uses an IAM profile
Security & Compliance
APRA
CISAWSF
MAS
NIST4
Medium
Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
Security & Compliance
AWS Foundational Security Best Practices Controls
NIST 800-53
HITRUST
Medium
Ensure ECS task definition has memory limit
Availability
No items found.
High
Ensure EFS file systems are encrypted
APRA
MAS
NIST4
GDPR
HIPAA
High
Ensure EFS file systems are encrypted using KMS CMK customer-managed keys
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
Low
Ensure EKS Private access is enabled
Security & Compliance
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure EKS Public access is disabled
Security & Compliance
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure EKS Public access is restricted to specific sources
Security & Compliance
ISO 27001
Low
Ensure EMR cluster archive log files to S3
Other
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Critical
Ensure EMR cluster master nodes are not publicly accessible
Security & Compliance
No items found.
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
Security & Compliance
HIPAA
GDPR
NIST4
APRA
HITRUST
Critical
Ensure ElastiCache Redis clusters are encrypted in-transit
Security & Compliance
HIPAA
GDPR
HITRUST
NIST 800-53
APRA
Low
Ensure ElastiCache Redis clusters have automatic backup turned on
Availability
No items found.
Medium
Ensure Geo-Restriction is enabled within CloudFront distribution
Security & Compliance
GDPR
Medium
Ensure IAM Group has no inline policy
Security & Compliance
APRA
MAS
NIST4
FedRAMP
Medium
Ensure IAM Role has no inline policy
Security & Compliance
APRA
AWS Well-Architected Framework
MAS
NIST4
FedRAMP
Medium
Ensure IAM User has no inline policy
Security & Compliance
APRA
AWS Well-Architected Framework
CISAWSF
SOC2
MAS
Critical
Ensure IAM password policy expires passwords within 90 days or less
Security & Compliance
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Low
Ensure IAM password policy has expiration period
Security & Compliance
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Medium
Ensure IAM password policy prevents password reuse
Security & Compliance
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Medium
Ensure IAM password policy require at least one lowercase letter
Security & Compliance
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
We haven't write about
Front Door
yet.
View all blog posts ->
More from
Microsoft Azure
PostgreSQL
AKS
Cosmos DB
Cache for Redis
Queue Storage
Files
Data Lake Storage
Blob Storage
Function App
Front Door
Firewall Policy Rule Collection Group
Firewall Policy
Firewall
CDN Profile
Bot
App-Service Plan
SQL Server
SQL Database
Domain Service
User
Group
Role Definition
Active Directory
Disk Storage
Image
Storage Account
Snapshot
Network Interface
Network Security Group
Resource Group
Route Table
Subnet
Virtual Network
Virtual Machine