DEV Community

iapilgrim

Phase 2 — Global Routing with Azure Front Door (Standard) Using Azure CLI

In Phase 1, we deployed regional App Services.

In Phase 2, we elevate the architecture:

🌎 Add a global entry point
πŸ” Terminate TLS at the edge
πŸš€ Route traffic intelligently to regional backends

All using Azure CLI in Cloud Shell.


🧠 Architecture Goal

We want this flow:

User
  ↓
Azure Front Door (Global Edge)
  ↓
Origin Group
  ↓
App Service (SEA)

Even with a single region (quota constraints), this gives us:

  • Global Anycast entry
  • Edge TLS termination
  • Health-probe-based routing
  • Future-ready multi-region expansion

πŸ— Phase 2 Resources

Inside one Resource Group:

  • Azure Front Door Profile (Standard)
  • Endpoint
  • Origin Group
  • Origin (App Service)
  • Route
  • App Service (SEA region)

🚀 Step 1 — Create Front Door Profile

RG=rg-afd-lab
PROFILE_NAME=afd-profile
ENDPOINT_NAME=afd-endpoint

az afd profile create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --sku Standard_AzureFrontDoor

🌐 Step 2 — Create Endpoint

az afd endpoint create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  --enabled-state Enabled

Get hostname:

az afd endpoint show \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  --query hostName -o tsv

You’ll get:

<endpoint>.z01.azurefd.net

🎯 Step 3 — Create Origin Group

ORIGIN_GROUP=app-origin-group

az afd origin-group create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --origin-group-name $ORIGIN_GROUP \
  --probe-request-type GET \
  --probe-protocol Https \
  --probe-path "/" \
  --probe-interval-in-seconds 30

This enables health checks every 30 seconds on /.


🖥 Step 4 — Add App Service as Origin

az afd origin create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --origin-group-name $ORIGIN_GROUP \
  --origin-name sea-origin \
  --host-name app-sea-3446.azurewebsites.net \
  --origin-host-header app-sea-3446.azurewebsites.net \
  --priority 1 \
  --weight 1000 \
  --enabled-state Enabled

Important:

  • origin-host-header must match the App Service hostname
  • HTTPS certificate name check is enforced by default

🛣 Step 5 — Create Route (Critical)

This is where many people hit issues.

⚠ In Standard SKU, you MUST link the route to a domain.

az afd route create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  --route-name app-route \
  --origin-group $ORIGIN_GROUP \
  --supported-protocols Http Https \
  --patterns-to-match "/*" \
  --forwarding-protocol MatchRequest \
  --https-redirect Enabled \
  --link-to-default-domain Enabled

If you omit:

--link-to-default-domain Enabled

You’ll get:

(BadRequest) At least one domain is required for the route.

🧪 Step 6 — Validate Deployment

Check route:

az afd route list \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  -o table

You want:

ProvisioningState = Succeeded
DeploymentStatus = Succeeded

If you see:

DeploymentStatus = NotStarted

Trigger activation:

curl https://<endpoint-hostname>

Front Door deploys globally on first traffic.

If everything succeeds, we'll see something like this:

[ ~ ]$ curl -s  https://afd-endpoint-dxd8bebma8dbdsed.z01.azurefd.net

Hello from Southeast Asia
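
Added example (not part of the original post): a POSIX shell check that goes one step past reading the table by eye. It flags routes that are not live yet, and routes whose protocol settings would let plaintext HTTP through, which matters once TLS is meant to terminate at the edge. The column layout, the `--query` expression in the comment, and the routes `new-route` and `legacy-route` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits Front Door routes from TSV,
# one route per line, with these columns:
#   name  provisioningState  deploymentStatus  supportedProtocols  httpsRedirect  forwardingProtocol
# Assumed way to produce that TSV from the CLI:
#   az afd route list --resource-group "$RG" --profile-name "$PROFILE_NAME" \
#     --endpoint-name "$ENDPOINT_NAME" -o tsv --query \
#     "[].[name,provisioningState,deploymentStatus,join(',',supportedProtocols),httpsRedirect,forwardingProtocol]"

audit_routes() {
  # Reads TSV on stdin and prints one "<route>: <finding>" line per problem,
  # or "<route>: ok" when nothing is flagged.
  awk -F '\t' '
    {
      n = 0
      if ($2 != "Succeeded") { print $1 ": provisioningState=" $2; n++ }
      if ($3 != "Succeeded") { print $1 ": deploymentStatus=" $3; n++ }
      # HTTP accepted at the edge with no redirect: clients can stay on plaintext.
      if ($4 ~ /(^|,)Http(,|$)/ && $5 != "Enabled") { print $1 ": http-without-redirect"; n++ }
      # HttpOnly forwarding sends edge-to-origin traffic unencrypted.
      if ($6 == "HttpOnly") { print $1 ": plaintext-to-origin"; n++ }
      if (n == 0) print $1 ": ok"
    }'
}

# Constructed sample: the route from Step 5, a route that has not reached the
# edge yet, and a hypothetical misconfigured route.
SAMPLE_ROUTES=$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  app-route    Succeeded Succeeded  Http,Https Enabled  MatchRequest \
  new-route    Succeeded NotStarted Http,Https Enabled  MatchRequest \
  legacy-route Succeeded Succeeded  Http,Https Disabled HttpOnly)

printf '%s\n' "$SAMPLE_ROUTES" | audit_routes
```

With the Step 5 settings (`--https-redirect Enabled` plus `--forwarding-protocol MatchRequest`), HTTP requests are redirected before forwarding, so `app-route` passes.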

πŸ” Troubleshooting 404 Errors

If you see:

404 Not Found
X-Cache: CONFIG_NOCACHE

That means:

Route not fully deployed to edge yet.

It is NOT your backend.

Verify backend:

curl -I https://app-sea-3446.azurewebsites.net


If backend returns 200, the issue is route activation.

If route gets stuck:

az afd route delete ...
az afd route create ...

Recreating the route forces global redeployment.
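
Added example (not part of the original post): the triage rule from this section as a POSIX shell helper that takes two `curl -sI` header dumps, one from the Front Door endpoint and one from the App Service, and returns a verdict. The function names, verdict strings, `EDGE_HOST`/`ORIGIN_HOST` variables and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Real use (EDGE_HOST and ORIGIN_HOST are hypothetical variables):
#   diagnose "$(curl -sI "https://$EDGE_HOST")" "$(curl -sI "https://$ORIGIN_HOST")"

status_of() {   # status code of the last response in a header dump
  printf '%s\n' "$1" | tr -d '\r' | awk '/^HTTP\// { code = $2 } END { print code }'
}

header_of() {   # value of header $2 (case-insensitive) in header dump $1
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    { i = index($0, ":") }
    i && tolower(substr($0, 1, i - 1)) == tolower(want) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v)
    }
    END { print v }'
}

diagnose() (    # $1 = edge headers, $2 = origin headers; subshell keeps vars local
  edge=$(status_of "$1"); origin=$(status_of "$2"); xcache=$(header_of "$1" X-Cache)
  if [ "$edge" = 200 ]; then
    echo ok
  elif [ "$origin" != 200 ]; then
    echo check-backend            # the App Service itself is not answering 200
  elif [ "$edge" = 404 ] && [ "$xcache" = CONFIG_NOCACHE ]; then
    echo route-not-deployed       # backend is fine, edge has no route config yet
  else
    echo inconclusive
  fi
)

# Constructed sample headers (CRLF line endings, as curl prints them).
EDGE_404=$(printf 'HTTP/2 404 \r\ncontent-type: text/html\r\nx-cache: CONFIG_NOCACHE\r\n')
EDGE_200=$(printf 'HTTP/2 200 \r\ncontent-type: text/html\r\n')
ORIGIN_200=$(printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n')
ORIGIN_503=$(printf 'HTTP/1.1 503 Service Unavailable\r\n')

echo "edge 404 + CONFIG_NOCACHE, origin 200 -> $(diagnose "$EDGE_404" "$ORIGIN_200")"
echo "edge 404 + CONFIG_NOCACHE, origin 503 -> $(diagnose "$EDGE_404" "$ORIGIN_503")"
echo "edge 200, origin 200                  -> $(diagnose "$EDGE_200" "$ORIGIN_200")"
```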


📊 Health Probe Verification

Check origin group:

az afd origin-group show \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --origin-group-name $ORIGIN_GROUP

You should see:

"probePath": "/",
"probeProtocol": "Https",
"provisioningState": "Succeeded"

🧱 Final Working Architecture

Internet
   ↓
Azure Front Door Edge (Anycast)
   ↓
Origin Group
   ↓
App Service (SEA)

Even with one region, you now have:

  • Global entry point
  • Edge TLS termination
  • Health-probe routing
  • Production-ready structure
  • Multi-region expansion capability

🧠 What We Learned

Key lessons from Phase 2:

  1. Standard SKU requires domain linkage for routes
  2. DeploymentStatus = NotStarted means edge not activated
  3. CONFIG_NOCACHE 404 is configuration-level, not backend
  4. Route object triggers global edge deployment
  5. Health probes must succeed before activation

🚀 What’s Next (Phase 3)

In Phase 3 we can add:

  • πŸ” Web Application Firewall (WAF)
  • 🌍 Custom domain + managed TLS
  • 📊 Azure Monitor diagnostics
  • Active/Passive failover
  • 🌎 Multi-region scaling
