front-door-routing-architecture.md

title: Azure Front Door - routing architecture | Microsoft Docs
description: This article helps you understand the global view aspect of Front Door's architecture.
services: front-door
documentationcenter:
author: duongau
ms.service: frontdoor
ms.topic: article
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 01/27/2022
ms.author: duau
zone_pivot_groups: front-door-tiers

Routing architecture overview

Front Door traffic routing takes place over multiple stages. First, traffic is routed from the client to Front Door. Then, Front Door uses your configuration to determine the origin to send the traffic to. The Front Door web application firewall, routing rules, rules engine, and caching configuration all affect the routing process.

The following diagram illustrates the routing architecture:

::: zone pivot="front-door-standard-premium"

Diagram that shows the Front Door routing architecture, including each step and decision point.

::: zone-end

::: zone pivot="front-door-classic"

Diagram that shows the Front Door routing architecture, including each step and decision point.

::: zone-end

The rest of this article describes these steps in detail.

Select and connect to the Front Door edge location

The user or client application initiates a connection to Front Door. The connection terminates at an edge location close to the user. Front Door's edge location processes the request.

For more information about how requests are made to Front Door, see Front Door traffic acceleration.

::: zone pivot="front-door-standard-premium"

Match request to a Front Door profile

When Front Door receives an HTTP request, it uses the request's Host header to match the request to the correct customer's Front Door profile. If the request is using a custom domain name, the domain name must be registered with Front Door to enable requests to get matched to your profile.

::: zone-end

::: zone pivot="front-door-classic"

Match request to a front door

When Front Door receives an HTTP request, it uses the request's Host header to match the request to the correct customer's Front Door instance. If the request is using a custom domain name, the domain name must be registered with Front Door to enable requests to get matched to your front door.

::: zone-end

The client and server perform a TLS handshake using the TLS certificate you've configured for your custom domain name, or by using the Front Door certificate when the Host header ends with *.azurefd.net.

Evaluate WAF rules

::: zone pivot="front-door-standard-premium"

If your domain has enabled the Web Application Firewall, WAF rules are evaluated.

::: zone-end

::: zone pivot="front-door-classic"

If your frontend has enabled the Web Application Firewall, WAF rules are evaluated.

::: zone-end

If a rule has been violated, Front Door returns an error to the client and the request processing stops.

::: zone pivot="front-door-standard-premium"

Match a route

Front Door matches the request to a route. Learn more about the route matching process.

The route specifies the origin group that the request should be sent to.

::: zone-end

::: zone pivot="front-door-classic"

Match a routing rule

Front Door matches the request to a routing rule. Learn more about the route matching process.

The routing rule specifies the backend pool that the request should be sent to.

::: zone-end

::: zone pivot="front-door-standard-premium"

Evaluate rule sets

If you have defined rule sets for the route, they're executed in the order they're configured. Rule sets can override the origin group specified in a route. Rule sets can also trigger a redirection response to the request instead of forwarding it to an origin.

::: zone-end

::: zone pivot="front-door-classic"

Evaluate rules engines

If you have defined rules engines for the route, they're executed in the order they're configured. Rules engines can override the backend pool specified in a routing rule. Rules engines can also trigger a redirection response to the request instead of forwarding it to a backend.

::: zone-end

Return cached response

::: zone pivot="front-door-standard-premium"

If the Front Door routing rule has caching enabled, and the Front Door edge location's cache includes a valid response for the request, then Front Door returns the cached response.

If caching is disabled or no response is available, the request is forwarded to the origin.

::: zone-end

::: zone pivot="front-door-classic"

If the Front Door routing rule has caching enabled, and the Front Door edge location's cache includes a valid response for the request, then Front Door returns the cached response.

If caching is disabled or no response is available, the request is forwarded to the backend.

::: zone-end

::: zone pivot="front-door-standard-premium"

Select origin

Front Door selects an origin to use within the origin group. Origin selection is based on several factors, including:

Forward request to origin

Finally, the request is forwarded to the origin.

::: zone-end

::: zone pivot="front-door-classic"

Select backend

Front Door selects a backend to use within the backend pool. Backend selection is based on several factors, including:

Forward request to backend

Finally, the request is forwarded to the backend.

::: zone-end
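
The following Python model is an added illustration, not part of the original article and not Front Door's implementation. It walks a request through the Standard/Premium stages in the order described above and reports which stage decided the outcome. The `Profile` shape, the `process` function, the prefix-based WAF stand-in, and longest-prefix route matching are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:                          # hypothetical config shape, not Front Door's API
    domains: set                        # hostnames registered with this profile
    routes: dict                        # path prefix -> origin group
    waf_enabled: bool = False
    waf_blocked_prefixes: tuple = ()    # stand-in for real WAF rules
    rule_sets: list = field(default_factory=list)  # callables, in configured order
    caching: bool = False
    cache: dict = field(default_factory=dict)      # (host, path) -> response

def process(profiles, host, path):
    """Return (stage that decided the outcome, detail) for one request."""
    # Match the Host header to a profile; unregistered domains never match.
    profile = next((p for p in profiles if host in p.domains), None)
    if profile is None:
        return ("profile-match", "host not registered")
    # WAF runs before routing and caching; a violation stops processing.
    if profile.waf_enabled and path.startswith(profile.waf_blocked_prefixes):
        return ("waf", "error returned to client")
    # Route match (assumption: longest path prefix wins; the article defers details).
    prefix = max((r for r in profile.routes if path.startswith(r)), key=len, default=None)
    if prefix is None:
        return ("route-match", "no route")
    origin_group = profile.routes[prefix]
    # Rule sets run in order; they may redirect or override the origin group.
    for rule in profile.rule_sets:
        kind, value = rule(path) or (None, None)
        if kind == "redirect":
            return ("rule-set", value)
        if kind == "override-origin-group":
            origin_group = value
    # A valid cached response is returned without contacting the origin.
    if profile.caching and (host, path) in profile.cache:
        return ("cache", profile.cache[(host, path)])
    return ("origin", origin_group)

# Constructed sample configuration (all values are made up for the example).
SAMPLE = Profile(
    domains={"www.example.com"},
    routes={"/": "web-origins", "/api/": "api-origins"},
    waf_enabled=True, waf_blocked_prefixes=("/admin",),
    rule_sets=[lambda p: ("redirect", "/new/") if p.startswith("/old/") else None,
               lambda p: ("override-origin-group", "static-origins") if p.endswith(".png") else None],
    caching=True, cache={("www.example.com", "/admin/logo.png"): "cached body",
                         ("www.example.com", "/index.html"): "cached body"},
)
```

In the sample, `/admin/logo.png` has a cached entry but is still stopped at the WAF stage, because WAF evaluation comes before the cache lookup in the order this article gives.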
