During lockdown I tried out how Azure Front Door works. It is another member of Azure load balancers and traffic routers world but it is global and designed for web applications. My only interest was to see how it works and if it is just for commercial sites or does it also fit for private WordPress blogs like I have. It was interesting journey full of of surprises and here’s the overview of what I did and how things worked out.
What is Azure Front Door?
To understand what is Azure Front Door let’s jump to documentation. Azure Front Door enables you to define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability. With Front Door, you can transform your global (multi-region) consumer and enterprise applications into robust, high-performance personalized modern applications, APIs, and content that reaches a global audience with Azure.
Azure Front Door is Layer 7 network service having the following nice features:
- SSL offload and application acceleration at the edge close to end users
- Global HTTP load balancing with instant failover
- Actionable insights about your users and back ends
- Web Application Firewall (WAF) and DDoS Protection
- Central control plane for traffic orchestration
Important thing to understand is the fact that Azure Front Door is not bound to any specific region. By example, Azure Front Door service can be used for high-availability across multiple Azure regions like shown on the following diagram.
Run a web application in multiple Azure regions for high availability.
One interesting thing is that Azure Front Door works similar to Azure CDN. It uses same Point-of-Presence (PoP) servers as Azure CDN meaning that your content will be close to visitors all over the world.
Hosting WordPress behind Azure Front Door
When it comes to hosting WordPress on Azure there are some options to consider.
- Azure App Service – together with Azure SQL for MySQL it can come pretty expensive. Still you have to understand that these services are stable and highly scalable. Azure engineers are the ones who keep those services alive and you don’t need any task force on your side.
- Virtual Machines – if you want to control almost everything and keep costs down then you can go with small Linux virtual machines on Azure. It means more work for you as virtual machines are your own responsibility. Also you are in judge on managing all other services around them.
Azure App Service with database is very straight-forward to understand if we are talking about getting things running. Virtual machines are different story. Here’s one possible idea how VM-s can be set up.
NginX serves as caching reverse proxy before WordPress machines. It’s the only VM that has unrestricted public access. All otger VM-s are no accessible from public internet. Blob storage and Azure CDN can be used for all static assets in wp-content folder to keep load away from small VM-s.
Our Azure Front Door and WAF cloud architecture for WordPress VM-s solution is shown on the following diagram.
Notice that there’s no more NginX and load balancing is done by Azure Front Door.
Setting up Azure Front Door
Load balancing with NginX is great but there’s one issue – it’s regional and not global. Setting up our own NginX to every region of Azure is out of question. It will be expensive and I’m sure that it needs close monitoring even after all pieces of puzzle start work together as one system. This is where Azure Front Door comes to help.
Azure Front Door service is set up with three steps:
- Frontend/domains – these are domains that later have CNAME record to Azure Front End end-point.
- Backend pools – pools on backend servers where requests are sent. It can be just one server but it can be also cluster of servers. For simple WordPress blog one backend pool is enough. I have one backend pool and two WordPress servers in pool.
- Routing rules – here you can decide which URL ends in which backend pool. When you create service then default rule is created automatically. You can add more rules later if needed.
I don’t go through all steps as they are documented very well by Microsoft. There are some things to consider when setting up the service.
- Custom domains are supported but you can add one after service is created for you. For custom domain you need also certificate. If you don’t have one you can let Azure Front Door set up one for you. If you have certificate in Azure Key Vault then you must add Azure Front Door service as a user of your key vault.
- Backend pool servers running WordPress doesn’t necessarily need caching plugins to be activated. If you need to use one then make sure that they share page cache. Otherwise your pages get easily out of sync. Making WordPress output caches share disk space is not easy thing to do and I finally gave up.
- Load balancing – if you don’t have previous experiences with load balancers then leave these settings as they are. These are good defaults for most of scenarios. Read carefully about healt probes later in this post to avoid some dark surprises.
- Caching – I enabled caching and made it ignore query strings. I can access backend pool machines directly and I don’t want requests from public space to be able to ask too much from server. Ignoring query strings helps avoid different attacks but be aware – purging of content is up to you.
- Allow Azure Front Door IP-s in your firewall if you are using virtual network. Just add IP range 126.96.36.199/16 to list of allowed IP-s to your firewall. Without this Azure Front Door cannot check for servers health and server content from backend pool.
When everything is set up and configured it’s time see the results.
As we can now push our content close to our visitors there are some visible benefits we will see pretty soon after Azure Front Door is in action. Take a look at the following global ping charts comparing situation before and after enabling Azure Front Door.
It’s rougly taken a 3.5 times improvement in ping times. So, depending where your WordPress site is geographically hosted, you just made a favor to your readers in all other regions in the world.
For mobile devices my blog PageSpeed Insights score went up from 66% to 74% after moving to Azure Front Door. It is for pages served from PoP servers cache. I don’t know exactly how much this number affects SEO but Google said years ago that page opening speed will matter in future (Speed is now a landing page factor for Google Search and Ads).
Configuring Azure Web Application Firewall
Web Application Firewall (WAF) is Azure offering for web applications. WAF protects web applications from all kind of attacks, including DDoS attacks. WAF works either in protection or detection mode. Detection mode means that WAF only logs suspicious things but doesn’t involve itself. In prevention mode WAF takes action when dangerous request is coming in.
WAF is able to handle attack like cross-site scripting, Java attacks, local file inclusion, PHP injection attacks, remote command execution, remote file inclusion, session fixation, SQL injection attacks and protocol attacks.
Azure Web Application Firewall (WAF) on Azure Front Door. This image is taken from
Azure Front Door documentation page Azure Web Application Firewall on Azure Front Door.
I was first a little suspicious about WAF as it comes with its own price that is not so easy to estimate. This far my NginX was able to survive all anomalies with ease and I didn’t saw much point to enable WAF. I have set of rules defined for WordPress and this has been good enough security net for me this far. But I decided to give WAF a try and I had some good surprises.
The following chart illustrates requests to Azure Front Door end-point. Blue line shows requests sent to backend pool – WordPress cluster. Red line shows all requests that came in to Azure Front Door end-point and dark blue line is the number of requests handled by WAF.
From numbers you see that caching has great impact on how much requests land in backend pool. From web server logs I see that WAF stops almost all weird requests to WordPress. I’m not sure how it’s done but it seems to be really effective on protecting web applications.
Spam stopped immediately! It was normal that Akismet stopped ~100 spam comments per day before lockdown. During lockdown spammers activated and the number of spam doubled up. After enabling WAF there was only one spam message per 48h.
I was actually blown away as I didn’t expect WAF to be so effective.
Be careful with health probes
When I got Azure Front Door up and running I was blown away of load coming to machines in my WordPress cluster. I mean behing NginX the cluster was mostly calm and there was almost no load on WordPress VM-s. I checked web server logs and found out that there are many requests coming in from Azure Front Door PoP servers.
Well… by default health probe requests go to address “/” and interval is 30 seconds. No big deal, you want to say. But it is because all PoP servers use these settings to poll your backend pool. There’s a blog post Beware the non-obvious costs of Azure Front Door by Brett McKenzie where he calculated that healt proble pings came in from ~80 servers across the globe. By documentation there are 129 PoP locations, so I think Brett didn’t saw the full fury of the service.
Solution is simple – make health checks as small as possible. It works well if you set up some empty or one byte file and increase polling period. If your WordPress site is not mission critial then polling interval can be more than 30 seconds. Blog post Real World Cloud Migrations: Azure Front Door for global HTTP and path based load-balancing by Scott Hanselman goes with 255 seconds – it’s a maximum interval.
This issue came to me as a real surprise. I wasn’t able to believe that PoP servers come to poll your site one by one. I first thought that it’s a Front Door service that makes health probe polls and broadcasts results to PoP servers but no. Okay, we can live with this if we don’t let poll requests to anything big or resource consuming. Still for me it’s the annoying fact to live with.
All kind of load balancing on Azure is pricy if we are talking about sites that doesn’t generate a big buck. For simple blogs like I have Azure Front Door would be total overkill on pricing. But for mission critical applications I would use it together with WAF as they work actually well.
So, how much Azure Front Door adds to monthly bill?
In my case it would be around 45 EUR/month.
For commercial site this number is actually small, almost nothing. For private blog it’s too much – you know, it’s 40 discounted beers per month, ooops, lets’s get back to NginX… :) After moving back to NginX it took few hours and Akismet started catching spam again. But during WAF times it was soooo quiet.
Azure Front Door is great service for commercial web sites with more complex topology, fault tolerance or geo-distribution. It may feel pricy for private sites but for commercial sites making normal money it’s nothing. Just imagine other ways to build up something like this on Azure. It would be hell load of complex work and I’m sure it will be more expensive that going with Azure Front Door and WAF. I was actually surprised how easy it was to get Azure Front Door + WAF up and running. It took just few hours but it was my first time to set it up. WAF works well and stops most of malicious requests. I think for global and mission critical sites Azure Front Door with WAF is perfect choice.
- Azure Front Door homepage
- What is Azure Front Door? (Official documentation)
- Azure Web Application Firewall on Azure Front Door (Official documentation)
- Run a web application in multiple Azure regions for high availability (Official documentation)
- Hosting WordPress on Azure (Gunnar Peipman)