RoboDodd

Recover from Azure Front Door Outages: A Quick Guide

Recover from an Azure Front Door outage fast by routing traffic through Application Gateway, then add Traffic Manager for automatic failover and resilience.


The Problem: If you’re experiencing an Azure Front Door outage today and you’re routing traffic from Azure Front Door CDN to a storage account, you need a fast recovery solution to keep your site or application accessible.

The Solution: Set up an Azure Application Gateway with an SSL/TLS certificate and configure it to point directly to your Azure Storage account as a temporary (or permanent) failover solution.

Prerequisites

  • An active Azure subscription
  • An Azure Storage account with static website hosting enabled
  • A custom domain (optional, but recommended)
  • SSL/TLS certificate for your domain

Step-by-Step Recovery Process

Step 1: Prepare Your Azure Storage Account

  1. Navigate to your Storage Account in the Azure Portal
  2. Ensure Static website hosting is enabled under Settings
  3. Note your storage account’s primary endpoint (e.g., https://yourstorageaccount.z13.web.core.windows.net)

Step 2: Create an Azure Application Gateway

  1. In the Azure Portal, search for “Application Gateway” and click Create
  2. Fill in the basic configuration:
    • Name: Choose a descriptive name (e.g., myapp-recovery-appgw)
    • Region: Select the same region as your storage account or closest to your users
    • Tier: Standard V2 or WAF V2 (depending on your needs)
    • Enable autoscaling: Optional, based on your traffic patterns

Step 3: Configure Frontend IP and Listener

  1. Frontend IP Configuration:
    • Create a new public IP address or select an existing one
  2. Add a Listener:
    • Protocol: HTTPS (or HTTP if testing)
    • Port: 443 (or 80 for HTTP)
    • Upload your SSL/TLS certificate or use Azure-managed certificates
    • Enter your custom domain name

Step 4: Configure Backend Pool

  1. In the Backend Pools section, click Add
  2. Target type: Select “IP address or FQDN”
  3. Enter your storage account’s static website endpoint (without https://)
    • Example: yourstorageaccount.z13.web.core.windows.net

Step 5: Configure HTTP Settings

  1. Create a new HTTP setting:
    • Protocol: HTTPS
    • Port: 443
    • Backend hostname: Select “Override with specific domain name”
    • Enter your storage account endpoint
    • Enable “Use well known CA certificate”

Step 6: Create Routing Rule

  1. Connect your listener to the backend pool
  2. Associate the HTTP settings you created
  3. Save the configuration

Step 7: Update DNS Records

  1. Go to your DNS provider
  2. Update your domain’s A record or CNAME to point to the Application Gateway’s public IP or FQDN
  3. DNS propagation typically takes 5-15 minutes

Testing Your Setup

  • Access your domain and verify the site loads correctly
  • Check SSL certificate validity
  • Test multiple pages/routes to ensure proper routing

Additional Considerations

Cost: Application Gateway pricing differs from Front Door. Monitor your costs during the outage.

Performance: Application Gateway doesn’t include CDN caching like Front Door. Consider implementing Azure CDN in front of Application Gateway if you need caching.

Long-term Strategy: Once Azure Front Door is restored, you can either:

  • Switch back to Front Door
  • Keep Application Gateway as a permanent failover option
  • Maintain both for redundancy

Long-Term Solution: Implement Azure Traffic Manager for High Availability

For a more resilient architecture going forward, consider implementing Azure Traffic Manager to automatically route traffic between multiple endpoints. This gives you built-in failover capabilities and prevents future outages from impacting your users.

Why Azure Traffic Manager?

Azure Traffic Manager acts as a DNS-based load balancer that can:

  • Automatically detect endpoint health and route traffic to healthy endpoints
  • Provide failover between Azure Front Door and Application Gateway
  • Support multiple routing methods (priority, weighted, geographic, etc.)
  • Deliver high availability without manual DNS changes during outages

Setting Up Traffic Manager for Failover

  1. Create a Traffic Manager Profile:
    • Navigate to Traffic Manager in Azure Portal
    • Choose Priority routing method for failover scenarios
    • Configure DNS TTL (lower values = faster failover, but more DNS queries)
  2. Add Endpoints:
    • Primary Endpoint: Your Azure Front Door instance (Priority 1)
    • Secondary Endpoint: Your Application Gateway (Priority 2)
    • You can also add your Storage Account’s static website endpoint as a tertiary backup (Priority 3)
  3. Configure Health Checks:
    • Set up custom probe paths (e.g., /health or /index.html)
    • Define probe interval and timeout values
    • Traffic Manager will automatically fail over if the primary endpoint fails health checks
  4. Update Your DNS:
    • Point your custom domain’s CNAME to the Traffic Manager profile (e.g., yourapp.trafficmanager.net)
    • Traffic Manager handles routing to the appropriate backend based on health and priority
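
The same Traffic Manager setup expressed as Azure CLI commands, added here as an example and not part of the original article. The resource group, profile name, domain, endpoint hostnames and probe values are placeholder assumptions; the script prints the commands by default and only runs them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: priority-failover Traffic Manager profile via Azure CLI.
# Every name and hostname below is a placeholder assumption.
RG="${RG:-rg-web}"
PROFILE="${PROFILE:-myapp-failover}"
DOMAIN="${DOMAIN:-www.example.com}"
AFD_HOST="${AFD_HOST:-myapp.azurefd.net}"
APPGW_HOST="${APPGW_HOST:-myapp-recovery-appgw.example.cloudapp.azure.com}"

# Dry run by default: print each command. Set APPLY=1 to execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Profile: Priority routing, 30 s DNS TTL, HTTPS probe of /index.html.
# interval/timeout/max-failures are example values; tune them to your needs.
# The probe carries the custom domain as Host header so a listener bound
# to that hostname (Step 3) matches the probe request.
create_profile() {
  run az network traffic-manager profile create \
    --resource-group "$RG" --name "$PROFILE" \
    --routing-method Priority --unique-dns-name "$PROFILE" --ttl 30 \
    --protocol HTTPS --port 443 --path /index.html \
    --interval 10 --timeout 5 --max-failures 2 \
    --custom-headers "host=$DOMAIN"
}

# add_endpoint <name> <target-fqdn> <priority>; the lowest number is preferred.
add_endpoint() {
  run az network traffic-manager endpoint create \
    --resource-group "$RG" --profile-name "$PROFILE" \
    --type externalEndpoints --name "$1" --target "$2" --priority "$3"
}

# Front Door is primary, Application Gateway is the failover target.
build_failover() {
  create_profile
  add_endpoint front-door "$AFD_HOST" 1
  add_endpoint app-gateway "$APPGW_HOST" 2
}

build_failover
```

Resolvers and clients keep the cached answer until the DNS TTL expires, so failover takes effect only after the probes have marked the primary unhealthy and the TTL has run out.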

Benefits of This Architecture

  • Automatic Failover: No manual intervention needed during outages
  • Always-On Availability: Traffic automatically routes to healthy endpoints
  • Flexible Routing: Can implement geographic routing, weighted distribution, or performance-based routing
  • Cost-Effective: Traffic Manager pricing is minimal compared to downtime costs
  • Easy Testing: Can easily test failover by disabling endpoints

Your Domain (CNAME)
        ↓
Azure Traffic Manager (DNS-based routing)
        ↓
    ┌───┴───┐
    ↓       ↓
Priority 1  Priority 2
Azure       Azure
Front Door  Application Gateway
    ↓           ↓
Azure Storage Account

This setup ensures that even if Azure Front Door experiences an outage, Traffic Manager automatically redirects users to your Application Gateway without any manual DNS changes or user-facing downtime.

Prevention: Build Resilience for Next Time

  • Implement Azure Traffic Manager for automated failover (as described above)
  • Document your disaster recovery procedures
  • Consider multi-region deployment strategies
  • Set up monitoring and alerts for service health with Azure Monitor
  • Regularly test your failover procedures