The Problem: If you’re experiencing an Azure Front Door outage today and you’re routing traffic from Azure Front Door CDN to a storage account, you need a fast recovery solution to keep your site or application accessible.
The Solution: Set up an Azure Application Gateway with an SSL/TLS certificate and configure it to point directly to your Azure Storage account as a temporary (or permanent) failover solution.
Prerequisites
- An active Azure subscription
- An Azure Storage account with static website hosting enabled
- A custom domain (optional, but recommended)
- SSL/TLS certificate for your domain
Step-by-Step Recovery Process
Step 1: Prepare Your Azure Storage Account
- Navigate to your Storage Account in the Azure Portal
- Ensure Static website hosting is enabled under Settings
- Note your storage account’s primary endpoint (e.g., https://yourstorageaccount.z13.web.core.windows.net)
Step 2: Create an Azure Application Gateway
- In the Azure Portal, search for “Application Gateway” and click Create
- Fill in the basic configuration:
- Name: Choose a descriptive name (e.g., myapp-recovery-appgw)
- Region: Select the same region as your storage account or closest to your users
- Tier: Standard V2 or WAF V2 (depending on your needs)
- Enable autoscaling: Optional, based on your traffic patterns
Step 3: Configure Frontend IP and Listener
- Frontend IP Configuration:
- Create a new public IP address or select an existing one
- Add a Listener:
- Protocol: HTTPS (or HTTP if testing)
- Port: 443 (or 80 for HTTP)
- Upload your SSL/TLS certificate or use Azure-managed certificates
- Enter your custom domain name
Step 4: Configure Backend Pool
- In the Backend Pools section, click Add
- Target type: Select “IP address or FQDN”
- Enter your storage account’s static website endpoint (without https://)
- Example: yourstorageaccount.z13.web.core.windows.net
Step 5: Configure HTTP Settings
- Create a new HTTP setting:
- Protocol: HTTPS
- Port: 443
- Backend hostname: Select “Override with specific domain name”
- Enter your storage account endpoint
- Enable “Use well known CA certificate”
Step 6: Create Routing Rule
- Connect your listener to the backend pool
- Associate the HTTP settings you created
- Save the configuration
Step 7: Update DNS Records
- Go to your DNS provider
- Update your domain’s A record or CNAME to point to the Application Gateway’s public IP or FQDN
- DNS propagation typically takes 5-15 minutes
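Steps 2 through 6 above as a single Azure CLI script, added here as an example and not part of the original post. The resource names, the certificate path and the AZ_DRY_RUN switch are assumptions; with AZ_DRY_RUN=1 the script prints the commands instead of creating anything, which is also how you can review the plan before running it during an incident.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of Steps 2-6.
# Resource names, the certificate path and AZ_DRY_RUN are assumptions; set
# AZ_DRY_RUN=1 to print the commands instead of running them against Azure.
set -eu

RG="${RG:-rg-recovery}"
LOCATION="${LOCATION:-eastus}"
APPGW="${APPGW:-myapp-recovery-appgw}"
STORAGE_WEB_HOST="${STORAGE_WEB_HOST:-yourstorageaccount.z13.web.core.windows.net}"
CERT_PFX="${CERT_PFX:-./www-example-com.pfx}"  # placeholder path to your PFX
CERT_PASSWORD="${CERT_PASSWORD:-}"              # pass via the environment, never hardcode

# Runs az, or prints the would-be command line when AZ_DRY_RUN=1.
az_cmd() {
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

create_app_gateway() {
  # Steps 2-5: v2 gateway, public frontend, HTTPS listener on 443 with your
  # certificate, backend pool = storage web endpoint (FQDN only, no https://),
  # backend settings HTTPS on 443. VNet, subnet and a Standard static public IP
  # are created if they do not exist; the default rule (Step 6) wires it all up.
  az_cmd network application-gateway create \
    --resource-group "$RG" --name "$APPGW" --location "$LOCATION" \
    --sku Standard_v2 --capacity 2 --priority 100 \
    --vnet-name "${APPGW}-vnet" --subnet appgw-subnet \
    --public-ip-address "${APPGW}-pip" \
    --servers "$STORAGE_WEB_HOST" \
    --frontend-port 443 --cert-file "$CERT_PFX" --cert-password "$CERT_PASSWORD" \
    --http-settings-port 443 --http-settings-protocol Https
  # Probe that reuses the Host override set below, so health checks reach the
  # storage endpoint the same way real requests do.
  az_cmd network application-gateway probe create \
    --resource-group "$RG" --gateway-name "$APPGW" --name storage-probe \
    --protocol Https --path /index.html --host-name-from-http-settings true \
    --interval 30 --timeout 30 --threshold 3
  # Step 5: send the storage endpoint as Host header (storage only answers for
  # its own hostname) and attach the probe. With no --root-certs, the backend
  # certificate is checked against well-known public CAs, the portal's
  # "Use well known CA certificate" option.
  az_cmd network application-gateway http-settings update \
    --resource-group "$RG" --gateway-name "$APPGW" \
    --name appGatewayBackendHttpSettings \
    --host-name "$STORAGE_WEB_HOST" --probe storage-probe
}

if [ "${1:-}" = "apply" ]; then create_app_gateway; fi
```

Run it as `AZ_DRY_RUN=1 sh recover-appgw.sh` to see the plan, then `sh recover-appgw.sh apply` after `az login`; Step 7 (DNS) is still done at your DNS provider once the gateway's public IP is known.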
Testing Your Setup
- Access your domain and verify the site loads correctly
- Check SSL certificate validity
- Test multiple pages/routes to ensure proper routing
Additional Considerations
Cost: Application Gateway pricing differs from Front Door. Monitor your costs during the outage.
Performance: Application Gateway doesn’t include CDN caching like Front Door. Consider implementing Azure CDN in front of Application Gateway if you need caching.
Long-term Strategy: Once Azure Front Door is restored, you can either:
- Switch back to Front Door
- Keep Application Gateway as a permanent failover option
- Maintain both for redundancy
Long-Term Solution: Implement Azure Traffic Manager for High Availability
For a more resilient architecture going forward, consider implementing Azure Traffic Manager to automatically route traffic between multiple endpoints. This gives you built-in failover capabilities and prevents future outages from impacting your users.
Why Azure Traffic Manager?
Azure Traffic Manager acts as a DNS-based load balancer that can:
- Automatically detect endpoint health and route traffic to healthy endpoints
- Provide failover between Azure Front Door and Application Gateway
- Support multiple routing methods (priority, weighted, geographic, etc.)
- Deliver high availability without manual DNS changes during outages
Setting Up Traffic Manager for Failover
- Create a Traffic Manager Profile:
- Navigate to Traffic Manager in Azure Portal
- Choose Priority routing method for failover scenarios
- Configure DNS TTL (lower values = faster failover, but more DNS queries)
- Add Endpoints:
- Primary Endpoint: Your Azure Front Door instance (Priority 1)
- Secondary Endpoint: Your Application Gateway (Priority 2)
- You can also add your Storage Account’s static website endpoint as a tertiary backup (Priority 3)
- Configure Health Checks:
- Set up custom probe paths (e.g., /health or /index.html)
- Define probe interval and timeout values
- Traffic Manager will automatically fail over if the primary endpoint fails health checks
- Update Your DNS:
- Point your custom domain’s CNAME to the Traffic Manager profile (e.g., yourapp.trafficmanager.net)
- Traffic Manager handles routing to the appropriate backend based on health and priority
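The Traffic Manager profile, health probe and three prioritised endpoints from the steps above as one Azure CLI script, added here as an example and not part of the original post. The resource names, the Front Door hostname, the Application Gateway public IP resource id and the AZ_DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the
# Traffic Manager steps above. Resource names, the Front Door hostname, the
# App Gateway public IP resource id and AZ_DRY_RUN are assumptions; set
# AZ_DRY_RUN=1 to print the commands instead of running them.
set -eu

RG="${RG:-rg-recovery}"
TM_PROFILE="${TM_PROFILE:-myapp-tm}"
TM_DNS_LABEL="${TM_DNS_LABEL:-yourapp}"                    # -> yourapp.trafficmanager.net
FRONT_DOOR_HOST="${FRONT_DOOR_HOST:-yourapp.azurefd.net}"  # placeholder
APPGW_PIP_ID="${APPGW_PIP_ID:-/subscriptions/<subscription-id>/resourceGroups/rg-recovery/providers/Microsoft.Network/publicIPAddresses/myapp-recovery-appgw-pip}"  # placeholder
STORAGE_WEB_HOST="${STORAGE_WEB_HOST:-yourstorageaccount.z13.web.core.windows.net}"

# Runs az, or prints the would-be command line when AZ_DRY_RUN=1.
az_cmd() {
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

create_traffic_manager() {
  # Priority routing with an HTTPS probe on /index.html every 10 s; three
  # consecutive failures mark an endpoint degraded. TTL 30 s bounds how long
  # resolvers keep handing out the failed endpoint after a failover.
  az_cmd network traffic-manager profile create \
    --resource-group "$RG" --name "$TM_PROFILE" \
    --routing-method Priority --unique-dns-name "$TM_DNS_LABEL" --ttl 30 \
    --protocol HTTPS --port 443 --path /index.html \
    --interval 10 --timeout 5 --max-failures 3
  # Priority 1: Front Door, referenced by hostname as an external endpoint.
  az_cmd network traffic-manager endpoint create \
    --resource-group "$RG" --profile-name "$TM_PROFILE" --name front-door \
    --type externalEndpoints --target "$FRONT_DOOR_HOST" --priority 1
  # Priority 2: Application Gateway via its public IP resource (the IP needs a
  # DNS name label for Traffic Manager to accept it as an Azure endpoint).
  az_cmd network traffic-manager endpoint create \
    --resource-group "$RG" --profile-name "$TM_PROFILE" --name app-gateway \
    --type azureEndpoints --target-resource-id "$APPGW_PIP_ID" --priority 2
  # Priority 3: storage static website endpoint as a last resort.
  az_cmd network traffic-manager endpoint create \
    --resource-group "$RG" --profile-name "$TM_PROFILE" --name storage-web \
    --type externalEndpoints --target "$STORAGE_WEB_HOST" --priority 3
}

if [ "${1:-}" = "apply" ]; then create_traffic_manager; fi
```

Traffic Manager only changes the DNS answer, so every endpoint must itself serve your custom domain with a valid certificate: Front Door and Application Gateway do once the domain and certificate are configured on them, while the storage static website endpoint does not terminate HTTPS for custom domains, so the priority-3 fallback only helps for plain HTTP.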
Benefits of This Architecture
- Automatic Failover: No manual intervention needed during outages
- Always-On Availability: Traffic automatically routes to healthy endpoints
- Flexible Routing: Can implement geographic routing, weighted distribution, or performance-based routing
- Cost-Effective: Traffic Manager pricing is minimal compared to downtime costs
- Easy Testing: Can easily test failover by disabling endpoints
Recommended Architecture
Your Domain (CNAME)
↓
Azure Traffic Manager (DNS-based routing)
↓
┌───┴───┐
↓ ↓
Priority 1 Priority 2
Azure Azure
Front Door Application Gateway
↓ ↓
Azure Storage Account
This setup ensures that even if Azure Front Door experiences an outage, Traffic Manager automatically redirects users to your Application Gateway without any manual DNS changes or user-facing downtime.
Prevention: Build Resilience for Next Time
- Implement Azure Traffic Manager for automated failover (as described above)
- Document your disaster recovery procedures
- Consider multi-region deployment strategies
- Set up monitoring and alerts for service health with Azure Monitor
- Regularly test your failover procedures