Azure Front Door enhances secure cloud CDN with intelligent threat protection
This blog post was co-authored by Jessie Jia, Senior Program Manager
The Internet is the new corporate network and the fabric that connects users, devices, and data to applications of all types. It is foundational to how organizations run their businesses, engage their customers, conduct commerce, operate their supply chain, and enable their employees to work from anywhere. However, while the Internet is highly scalable and ever expanding, it is not always well optimized for the wide variety of applications and user experiences, and has little cybersecurity protections in place to secure applications from rising security threats and vulnerabilities.
Given how central these workloads are for enterprises, they look for a new class of content delivery network (CDN) which goes beyond caching, and can meet their availability, latency, scalability, and more importantly, the security goals. In addition, they have requested for a single unified platform which caters to both dynamic and static acceleration with built in turnkey security integration, and a simple and predictable pricing model.
To address these customer requirements, we're introducing the preview of two new SKUs to the Azure Front Door family, which combines capabilities of Azure Front Door, Azure Content Delivery Network (CDN) standard, and Azure Web Application Firewall (WAF) into a single secure cloud CDN platform with intelligent threat protection and a simple to understand pricing model.
Azure Front Door standard SKU is content delivery optimized, offering both static and dynamic content acceleration, global load balancing, SSL offload, domain and certificate management, enhanced traffic analytics, and basic security capabilities.
Azure Front Door premium SKU builds on capabilities of the standard SKU, and adds extensive security capabilities across WAF, BOT protection, Azure Private Link support, integration with Microsoft Threat Intelligence, and security analytics.
Figure 1: New Azure Front Door SKUs
Azure Front Door standard and premium overview
The new Azure Front Door provides you with an easy way to secure and accelerate apps, APIs, and websites. The key benefits which you get using Azure Front Door include:
- Improved application security with integrated WAF protection against the Open Web Application Security Project (OWASP) top 10 vulnerabilities, custom rules for application-specific protection, and Bot Manager protection against automatic malicious attacks, all integrated with Microsoft Threat Intelligence, with built-in layer 3 to 4 distributed denial of service (DDoS) protection.
- Enhanced static and dynamic site acceleration at the network edge close to the user, instant scale-out without warm-up, global HTTP load balancing with instant failover, and fully customizable rules engine for advanced routing capabilities.
- Built on Microsoft's massive-scale private global network, Azure Front Door is a proven platform used to power some of the largest and latency sensitive global services at Microsoft, such as Microsoft Office 365, Bing, LinkedIn, and Xbox.
- Simplified deployment and automation with a cloud-native and developer-friendly service that is fully representational state transfer (REST) API driven.
In addition to supporting all features available on Azure CDN standard, Azure Front Door, and Azure Web Application Firewall, the new standard and premium SKUs also add the following new capabilities in this preview:
Simplified and integrated user experience
The new SKUs offer the combined capabilities of Azure Front Door, Azure CDN standard and Azure Web Application Firewall in a refreshed new portal experience.
- Simplified Front Door creation: We have added Quick create that dramatically reduces the deployment steps and configuration. We also provide a new guided experience that lets you choose the correct SKU based on your usage scenario. The existing Azure Front Door and CDN offerings are also accessible from this unified experience.
- Simplified management experience: We have also enhanced the domain validation experience by removing reliance on CNAME subdomain-based verification to exclusively rely on domain name system (DNS) TXT record-based validation. The domain validation is seamlessly integrated with Azure DNS which further reduces delays in validation and eliminates dangling subdomain issues.
- TLS certificate management: Both standard and premium SKUs also offer Azure managed transport layer security (TLS) certificates by default for all of your custom domains at no additional cost. You never have to worry about TLS certificate expiry. You can opt to bring in your own TLS certificates by utilizing the built-in integration with Azure Key Vault.
Security and private origins
- Private origin support: Integration with Azure Private Link is an industry first CDN capability that enables customers to keep their origins private and embrace a zero-trust access model. This integration removes the necessity of having origins with public internet accessible IP addresses, thereby significantly reducing the surface area. Any PaaS service that integrates with Azure Private Link like Azure Storage and Azure App Services can be used as private origin. Your IaaS services running behind an Azure Load Balancer can also be enabled for Azure Private Link access.
- WAF enhancements: Azure Front Door premium SKU also enhances WAF capabilities by integrating Microsoft Threat Intelligence authored rules, CRS 3.2 signatures and Bot Manager that effectively protect applications from the OWASP top 10 and automated Bot vulnerabilities.
Analytics and telemetry
- Enhanced analytics capabilities for better troubleshooting and debugging. In addition to enhancing access logs and offering additional metrices, the new SKUs also provide pre-canned reports on traffic delivery and security.
- Azure Front Door health probe log: In addition to offering more metrices and enhancements in diagnostics logs, we are also introducing the health probe diagnostic log that allows you to debug if any origin is deemed unhealthy.
Traffic report by location
We have reduced billing complexities by having fewer meters that customers need to plan for. Each SKU includes a fixed monthly fee, tiered egress (data transfer outbound), requests per seconds (RPS), and ingress (data transfer inbound) fees. Azure Front Door premium SKU includes WAF, DDoS, Bot protection, and private link capabilities. Please refer to Azure Front Door pricing page for more details.
Get started with the Azure Front Door preview today to explore more new capabilities. If you are interested in exploring capabilities beyond the standard offering, simply file a feature request on our UserVoice page or feel free to contact us via email. We’d love to hear your feedback!
Please stay tuned for more capabilities coming up by general availability.
For more information on everything we covered in this blog post, please see the following:
- Azure Front Door standard and premium on Azure Portal
- Azure Network Security Tech Community blog
- Azure Network Security GitHub repository
- Azure Front Door standard and premium (preview).
- Azure Front Door standard and premium (preview) pricing.
- Azure Front Door standard and premium (preview) documentation.
Source: Azure Blog Feed