Azure Front Door is a modern cloud content delivery network (CDN) service that delivers high performance, scalability, and secure user experiences for your content and applications. As a global entry point for your applications, Azure Front Door handles massive amounts of traffic and serves as a critical security boundary, making it essential to implement robust security measures to protect against threats and ensure reliable service delivery.
This article provides guidance on how to best secure your Azure Front Door deployment.
Network security
Network security for Azure Front Door focuses on establishing secure connections between your CDN service and backend origins while protecting against external threats. Since Front Door operates at the network edge and handles global traffic distribution, implementing proper network controls ensures that your applications remain protected and accessible only through authorized channels.
Secure backend connections with Private Link: Use Azure Private Link to establish secure, private connections between Azure Front Door and your backend services. This prevents traffic from traversing the public internet and reduces exposure to network-based attacks. For more information, see Secure your Origin with Private Link in Azure Front Door.
Protect against DDoS attacks with built-in protection: Azure Front Door includes infrastructure DDoS protection that monitors and mitigates network-layer attacks in real time using the global scale of Azure's network. The service blocks unsupported protocols and requires a valid Host header, so common volumetric and protocol-level DDoS vectors are dropped at the edge before they reach your origins. For more information, see DDoS Protection on Azure Front Door.
Implement origin security controls: Configure your origins to accept traffic only from Azure Front Door. Restrict inbound traffic at the network layer with the AzureFrontDoor.Backend service tag (for example, in a network security group rule or an App Service access restriction), and have your application validate that the X-Azure-FDID request header matches the Front Door ID of your own profile. Both checks are needed: the service tag covers the egress addresses of every Front Door profile, so without the header check a request could still reach your origin through someone else's Front Door. Together they prevent attackers from bypassing the security features you configure in Front Door. For more information, see Secure traffic to Azure Front Door origins.
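The origin-side half of that control, as an added example that is not code from the Azure documentation: a small WSGI middleware that rejects any request whose X-Azure-FDID header does not match the Front Door ID of your profile. The Front Door ID in the block is a constructed placeholder; the real value is the GUID shown on your profile's overview page. IP filtering with the AzureFrontDoor.Backend service tag still belongs in the NSG or App Service access restriction in front of this origin; the header check complements it because the service tag admits traffic from every Front Door customer.

```python
"""Origin-side defence in depth for Azure Front Door.

Added example, not code from the Azure documentation. It rejects requests that
did not arrive through *our* Front Door profile by checking the X-Azure-FDID
header that Front Door appends to every forwarded request.
"""
import hmac

# Constructed placeholder. Replace with the Front Door ID (a GUID) of your
# own profile; several IDs are allowed so you can rotate profiles without
# an outage.
ALLOWED_FRONT_DOOR_IDS = frozenset({"11111111-2222-3333-4444-555555555555"})


def request_from_front_door(headers, allowed_ids=ALLOWED_FRONT_DOOR_IDS):
    """Return True only if X-Azure-FDID matches one of our profile IDs.

    `headers` is a plain dict of request headers. The comparison is
    constant-time and case-insensitive; a missing or empty header fails.
    """
    fdid = (headers.get("X-Azure-FDID") or "").strip().lower().encode("utf-8")
    if not fdid:
        return False
    return any(
        hmac.compare_digest(fdid, allowed.lower().encode("utf-8"))
        for allowed in allowed_ids
    )


class FrontDoorOnlyMiddleware:
    """WSGI middleware: answer 403 for any request lacking a valid X-Azure-FDID.

    Because Front Door terminates the client connection and opens its own
    connection to the origin, a direct-to-origin request has no way to obtain
    a valid header other than guessing the GUID.
    """

    def __init__(self, app, allowed_ids=ALLOWED_FRONT_DOOR_IDS):
        self.app = app
        self.allowed_ids = allowed_ids

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>, dashes replaced by underscores.
        headers = {"X-Azure-FDID": environ.get("HTTP_X_AZURE_FDID", "")}
        if not request_from_front_door(headers, self.allowed_ids):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Direct access to the origin is not allowed\n"]
        return self.app(environ, start_response)


def origin_app(environ, start_response):
    """Stand-in for the real origin application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the origin\n"]


# The application you would hand to your WSGI server.
guarded_app = FrontDoorOnlyMiddleware(origin_app)


def simulate(app, environ):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests: one via Front Door, one hitting the origin directly.
    via_front_door = {"HTTP_X_AZURE_FDID": "11111111-2222-3333-4444-555555555555"}
    direct = {}
    print(simulate(guarded_app, via_front_door))  # ('200 OK', b'hello from the origin\n')
    print(simulate(guarded_app, direct))          # ('403 Forbidden', ...)
```

The header check is a defence-in-depth layer, not a replacement for the service-tag filter: without the network-layer restriction an attacker who learns your Front Door ID can still reach the origin directly, and without the header check any Front Door profile can.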
Data protection
Data protection in Azure Front Door ensures that sensitive information remains secure both in transit and when stored, while providing you with control over encryption keys and certificates. Protecting data as it flows through your CDN infrastructure is critical for maintaining customer trust and meeting compliance requirements.
Leverage automatic encryption in transit: Azure Front Door terminates TLS at its edge with a managed certificate, so traffic between clients and Front Door is encrypted without additional configuration. To keep data encrypted for the whole path, redirect HTTP to HTTPS on your routes and set the origin forwarding protocol to HTTPS only, so the hop from Front Door to your origin is encrypted as well. For more information, see End-to-end TLS with Azure Front Door.
Manage certificates and keys with Azure Key Vault: If you bring your own TLS certificate for a custom domain, store it in Azure Key Vault and grant Front Door access to the vault, so you keep control over the certificate lifecycle (issuance, rotation, and revocation) without copying the private key elsewhere. The general guidance to use key hierarchies with separate data encryption keys (DEK) and key encryption keys (KEK) applies to data your origins store, not to Front Door itself. For more information, see the Azure Front Door documentation on configuring HTTPS for custom domains with customer-managed certificates.
Asset management
Asset management for Azure Front Door involves implementing configuration monitoring and policy enforcement to ensure your CDN deployment remains compliant with security standards. Proper asset management helps maintain consistent security configurations across your infrastructure and provides visibility into potential security drift.
Monitor configurations with Azure Policy: Use Azure Policy to continuously monitor and enforce security configurations across your Azure Front Door resources. Configure policies to audit compliance with your organization's security standards and automatically remediate configuration drift. For more information, see Azure Front Door Policies.
Implement configuration alerts: Set up Azure Monitor alerts to notify you when Azure Front Door configurations deviate from approved security baselines. Use policy effects like "deny" and "deploy if not exists" to automatically enforce secure configurations across your resources.