Edit

Share via

DDoS Protection on Azure Front Door

  • Article

Azure Front Door is a Content Delivery Network (CDN) that helps protect your origins from HTTP(S) DDoS attacks by distributing traffic across its 192 edge Points of Presence (POPs) worldwide. These POPs use Azure's large private WAN to deliver your web applications and services faster and more securely to your end users. Azure Front Door includes layer 3, 4, and 7 DDoS protection and a Web Application Firewall (WAF) to safeguard your applications from common exploits and vulnerabilities.

Infrastructure DDoS Protection

Azure Front Door benefits from the default Azure infrastructure DDoS protection. This protection monitors and mitigates network layer attacks in real-time using the global scale and capacity of Azure Front Door’s network. It has a proven track record of safeguarding Microsoft’s enterprise and consumer services from large-scale attacks.

Protocol Blocking

Azure Front Door supports only HTTP and HTTPS protocols and requires a valid Host header for each request. This behavior helps prevent common DDoS attack types such as volumetric attacks using various protocols and ports, DNS amplification attacks, and TCP poisoning attacks.

Capacity Absorption

Azure Front Door is a large-scale, globally distributed service that serves many customers, including Microsoft’s own cloud products, which handle hundreds of thousands of requests per second. Positioned at the edge of Azure’s network, Azure Front Door can intercept and geographically isolate large volume attacks, preventing malicious traffic from reaching beyond the edge of the Azure network.

Caching

You can use Azure Front Door caching capabilities to protect your backends from large traffic volumes generated by an attack. Azure Front Door edge nodes return cached resources, avoiding forwarding them to your backend. Even short cache expiry times (seconds or minutes) on dynamic responses can significantly reduce the load on your backend services. For more information about caching concepts and patterns, see Caching considerations and Cache-aside pattern.

Web Application Firewall (WAF)

You can use Azure Web Application Firewall (WAF) to mitigate various types of attacks:

  • The managed rule set protects your application from many common attacks. For more information, see Managed rules.
  • Block or redirect traffic from specific geographic regions to a static webpage. For more information, see Geo-filtering.
  • Block IP addresses and ranges identified as malicious. For more information, see IP restrictions.
  • Apply rate limiting to prevent IP addresses from calling your service too frequently. For more information, see Rate limiting.
  • Create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks with known signatures.
  • The bot protection managed rule set protects your application from known bad bots. For more information, see Configuring bot protection.

Refer to Application DDoS protection for guidance on using Azure WAF to protect against DDoS attacks.

Protect Virtual Network Origins

Enable Azure DDoS Protection on your origin virtual network to safeguard your public IPs from DDoS attacks. This service offers more benefits such as cost protection, an SLA guarantee, and access to the DDoS Rapid Response Team for expert assistance during an attack.

Enhance the security of your Azure-hosted origins by using Azure Private Link to restrict access to Azure Front Door. This feature establishes a private network connection between Azure Front Door and your application servers, eliminating the need to expose your origins to the public internet.

Next steps