Phase 2 — Global Routing with Azure Front Door (Standard) Using Azure CLI

Published: (February 27, 2026 at 11:57 PM EST)
Source: Dev.to

Overview

In Phase 1 we deployed regional App Services.
Phase 2 elevates the architecture by adding a global entry point using Azure Front Door (Standard) – all via Azure CLI in Cloud Shell.

Typical request flow:

User
  ↓
Azure Front Door (Global Edge)
  ↓
Origin Group
  ↓
App Service (SEA)

Even with a single region (due to quota constraints), this setup provides:

  • Global Anycast entry point
  • Edge TLS termination
  • Health‑probe‑based routing
  • Future‑ready multi‑region expansion

Resources in a Single Resource Group

  • Azure Front Door Profile (Standard)
  • Endpoint
  • Origin Group
  • Origin (App Service)
  • Route

RG=rg-afd-lab
PROFILE_NAME=afd-profile
ENDPOINT_NAME=afd-endpoint

Create the Front Door Profile

az afd profile create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --sku Standard_AzureFrontDoor

Create the Endpoint

az afd endpoint create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  --enabled-state Enabled

Get the endpoint hostname

az afd endpoint show \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  --query hostName -o tsv

You’ll receive a hostname such as:

.z01.azurefd.net

Create the Origin Group

ORIGIN_GROUP=app-origin-group

az afd origin-group create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --origin-group-name $ORIGIN_GROUP \
  --probe-request-type GET \
  --probe-protocol Https \
  --probe-path "/" \
  --probe-interval-in-seconds 30

This configures an HTTPS GET health probe against / every 30 seconds.

Add the Origin (App Service)

az afd origin create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --origin-group-name $ORIGIN_GROUP \
  --origin-name sea-origin \
  --host-name app-sea-3446.azurewebsites.net \
  --origin-host-header app-sea-3446.azurewebsites.net \
  --priority 1 \
  --weight 1000 \
  --enabled-state Enabled

Important

  • origin-host-header must match the App Service hostname.
  • HTTPS certificate validation is enforced by default; mismatches cause errors.

Create the Route (Standard SKU requires a domain)

az afd route create \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  --route-name app-route \
  --origin-group $ORIGIN_GROUP \
  --supported-protocols Http Https \
  --patterns-to-match "/*" \
  --forwarding-protocol MatchRequest \
  --https-redirect Enabled \
  --link-to-default-domain Enabled

If you omit --link-to-default-domain Enabled, the command fails with:

(BadRequest) At least one domain is required for the route.

Verify the Route

az afd route list \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --endpoint-name $ENDPOINT_NAME \
  -o table

You should see:

  • ProvisioningState = Succeeded
  • DeploymentStatus = Succeeded

If DeploymentStatus = NotStarted, the route has not yet been activated at the edge.

Trigger activation

curl https://

The first request causes Front Door to deploy globally. A successful response looks like:

Hello from Southeast Asia

If you receive:

404 Not Found
X-Cache: CONFIG_NOCACHE

the route is not fully deployed to the edge yet (configuration‑level issue, not a backend problem).

Verify the backend directly

curl -I https://app-sea-3446.azurewebsites.net

  • If the backend returns 200, the issue lies with route activation.
  • If the route remains stuck, delete and recreate it:

az afd route delete --resource-group $RG --profile-name $PROFILE_NAME --endpoint-name $ENDPOINT_NAME --route-name app-route
az afd route create   # repeat the creation command from "Create the Route"

Recreating forces a global redeployment.
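
The edge-versus-backend check above, written as a small triage script. This is an added example, not code from the original post; the function names and result labels are hypothetical, and the sample responses are constructed rather than captured.

```bash
#!/usr/bin/env bash
# Added example: triage for the edge-vs-backend check. Function names and
# result labels are hypothetical; inputs are header text as printed by `curl -sI`.

# Status code from the first HTTP status line ("HTTP/1.1 200 OK", "HTTP/2 404").
http_status() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'toupper($1) ~ /^HTTP\// { print $2; exit }'
}

# Value of one header, matched case-insensitively by name.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F': *' -v h="$2" 'tolower($1) == tolower(h) { print $2; exit }'
}

# triage EDGE_HEADERS BACKEND_HEADERS -> one label on stdout
triage() {
  edge=$(http_status "$1"); cache=$(header_value "$1" "X-Cache")
  backend=$(http_status "$2")
  if [ "$edge" = "200" ]; then
    echo "edge-ok"
  elif [ "$backend" != "200" ]; then
    echo "backend-problem"          # fix the App Service before touching the route
  elif [ "$edge" = "404" ] && [ "$cache" = "CONFIG_NOCACHE" ]; then
    echo "route-not-deployed"       # wait, or delete and recreate the route
  else
    echo "check-origin-settings"    # e.g. origin-host-header mismatch
  fi
}

# Constructed sample responses, not captured from a real deployment.
EDGE_PENDING=$(printf 'HTTP/2 404 \r\nx-cache: CONFIG_NOCACHE\r\n')
EDGE_OK=$(printf 'HTTP/2 200 \r\ncontent-type: text/html\r\n')
EDGE_502=$(printf 'HTTP/2 502 \r\n')
BACKEND_OK=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')
BACKEND_DOWN=$(printf 'HTTP/1.1 503 Service Unavailable\r\n')

triage "$EDGE_PENDING" "$BACKEND_OK"     # route-not-deployed
triage "$EDGE_PENDING" "$BACKEND_DOWN"   # backend-problem
triage "$EDGE_502" "$BACKEND_OK"         # check-origin-settings
triage "$EDGE_OK" "$BACKEND_OK"          # edge-ok
```

In practice the two arguments come from `curl -sI` against the Front Door endpoint hostname and against the App Service hostname.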

Inspect the Origin Group

az afd origin-group show \
  --resource-group $RG \
  --profile-name $PROFILE_NAME \
  --origin-group-name $ORIGIN_GROUP

Key fields to confirm:

  • "probePath": "/"
  • "probeProtocol": "Https"
  • "provisioningState": "Succeeded"

Architecture Diagram (textual)

Internet
  ↓
Azure Front Door Edge (Anycast)
  ↓
Origin Group
  ↓
App Service (SEA)

Even with a single region you now have:

  • Global entry point
  • Edge TLS termination
  • Health‑probe routing
  • Production‑ready structure
  • Capability for multi‑region expansion

Key Lessons from Phase 2

  • Standard SKU requires domain linkage for routes.
  • DeploymentStatus = NotStarted indicates the edge has not been activated.
  • CONFIG_NOCACHE 404 is a configuration‑level response, not a backend error.
  • The route object triggers global edge deployment.
  • Health probes must succeed before activation.

Next Steps (Phase 3)

  • Add Web Application Firewall (WAF)
  • Configure custom domain + managed TLS
  • Enable Azure Monitor diagnostics
  • Implement active/passive failover
  • Scale to multiple regions