Azure Front Door vs Application Gateway: Key Differences and Usage
Azure Front Door is a global, scalable entry point for fast and secure delivery of web applications, focusing on global load balancing and CDN capabilities. Azure Application Gateway is a regional web traffic load balancer with advanced Layer 7 routing and security features like a web application firewall.
Quick Comparison
This table summarizes the main differences between Azure Front Door and Application Gateway.
| Feature | Azure Front Door | Azure Application Gateway |
|---|---|---|
| Scope | Global (multi-region) | Regional (single region) |
| Load Balancing Type | Layer 7 (HTTP/HTTPS) global load balancing | Layer 7 (HTTP/HTTPS) regional load balancing |
| SSL Termination | Yes, at edge locations | Yes, at regional gateway |
| Web Application Firewall (WAF) | Yes, integrated | Yes, integrated |
| Protocol Support | HTTP, HTTPS, HTTP/2, WebSocket | HTTP, HTTPS, WebSocket |
| Caching & CDN | Built-in caching and CDN capabilities | No caching or CDN |
Key Differences
Azure Front Door is designed to optimize global web traffic by routing user requests to the nearest healthy backend across multiple regions. It acts like a global front door to your applications, improving performance with caching and fast failover. It terminates SSL at Microsoft's edge locations worldwide, reducing latency.
Application Gateway works within a single Azure region and focuses on advanced Layer 7 routing features such as URL path-based routing, multi-site hosting, and session affinity. It also provides a web application firewall to protect against common web attacks. Unlike Front Door, it does not provide global load balancing or CDN capabilities.
In summary, Front Door is best for global, high-performance, and scalable web delivery, while Application Gateway is ideal for regional traffic management with detailed routing and security controls.
Code Comparison
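Example Azure Resource Manager (ARM) template snippet to create an Azure Front Door (Premium) profile with a simple frontend endpoint and a backend origin group. In the Microsoft.Cdn resource model the origin group and its origins are separate child resources of the profile, not properties of the endpoint. A route resource, not shown here, is what connects the endpoint to the origin group.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Cdn/profiles",
      "apiVersion": "2021-06-01",
      "name": "myFrontDoorProfile",
      "location": "global",
      "sku": {
        "name": "Premium_AzureFrontDoor"
      },
      "properties": {}
    },
    {
      "type": "Microsoft.Cdn/profiles/afdEndpoints",
      "apiVersion": "2021-06-01",
      "name": "myFrontDoorProfile/myFrontDoorEndpoint",
      "location": "global",
      "dependsOn": [
        "[resourceId('Microsoft.Cdn/profiles', 'myFrontDoorProfile')]"
      ],
      "properties": {
        "enabledState": "Enabled"
      }
    },
    {
      "type": "Microsoft.Cdn/profiles/originGroups",
      "apiVersion": "2021-06-01",
      "name": "myFrontDoorProfile/originGroup1",
      "dependsOn": [
        "[resourceId('Microsoft.Cdn/profiles', 'myFrontDoorProfile')]"
      ],
      "properties": {
        "loadBalancingSettings": {
          "sampleSize": 4,
          "successfulSamplesRequired": 3
        },
        "healthProbeSettings": {
          "probePath": "/",
          "probeRequestType": "HEAD",
          "probeProtocol": "Https",
          "probeIntervalInSeconds": 100
        }
      }
    },
    {
      "type": "Microsoft.Cdn/profiles/originGroups/origins",
      "apiVersion": "2021-06-01",
      "name": "myFrontDoorProfile/originGroup1/myBackendOrigin",
      "dependsOn": [
        "[resourceId('Microsoft.Cdn/profiles/originGroups', 'myFrontDoorProfile', 'originGroup1')]"
      ],
      "properties": {
        "hostName": "myapp.azurewebsites.net",
        "originHostHeader": "myapp.azurewebsites.net",
        "httpsPort": 443,
        "priority": 1,
        "weight": 1000
      }
    }
  ]
}
Application Gateway Equivalent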
Example ARM template snippet to create an Azure Application Gateway with a frontend IP, listener, and backend pool.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2022-05-01",
      "name": "myAppGateway",
      "location": "eastus",
      "properties": {
        "sku": {
          "name": "WAF_v2",
          "tier": "WAF_v2",
          "capacity": 2
        },
        "gatewayIPConfigurations": [
          {
            "name": "appGatewayIpConfig",
            "properties": {
              "subnet": {
                "id": "/subscriptions/{subscriptionId}/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
              }
            }
          }
        ],
        "frontendIPConfigurations": [
          {
            "name": "appGatewayFrontendIP",
            "properties": {
              "publicIPAddress": {
                "id": "/subscriptions/{subscriptionId}/resourceGroups/myRG/providers/Microsoft.Network/publicIPAddresses/myPublicIP"
              }
            }
          }
        ],
        "frontendPorts": [
          {
            "name": "appGatewayFrontendPort",
            "properties": {
              "port": 443
            }
          }
        ],
        "sslCertificates": [
          {
            "name": "appGatewaySslCert",
            "properties": {
              "data": "<base64-encoded-pfx>",
              "password": "<pfx-password>"
            }
          }
        ],
        "httpListeners": [
          {
            "name": "appGatewayListener",
            "properties": {
              "frontendIPConfiguration": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/frontendIPConfigurations/appGatewayFrontendIP')]"
              },
              "frontendPort": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/frontendPorts/appGatewayFrontendPort')]"
              },
              "protocol": "Https",
              "sslCertificate": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/sslCertificates/appGatewaySslCert')]"
              }
            }
          }
        ],
        "backendAddressPools": [
          {
            "name": "appGatewayBackendPool",
            "properties": {
              "backendAddresses": [
                {
                  "fqdn": "myapp.azurewebsites.net"
                }
              ]
            }
          }
        ],
        "backendHttpSettingsCollection": [
          {
            "name": "appGatewayBackendHttpSettings",
            "properties": {
              "port": 443,
              "protocol": "Https",
              "cookieBasedAffinity": "Disabled",
              "pickHostNameFromBackendAddress": true
            }
          }
        ],
        "requestRoutingRules": [
          {
            "name": "rule1",
            "properties": {
              "ruleType": "Basic",
              "priority": 100,
              "httpListener": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/httpListeners/appGatewayListener')]"
              },
              "backendAddressPool": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/backendAddressPools/appGatewayBackendPool')]"
              },
              "backendHttpSettings": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/backendHttpSettingsCollection/appGatewayBackendHttpSettings')]"
              }
            }
          }
        ]
      }
    }
  ]
}
When to Use Which
Choose Azure Front Door when you need fast global delivery, multi-region failover, and built-in CDN caching for your web applications. It is ideal for global users and scenarios requiring low latency and high availability across regions.
Choose Azure Application Gateway when your application is hosted in a single region and requires advanced Layer 7 routing features like URL path-based routing, session affinity, or detailed WAF policies. It is best for regional traffic management and security within Azure.
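
The checks below are an added example, not code from the original page: a small Python audit of the Application Gateway resource in an ARM template, covering the WAF and TLS settings this comparison relies on. The sample templates are constructed to mirror the page's gateway, and the `certData` and `certPassword` parameter names are hypothetical.

```python
ARM_TYPE = "Microsoft.Network/applicationGateways"

def audit_app_gateway(template):
    """Return a list of findings, one string per weak setting."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != ARM_TYPE:
            continue
        name, props = res.get("name", "?"), res.get("properties", {})
        tier = props.get("sku", {}).get("tier", "")
        waf = props.get("webApplicationFirewallConfiguration", {})
        if not tier.startswith("WAF"):
            findings.append(f"{name}: SKU tier '{tier}' has no WAF")
        elif "firewallPolicy" not in props and not waf.get("enabled"):
            findings.append(f"{name}: WAF SKU but no WAF policy or enabled WAF config")
        elif "firewallPolicy" not in props and waf.get("firewallMode") != "Prevention":
            findings.append(f"{name}: WAF is not in Prevention mode (logs only)")
        for lst in props.get("httpListeners", []):
            if lst.get("properties", {}).get("protocol") != "Https":
                findings.append(f"{name}: listener '{lst.get('name')}' accepts plain HTTP")
        for bs in props.get("backendHttpSettingsCollection", []):
            if bs.get("properties", {}).get("protocol") != "Https":
                findings.append(f"{name}: backend setting '{bs.get('name')}' sends plain HTTP")
        for cert in props.get("sslCertificates", []):
            pw = cert.get("properties", {}).get("password")
            # ARM expressions such as [parameters('x')] start with '['; anything else is a literal.
            if pw is not None and not pw.startswith("["):
                findings.append(f"{name}: certificate '{cert.get('name')}' has a literal password")
    return findings

def gateway(extra_props, cert_props):
    """Constructed sample shaped like the page's template (not a full deployment)."""
    props = {"sku": {"name": "WAF_v2", "tier": "WAF_v2", "capacity": 2},
             "sslCertificates": [{"name": "appGatewaySslCert", "properties": cert_props}],
             "httpListeners": [{"name": "appGatewayListener", "properties": {"protocol": "Https"}}],
             "backendHttpSettingsCollection": [{"name": "appGatewayBackendHttpSettings",
                                                "properties": {"port": 443, "protocol": "Https"}}]}
    props.update(extra_props)
    return {"resources": [{"type": ARM_TYPE, "name": "myAppGateway", "properties": props}]}

# Constructed inputs: one mirrors the page's settings, one is the corrected form.
PAGE_LIKE = gateway({}, {"data": "<base64-encoded-pfx>", "password": "<pfx-password>"})
HARDENED = gateway(
    {"webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention",
                                             "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}},
    # certData / certPassword are hypothetical securestring template parameters.
    {"data": "[parameters('certData')]", "password": "[parameters('certPassword')]"})

if __name__ == "__main__":
    for label, tpl in (("page-like", PAGE_LIKE), ("hardened", HARDENED)):
        print(label, audit_app_gateway(tpl) or "no findings")
```

When the gateway references a `firewallPolicy`, the Detection or Prevention mode lives on that separate policy resource, so this check cannot see it and reports nothing for the mode.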