Azure Front Door Architecture

QI3IX Global CDN & Traffic Management Infrastructure

What is Azure Front Door?

Azure Front Door is Microsoft's modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access to our global web applications. It acts as the single global entry point for all 54 of our custom domains, routing traffic to the appropriate backend services based on intelligent rules and health monitoring.

Key Concept

Think of Front Door as a sophisticated traffic director at a massive intersection. When users visit any of our domains (like www.drantech.ai or www.celljourney.com), Front Door receives that request first, determines the best backend server to handle it, ensures that server is healthy, and then routes the traffic accordingly — all in milliseconds.

Core Capabilities

QI3IX Front Door Infrastructure by the Numbers

  • Front Door Profile: 1
  • Custom Domains: 54
  • Origin Groups: 14
  • Production Apps: 7

Infrastructure Details

  • Front Door Profile: qi3ix-global-frontdoor (Corporate resource group)
  • Endpoint: qi3ix-global (qi3ix-global-czadf0eycxfxe9fn.z01.azurefd.net)
  • SKU: Premium_AzureFrontDoor (includes WAF, enhanced security)
  • Health Probe Standard: /api/health on HTTP (30-second intervals)
  • Routing Pattern: One route per domain with /* wildcard

Request Flow Architecture

User Request → Production App Response

User (www.drantech.ai) → Front Door (SSL Termination, Health Check, Route Matching) → Origin Group (drantechai-backend) → App Service (Dranschak-East2-App, Flask Application)

Step-by-Step Request Processing

  1. DNS Resolution: User's browser resolves www.drantech.ai to Front Door's global endpoint
  2. Front Door Reception: Request hits nearest Azure edge location (global anycast)
  3. SSL Termination: Front Door decrypts HTTPS traffic using managed SSL certificate
  4. Route Matching: Front Door matches domain to specific route (drantechai-route)
  5. Health Check Verification: Confirms origin group backend is healthy (recent /api/health probe succeeded)
  6. Backend Selection: Selects healthy backend from origin group (Dranschak-East2-App)
  7. Request Forwarding: Forwards request to App Service over Azure backbone network
  8. Response Delivery: Flask app processes request, returns response through Front Door to user
  9. CDN Caching: Static assets cached at edge for subsequent requests

Critical Health Probe Requirement

If a backend's /api/health endpoint returns anything other than HTTP 200 OK, Front Door marks that origin as UNHEALTHY and stops routing traffic to it. This causes 503 Service Unavailable errors for all domains routed to that origin group. Every Flask app MUST have a functioning /api/health endpoint.

Domain Inventory (54 Total)

Production Domains (7 Active) [LIVE]

  • www.drantech.ai: DranTechAI Developer Hub
  • www.celljourney.com: CellJourney Biotech Platform
  • www.enableyou.ai: EnableYou QSPECTIVE Portal
  • www.laughinguphill.com: Laughing Uphill Adventure Hub
  • www.qspective.com: QSPECTIVE AI Platform
  • www.blockifyai.com: BlockifyAI Services
  • www.thedranschaks.com: Family Platform

Strategic Reserve Domains (47 Total) [HOLDING PAGE]

The following domains are registered and configured in Front Door but serve a professional "Coming Soon" holding page. They route to the holding-page-origin-group origin group.

  • landjglobal.com: Strategic reserve
  • 5whyglobal.com: Strategic reserve
  • youtelligence.com: Strategic reserve
  • quantumstak.com: Strategic reserve
  • qi3ix.com: Strategic reserve
  • qspective.ai: Strategic reserve
  • + 41 more domains (see AZURE_FRONTDOOR_INVENTORY.md for complete list)

Origin Groups Configuration (14 Total)

Origin groups are logical collections of backend servers. Front Door routes traffic to origin groups, which then distribute requests across their configured origins (App Services or Static Web Apps). Each origin group includes health probe settings to monitor backend availability.

Flask App Service Origin Groups (5 Total)

drantechai-backend

  • Origin: Dranschak-East2-App.azurewebsites.net
  • Health Probe: /api/health (HTTP, 30s interval)
  • App Type: Flask App Service
  • Domains: www.drantech.ai
  • Status: ✓ HEALTHY

celljourney-backend

  • Origin: cell-journet.azurewebsites.net
  • Health Probe: /api/health (HTTP, 30s interval)
  • App Type: Flask App Service
  • Domains: www.celljourney.com
  • Status: ✓ HEALTHY

enableyou-backend

  • Origin: enable-you-ai.azurewebsites.net
  • Health Probe: /api/health (HTTP, 30s interval)
  • App Type: Flask App Service
  • Domains: www.enableyou.ai
  • Status: ✓ HEALTHY

laughinguphill-backend

  • Origin: laughing-uphill.azurewebsites.net
  • Health Probe: /api/health (HTTP, 30s interval)
  • App Type: Flask App Service
  • Domains: www.laughinguphill.com
  • Status: ✓ HEALTHY

holding-page-origin-group

  • Origin: gray-dune-04b84ce0f.5.azurestaticapps.net (temporary)
  • Health Probe: /api/health (HTTP, 30s interval)
  • App Type: Azure Static Web App (holding page)
  • Domains: 47 strategic reserve domains
  • Status: ✓ HEALTHY

Static Web App Origin Groups (9 Total)

These origin groups serve Azure Static Web Apps. Most are internal development environments or specialized deployment targets. They typically use / as the health probe path (default for static sites).

| Origin Group Name | Static App | Health Probe | Purpose |
|---|---|---|---|
| sarcastic-mushroom | sarcastic-mushroom-*.azurestaticapps.net | /api/health | Deployment environment |
| red-beach | red-beach-*.azurestaticapps.net | /api/health | Deployment environment |
| red-mushroom | red-mushroom-*.azurestaticapps.net | /api/health | Deployment environment |
| novadyme | novadyme-*.azurestaticapps.net | /api/health | NovaDyme platform |
| happy-dune | happy-dune-*.azurestaticapps.net | / (needs update) | Deployment environment |
| a-lucky-fig | a-lucky-fig-*.azurestaticapps.net | / (needs update) | Deployment environment |
| five-why | five-why-*.azurestaticapps.net | / (needs update) | 5Why platform |
| gray-dune | gray-dune-*.azurestaticapps.net | / (needs update) | Temporary holding page host |
| green-rock | green-rock-*.azurestaticapps.net | / (needs update) | Deployment environment |

Configuration Update Required

Six origin groups (happy-dune, a-lucky-fig, five-why, gray-dune, green-rock, white-sky) currently use / as the health probe path. These should be updated to /api/health for consistency and better monitoring. The configuration script scripts/azure/configure_frontdoor_complete.ps1 handles these updates automatically.

Route Configuration Strategy

QI3IX uses a one route per domain architecture. Each of the 54 custom domains has a dedicated route that maps the domain to its designated origin group. This provides clear separation, easier debugging, and straightforward configuration management.

Standard Route Configuration

Route Name Pattern: [domain-name]-route
Example: drantechai-route

Route Settings:
├─ Patterns to match: www.drantech.ai/*
├─ Origin group: drantechai-backend
├─ Forwarding protocol: HTTPS only
├─ Query string caching: Ignore query string
├─ Dynamic compression: Enabled
└─ HTTPS redirect: Enabled (301 permanent redirect)

Key Route Mappings

| Route Name | Domain Pattern | Origin Group | Backend Type |
|---|---|---|---|
| drantechai-route | www.drantech.ai/* | drantechai-backend | Flask App Service |
| celljourney-route | www.celljourney.com/* | celljourney-backend | Flask App Service |
| enableyou-route | www.enableyou.ai/* | enableyou-backend | Flask App Service |
| laughinguphill-route | www.laughinguphill.com/* | laughinguphill-backend | Flask App Service |
| landjglobal-route | landjglobal.com/* | holding-page-origin-group | Static Web App |

+ 49 more routes (see complete inventory)

Health Monitoring & Probes

Azure Front Door continuously monitors backend health to ensure traffic is only routed to healthy servers. Every 30 seconds, Front Door sends HTTP GET requests to the configured health probe path. Backends must respond with HTTP 200 OK within the timeout period to be considered healthy.

Standard Health Probe Configuration

Health Probe Settings (All Origin Groups):
├─ Path: /api/health
├─ Protocol: HTTP (not HTTPS)
├─ Method: GET or HEAD
├─ Interval: 30 seconds
├─ Timeout: 5 seconds
├─ Successful samples required: 2-3
└─ Unhealthy threshold: 2 consecutive failures

Why HTTP instead of HTTPS?
• Front Door terminates SSL at the edge
• Backend probes use internal Azure network (no SSL needed)
• Faster probe responses (no SSL handshake)
• Microsoft official recommendation for App Service origins

Flask Health Endpoint Implementation

from flask import Flask

app = Flask(__name__)


@app.route("/api/health", methods=["GET", "HEAD"])
def api_health():
    """
    Front Door health probe endpoint.
    CRITICAL: Must always return 200 OK for Front Door to route traffic.
    - Do NOT add authentication
    - Do NOT add database checks
    - Do NOT add heavy logic
    - Must be fast (< 500ms)
    """
    # Static body and explicit 200: no redirect, no dependency on other services
    return "OK", 200

Critical Failure Scenarios

Front Door will serve 503 Service Unavailable if:

  • Health probe is disabled in origin group configuration
  • Health probe path is incorrect (e.g., /health instead of /api/health)
  • /api/health endpoint returns any status code other than 200 OK
  • /api/health endpoint has redirects (301/302/307)
  • App Service fails to start or warmup
  • Backend host header mismatch (rare)
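The failure scenarios above can be checked before touching Front Door. The following is an added example, not part of the QI3IX scripts: a standard-library Python probe that requests the health path over plain HTTP, does not follow redirects, and reports which scenario applies. The DemoOrigin server, its /https-only path and the origin.example host are constructed stand-ins for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_PATH = "/api/health"  # standard probe path from this page
PROBE_TIMEOUT = 5           # seconds, from the probe settings on this page

def probe(host, port=80, path=PROBE_PATH, method="GET"):
    """Send one plain-HTTP probe, never following redirects; return (healthy, reason)."""
    conn = http.client.HTTPConnection(host, port, timeout=PROBE_TIMEOUT)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
    except (OSError, http.client.HTTPException) as exc:  # refused, timed out, bad reply
        return False, f"no response: {type(exc).__name__}"
    finally:
        conn.close()
    if resp.status == 200:
        return True, "200 OK"
    if resp.status in (301, 302, 307, 308):
        return False, f"{resp.status} redirect to {resp.getheader('Location')}"
    return False, f"unexpected status {resp.status}"

class DemoOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in origin for the demo, not one of the real backends."""
    def do_GET(self):
        if self.path == "/api/health":
            status, location, body = 200, None, b"OK"
        elif self.path == "/https-only":  # hypothetical: origin redirects HTTP to HTTPS
            status, location, body = 301, "https://origin.example/api/health", b""
        else:                             # e.g. probe path set to /health by mistake
            status, location, body = 404, None, b""
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command == "GET":         # HEAD probes get headers only
            self.wfile.write(body)
    do_HEAD = do_GET
    def log_message(self, *args):         # keep the demo output quiet
        pass

def start_demo_origin():
    """Run DemoOrigin on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Calling probe() with an origin hostname on port 80 shows what a plain-HTTP probe receives from that origin; a redirect result means the origin answers HTTP requests with a redirect, which the list above treats as a failed probe.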

Health Status Monitoring

# Check the origin group's health probe configuration via Azure CLI
# (healthProbeSettings is a property of the origin group, not of an individual origin)
az afd origin-group show \
  --resource-group Corporate \
  --profile-name qi3ix-global-frontdoor \
  --origin-group-name drantechai-backend \
  --query "healthProbeSettings"

# Expected response for a correctly configured origin group:
{
  "probePath": "/api/health",
  "probeProtocol": "Http",
  "probeRequestType": "GET",
  "probeIntervalInSeconds": 30
}

Deployment & Operations

Configuration Management Scripts

QI3IX maintains automated PowerShell scripts for Front Door configuration and auditing:

configure_frontdoor_complete.ps1

  • Location: scripts/azure/configure_frontdoor_complete.ps1
  • Purpose: Complete Front Door configuration automation
  • Operations: Update health probes, create origin groups, create 54 routes

This script handles all Front Door configuration in three phases: (1) updates 6 origin groups to use /api/health, (2) creates holding-page-origin-group, (3) creates 54 individual routes with domain mappings.

audit_frontdoor_routes.ps1

  • Location: scripts/azure/audit_frontdoor_routes.ps1
  • Purpose: Verify route configuration and health probe settings
  • Operations: List all routes, check health probes, validate domain mappings

Post-Deployment Validation Checklist

Common Troubleshooting Scenarios

Issue: 503 Service Unavailable on Custom Domain

Root Cause: Front Door marked origin unhealthy

Resolution Steps:

  1. Test origin health directly: curl https://[app].azurewebsites.net/api/health
  2. Verify returns 200 OK
  3. Check Front Door origin health state in Azure Portal
  4. Review Front Door health probe configuration (path, protocol, interval)
  5. Wait 30-60 seconds for Front Door to re-probe

Issue: Deployment Succeeds, Site Still 503

Root Cause: Front Door hasn't completed a successful health probe yet

Resolution: Wait 30-60 seconds for Front Door probe interval, then verify origin health in Azure Portal

Performance Optimization & Scaling

Global CDN Coverage

Azure Front Door operates from 100+ edge locations worldwide. When a user requests content, Front Door routes the request to the nearest edge location, significantly reducing latency. Static assets (images, CSS, JavaScript) are cached at the edge, reducing load on backend servers and improving response times.

  • Edge Locations Worldwide: 100+
  • Average Edge Latency: < 50ms
  • Cache Hit Ratio: 70-90%
  • SLA Uptime Guarantee: 99.99%

Scaling Strategies

Security Architecture

SSL/TLS Management

Front Door manages SSL certificates for all 54 custom domains automatically. Certificates are provisioned via Azure's partnership with DigiCert and auto-renew before expiration. This eliminates manual certificate management overhead.

SSL Certificate Benefits

  • Automatic provisioning for all custom domains
  • Auto-renewal 45 days before expiration
  • No manual certificate uploads or configuration
  • TLS 1.2+ enforcement (no legacy protocols)
  • HTTP to HTTPS 301 redirect (automatic)

DDoS Protection

Azure Front Door Premium SKU includes Azure DDoS Protection Standard at no additional cost. This provides always-on traffic monitoring and automatic mitigation of common network-layer attacks (SYN floods, UDP floods, reflection attacks).

Web Application Firewall (WAF) - Future Enhancement

The Premium SKU supports Azure WAF for application-layer protection (SQL injection, XSS, etc.). This can be enabled in future phases as traffic patterns and security requirements evolve.

Cost Structure & Optimization

Pricing Components

| Component | Pricing Model | Estimated Monthly Cost |
|---|---|---|
| Front Door Profile (Premium) | Fixed monthly fee | ~$35 base |
| Data Transfer (Outbound) | Per GB transferred to internet | Varies by traffic volume |
| Custom Domains (54 total) | Included (no per-domain fee) | $0 |
| SSL Certificates (54 total) | Included (Azure-managed certs) | $0 |
| Health Probes | Included in base fee | $0 |

Cost Optimization Tips

  • Maximize CDN caching to reduce data transfer costs
  • Use compression for text-based content (HTML, CSS, JS, JSON)
  • Optimize image sizes before uploading
  • Monitor data transfer metrics in Azure Portal
  • Set appropriate cache-control headers on static assets

Documentation & Resources

QI3IX Internal Documentation

  • AZURE_FRONTDOOR_INVENTORY.md: Complete inventory of 54 domains and 14 origin groups
  • FRONTDOOR_CONFIGURATION_SUMMARY.md: Detailed implementation guide with verification steps
  • FRONTDOOR_QUICKSTART.md: Quick reference guide for common operations
  • azure_frontdoor_deployment_rules.instructions.md: Deployment rules and health probe requirements

Microsoft Azure Documentation
