Azure Proactive Resiliency Library v2

profiles

Summary

Recommendation | Impact | Category | Automation Available | PG Verified
Avoid combining Traffic Manager and Front Door | High | Business Continuity | Yes | Verified
Restrict traffic to your origins | High | Security | No | Verified
Use the latest API version and SDK version | Medium | Scalability | No | Verified
Configure logs | Medium | Monitoring and Alerting | No | Verified
Use end-to-end TLS | High | Security | Yes | Verified
Use HTTP to HTTPS redirection | High | Security | Yes | Verified
Use managed TLS certificates | High | Security | No | Verified
Use latest version for customer-managed certificates | Medium | High Availability | No | Verified
Use the same domain name on Front Door and your origin | Medium | Governance | No | Verified
Enable the WAF | Medium | Security | Yes | Verified
Disable health probes when there is only one origin in an origin group | Low | High Availability | Yes | Verified
Select good health probe endpoints | Medium | High Availability | No | Verified
Use HEAD health probes | Medium | Scalability | No | Verified
Use geo-filtering in Azure Front Door | Medium | Security | No | Verified
Secure your Origin with Private Link in Azure Front Door | Medium | Security | No | Verified
Avoid using Classic Azure Front Door | High | Service Upgrade and Retirement | No | Preview

Details


Avoid combining Traffic Manager and Front Door

Impact: High | Category: Business Continuity | PG Verified: Verified

APRL GUID:  9437634c-d69e-2747-b13e-631c13182150

Description:

For most solutions, choose either Azure Front Door for content caching, CDN, TLS termination, and WAF, or Traffic Manager for simple global load balancing.

Potential Benefits:

Optimized network routing and security
Learn More:
Azure Load Balancing Options
Azure Traffic Manager
Azure Front Door
Mission-critical global content delivery

ARG Query:


// Azure Resource Graph Query
// Avoid combining Traffic Manager and Front Door
// Flags Traffic Manager profiles that have an endpoint whose target host name is a
// Front Door endpoint host name or a Front Door custom domain.
resources
| where type == "microsoft.network/trafficmanagerprofiles"
// one row per Traffic Manager endpoint; the endpoint's target host name is the join key
| mvexpand(properties.endpoints)
| extend endpoint=tostring(properties_endpoints.properties.target)
| project name, trafficmanager=id, matchname=endpoint, tags
| join (
    // Front Door endpoint host names, keyed by the parent profile id
    resources
    | where type =~ "microsoft.cdn/profiles/afdendpoints"
    | extend matchname= tostring(properties.hostName)
    | extend splitid=split(id, "/")
    // the resource id segments up to the profile name identify the parent Front Door profile
    | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
    | project name, id, matchname, frontdoorid, type
    | union
        // plus custom domains attached to Front Door profiles
        (cdnresources
        | where type =~ "Microsoft.Cdn/Profiles/CustomDomains"
        | extend matchname= tostring(properties.hostName)
        | extend splitid=split(id, "/")
        | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
        | project name, id, matchname, frontdoorid, type)
    )
    on matchname
| project
    recommendationId = "9437634c-d69e-2747-b13e-631c13182150",
    name=split(trafficmanager, "/")[-1],
    id=trafficmanager,
    tags,
    param1=strcat("hostname:", matchname),
    param2=strcat("frontdoorid:", frontdoorid)



Restrict traffic to your origins

Impact: High | Category: Security | PG Verified: Verified

APRL GUID:  6c40b7ae-2bea-5748-be1a-9e9e3b834649

Description:

Front Door's features perform as intended only when all traffic comes through Front Door. Configure your origin to reject any traffic that bypasses Front Door.

Potential Benefits:

Enhances security and performance
Learn More:
Secure traffic to Azure Front Door origins

ARG Query:


// under-development
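As an added origin-side example (not part of the APRL page and not Front Door product code): a minimal WSGI application that serves a request only when it carries the X-Azure-FDID header, which Front Door adds to every request it forwards, with the value matching the expected Front Door ID. The ID below is a placeholder, and the sample requests in the `handle` helper are constructed.

```python
"""Origin-side check that a request arrived through the expected Azure Front Door.

Front Door adds the X-Azure-FDID header (the profile's Front Door ID) to every
request it forwards to an origin. The ID value here is a placeholder; copy the
real one from your Front Door profile and load it from configuration in practice.
"""
from typing import Mapping, Tuple

# Placeholder (constructed), not a real Front Door ID.
EXPECTED_FRONT_DOOR_ID = "00000000-0000-0000-0000-000000000000"


def is_from_front_door(headers: Mapping[str, str], expected_id: str = EXPECTED_FRONT_DOOR_ID) -> bool:
    """Return True only if X-Azure-FDID is present and equals the expected ID exactly.

    Header names are matched case-insensitively; the value is compared exactly so
    that a prefix, suffix or empty variant of the ID does not pass.
    """
    for name, value in headers.items():
        if name.lower() == "x-azure-fdid":
            return value.strip() == expected_id
    return False


def application(environ, start_response):
    """Minimal WSGI app: reject traffic that did not come through our Front Door.

    WSGI exposes request headers as HTTP_<NAME> keys in `environ`.
    """
    headers = {
        key[5:].replace("_", "-"): value
        for key, value in environ.items()
        if key.startswith("HTTP_")
    }
    if not is_from_front_door(headers):
        # Direct access to the origin host name (bypassing Front Door) is refused.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"direct access to origin is not allowed\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served via Front Door\n"]


def handle(environ) -> Tuple[str, bytes]:
    """Run the WSGI app on a constructed environ and return (status line, body)."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(application(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Local demo: requests without the header get 403, with the right header get 200.
    make_server("127.0.0.1", 8080, application).serve_forever()
```

The header check distinguishes your profile from other Front Door customers whose traffic leaves the same Front Door address ranges, so pair it with a network-level restriction on the origin (allowing only Front Door traffic, or using Private Link as the later recommendation on this page describes) rather than relying on the header alone.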



Use the latest API version and SDK version

Impact: Medium | Category: Scalability | PG Verified: Verified

APRL GUID:  52bc9a7b-23c8-bc4c-9d2a-7bc43b50104a

Description:

When working with Azure Front Door through APIs, ARM templates, Bicep, or SDKs, using the latest API or SDK version is crucial. Updates bring new functions, important security patches, and bug fixes.

Potential Benefits:

Enhanced security and features
Learn More:
REST API Reference
Client library for Java
SDK for Python

ARG Query:


// under-development



Configure logs

Impact: Medium | Category: Monitoring and Alerting | PG Verified: Verified

APRL GUID:  1ad74c3c-e3d7-0046-b83f-a2199974ef15

Description:

Front Door logs provide detailed telemetry for every request. They are essential for understanding how your solution performs and responds, especially when caching is enabled, because requests served from the cache are never seen by your origin servers.

Potential Benefits:

Enhanced insights and solution monitoring
Learn More:
Monitor metrics and logs in Azure Front Door
WAF logs
Configure Azure Front Door logs

ARG Query:


// under-development



Use end-to-end TLS

Impact: High | Category: Security | PG Verified: Verified

APRL GUID:  d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1

Description:

Front Door terminates TCP and TLS connections from clients and establishes new connections from each PoP to the origin. Securing these connections with TLS, even for Azure-hosted origins, ensures data is always encrypted during transit.

Potential Benefits:

Ensures data encryption in transit
Learn More:
End-to-end TLS with Azure Front Door

ARG Query:


// Azure Resource Graph Query
// Use end-to-end TLS
cdnresources
| where type == "microsoft.cdn/profiles/afdendpoints/routes"
| extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols
| project id,name,forwardingProtocol,supportedProtocols,tags
| where forwardingProtocol !~ "httpsonly" or supportedProtocols has "http"
| project recommendationId= "d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1", name,id,tags,param1=strcat("forwardingProtocol:",forwardingProtocol),param2=strcat("supportedProtocols:",supportedProtocols)



Use HTTP to HTTPS redirection

Impact: High | Category: Security | PG Verified: Verified

APRL GUID:  24ab9f11-a3e4-3043-a985-22cf94c4933a

Description:

Using HTTPS is ideal for secure connections. However, for compatibility with older clients, HTTP requests may be necessary. Azure Front Door enables auto redirection of HTTP to HTTPS, enhancing security without sacrificing accessibility.

Potential Benefits:

Enhances security and compliance
Learn More:
Create HTTP to HTTPS redirect rule

ARG Query:


// Azure Resource Graph Query
// Use HTTP to HTTPS redirection
cdnresources
| where type == "microsoft.cdn/profiles/afdendpoints/routes"
| extend httpsRedirect=tostring(properties.httpsRedirect)
| project id,name,httpsRedirect,tags
| where httpsRedirect !~ "enabled"
| project recommendationId= "24ab9f11-a3e4-3043-a985-22cf94c4933a", name,id,tags,param1=strcat("httpsRedirect:",httpsRedirect)
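As an added example (not APRL code) serving both the "Use end-to-end TLS" and "Use HTTP to HTTPS redirection" recommendations: a Python reproduction of the conditions in the two Resource Graph queries, so the same checks can be run offline against route records exported from Resource Graph. The records are constructed samples shaped like the `properties` of microsoft.cdn/profiles/afdendpoints/routes; their ids and names are placeholders.

```python
"""Offline evaluation of exported Front Door route records against the two TLS rules.

Mirrors the KQL conditions:
  end-to-end TLS : forwardingProtocol !~ "httpsonly" or supportedProtocols has "http"
  HTTPS redirect : httpsRedirect !~ "enabled"
KQL's !~ is case-insensitive and `has` matches whole terms (so "Https" does not
match "http"); the Python comparisons below are lower-cased and exact for the same
reason. Sample records are constructed; ids are placeholders.
"""
from typing import Dict, List

RECOMMENDATION_E2E_TLS = "d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1"
RECOMMENDATION_HTTPS_REDIRECT = "24ab9f11-a3e4-3043-a985-22cf94c4933a"

# Constructed sample routes: one compliant, two non-compliant (placeholder ids).
SAMPLE_ROUTES: List[Dict] = [
    {"id": "/placeholder/profiles/p1/afdEndpoints/e1/routes/web", "name": "web",
     "properties": {"forwardingProtocol": "HttpsOnly",
                    "supportedProtocols": ["Https"],
                    "httpsRedirect": "Enabled"}},
    {"id": "/placeholder/profiles/p1/afdEndpoints/e1/routes/api", "name": "api",
     "properties": {"forwardingProtocol": "MatchRequest",      # origin may be reached over HTTP
                    "supportedProtocols": ["Http", "Https"],
                    "httpsRedirect": "Enabled"}},
    {"id": "/placeholder/profiles/p1/afdEndpoints/e1/routes/legacy", "name": "legacy",
     "properties": {"forwardingProtocol": "HttpsOnly",
                    "supportedProtocols": ["Http", "Https"],   # accepts plain HTTP from clients
                    "httpsRedirect": "Disabled"}},            # and does not redirect it
]


def violates_end_to_end_tls(route: Dict) -> bool:
    """True when the route may talk to the origin over HTTP or accept HTTP from clients."""
    props = route.get("properties", {})
    forwarding = str(props.get("forwardingProtocol", "")).lower()
    supported = {str(p).lower() for p in props.get("supportedProtocols", [])}
    return forwarding != "httpsonly" or "http" in supported


def violates_https_redirect(route: Dict) -> bool:
    """True when HTTP-to-HTTPS redirection is not enabled on the route."""
    value = str(route.get("properties", {}).get("httpsRedirect", "")).lower()
    return value != "enabled"


def findings(routes: List[Dict]) -> List[Dict]:
    """One finding per violated rule, in the shape the APRL queries project."""
    out = []
    for route in routes:
        props = route.get("properties", {})
        if violates_end_to_end_tls(route):
            out.append({
                "recommendationId": RECOMMENDATION_E2E_TLS,
                "name": route["name"], "id": route["id"],
                "param1": f"forwardingProtocol:{props.get('forwardingProtocol')}",
                "param2": f"supportedProtocols:{props.get('supportedProtocols')}",
            })
        if violates_https_redirect(route):
            out.append({
                "recommendationId": RECOMMENDATION_HTTPS_REDIRECT,
                "name": route["name"], "id": route["id"],
                "param1": f"httpsRedirect:{props.get('httpsRedirect')}",
            })
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_ROUTES):
        print(finding)
```

The "api" route is the case that is easy to miss in the portal: clients are redirected to HTTPS, but MatchRequest lets a plain-HTTP client request be forwarded to the origin over HTTP, which is exactly what the end-to-end TLS rule catches.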



Use managed TLS certificates

Impact: High | Category: Security | PG Verified: Verified

APRL GUID:  29d65c41-2fad-d142-95eb-9eab95f6c0a5

Description:

When Front Door manages your TLS certificates, it reduces your operational costs and helps you to avoid costly outages caused by forgetting to renew a certificate. Front Door automatically issues and rotates the managed TLS certificates.

Potential Benefits:

Lowers costs, avoids outages
Learn More:
Configure HTTPS on an Azure Front Door custom domain using the Azure portal

ARG Query:


// under-development



Use latest version for customer-managed certificates

Impact: Medium | Category: High Availability | PG Verified: Verified

APRL GUID:  4638c2c0-03de-6d42-9e09-82ee4478cbf3

Description:

If you use your own TLS certificates, set the Key Vault certificate version to 'Latest' to avoid reconfiguring Azure Front Door for new certificate versions and waiting for deployment across Front Door's environments.

Potential Benefits:

Saves time and automates TLS updates
Learn More:
Select the certificate for Azure Front Door to deploy

ARG Query:


// under-development



Use the same domain name on Front Door and your origin

Impact: Medium | Category: Governance | PG Verified: Verified

APRL GUID:  cd6a32af-747a-e649-82a7-a98f528ca842

Description:

Front Door can rewrite the Host header when a custom domain name routes to a single origin, which avoids having to configure the custom domain at both Front Door and the origin.

Potential Benefits:

Improves session/auth handling
Learn More:
Preserve the original HTTP host name between a reverse proxy and its back-end web application

ARG Query:


// under-development



Enable the WAF

Impact: Medium | Category: Security | PG Verified: Verified

APRL GUID:  1bd2b7e8-400f-e64a-99a2-c572f7b08a62

Description:

For internet-facing applications, enable the Front Door web application firewall (WAF) and configure it to use the Microsoft-managed rule sets, which protect against a wide range of attacks.

Potential Benefits:

Enhances web app security
Learn More:
Web Application Firewall on Azure Front Door

ARG Query:


// Azure Resource Graph Query
// Enable the WAF
// Flags Front Door Standard/Premium profiles that have no security policy attached,
// or whose attached WAF policies have no managed rule set enabled.

resources
| where type =~ "microsoft.cdn/profiles" and sku has "AzureFrontDoor"
| project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name)
// security policies are child resources of the profile; rebuild the parent profile id from the resource id
| join kind= fullouter (
    cdnresources
    | where type == "microsoft.cdn/profiles/securitypolicies"
    | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id'])
    | extend splitid=split(id, "/")
    | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
    | project secpolname=name, cdnprofileid, wafpolicyid
    )
    on cdnprofileid
// keep the profile's tags here so the later summarize groups by the profile's tags, not the WAF policy's
| project name, cdnprofileid, secpolname, wafpolicyid, skuname, tags
// look up each referenced WAF policy and whether it has any managed rule set
| join kind = fullouter (
    resources
    | where type == "microsoft.network/frontdoorwebapplicationfirewallpolicies"
    | extend
        managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != "[]", true, false),
        enabledState = tostring(properties.policySettings.enabledState)
    | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags)
    )
    on wafpolicyid
| where name != ""
| summarize
    associatedsecuritypolicies=countif(secpolname != ""),
    wafswithmanagedrules=countif(managedrulesenabled == 1)
    by name, id=cdnprofileid, tags,skuname
| where associatedsecuritypolicies == 0 or wafswithmanagedrules == 0
| project
    recommendationId = "1bd2b7e8-400f-e64a-99a2-c572f7b08a62",
    name,
    id,
    todynamic(tags),
    param1 = strcat("associatedsecuritypolicies:", associatedsecuritypolicies),
    param2 = strcat("wafswithmanagedrules:", wafswithmanagedrules),
    param3 = strcat("skuname:",skuname)



Disable health probes when there is only one origin in an origin group

Impact: Low | Category: High Availability | PG Verified: Verified

APRL GUID:  38f3d542-6de6-a44b-86c6-97e3be690281

Description:

Front Door health probes help detect unavailable or unhealthy origins, directing traffic to alternate origins if needed.

Potential Benefits:

Reduces unnecessary origin traffic
Learn More:
Health probes

ARG Query:


// Azure Resource Graph Query
// Disable health probes when there is only one origin in an origin group
cdnresources
| where type =~ "microsoft.cdn/profiles/origingroups"
| extend healthprobe=tostring(properties.healthProbeSettings)
| project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe
| join (
    cdnresources
    | where type =~ "microsoft.cdn/profiles/origingroups/Origins"
    | extend origingroupname = tostring(properties.originGroupName)
    )
    on origingroupname
| summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != "") by origingroupname, id, tostring(tags), resourceGroup, subscriptionId
| where origincount == 1 and enabledhealthprobecount != 0
| project
    recommendationId = "38f3d542-6de6-a44b-86c6-97e3be690281",
    name=origingroupname,
    id,
    todynamic(tags),
    param1 = strcat("origincount:", origincount),
    param2 = strcat("enabledhealthprobecount:", enabledhealthprobecount)



Select good health probe endpoints

Impact: Medium | Category: High Availability | PG Verified: Verified

APRL GUID:  5225bba3-28ec-1e43-8986-7eedfd466d65

Description:

Consider selecting a webpage or location specifically designed for health monitoring as the endpoint for Azure Front Door's health probes. This should encompass the status of critical components like application servers, databases, and caches to serve production traffic efficiently.

Potential Benefits:

Improves traffic routing and uptime
Learn More:
Health Endpoint Monitoring pattern

ARG Query:


// under-development



Use HEAD health probes

Impact: Medium | Category: Scalability | PG Verified: Verified

APRL GUID:  5783defe-b49e-d947-84f7-d8677593f324

Description:

Health probes in Azure Front Door can use the GET or HEAD HTTP method. Using HEAD for health probes is the recommended practice: a HEAD response carries no body, so each probe is less resource-intensive and reduces the traffic load on your origins.

Potential Benefits:

Reduces traffic load on origins
Learn More:
Supported HTTP methods for health probes

ARG Query:


// under-development
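As an added example (not APRL code) serving both "Select good health probe endpoints" and "Use HEAD health probes": a small Python health endpoint that reports healthy only when every critical component check passes, and answers HEAD with the same status and headers but no body. The component checks are constructed stand-ins; a real service would replace them with bounded-time probes of its actual database, cache and so on. The path `/healthz` is an assumption.

```python
"""Health endpoint suitable as a Front Door health probe target.

Returns 200 only when all critical components are usable, 503 otherwise, and
supports HEAD so the probe can avoid transferring a body. The checks are
constructed placeholders; the /healthz path is an assumption.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, Tuple

HEALTH_PATH = "/healthz"

# Constructed dependency checks: each returns True when the component is usable.
# In a real service these would be cheap, time-bounded probes of the real component.
CHECKS: Dict[str, Callable[[], bool]] = {
    "app_server": lambda: True,
    "database": lambda: True,
    "cache": lambda: True,
}


def evaluate_health(checks: Dict[str, Callable[[], bool]]) -> Tuple[int, Dict[str, str]]:
    """Run every check and return (HTTP status, per-component report).

    Any failing or raising critical component makes the whole endpoint unhealthy
    (503), so Front Door stops routing production traffic to this origin.
    """
    report: Dict[str, str] = {}
    for name, check in checks.items():
        try:
            report[name] = "ok" if check() else "fail"
        except Exception as exc:  # a check that raises is a failure, not a crash of the probe
            report[name] = f"fail: {exc}"
    status = 200 if all(value == "ok" for value in report.values()) else 503
    return status, report


def health_response(path: str, checks, include_body: bool) -> Tuple[int, Dict[str, str], bytes]:
    """Build (status, headers, body); HEAD callers pass include_body=False."""
    if path != HEALTH_PATH:
        return 404, {"Content-Length": "0"}, b""
    status, report = evaluate_health(checks)
    body = json.dumps(report).encode()
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),  # advertised on HEAD too, per HTTP semantics
        "Cache-Control": "no-store",       # never let a cached answer mask an outage
    }
    return status, headers, (body if include_body else b"")


class HealthHandler(BaseHTTPRequestHandler):
    def _serve(self, include_body: bool) -> None:
        status, headers, body = health_response(self.path, CHECKS, include_body)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_GET(self) -> None:
        self._serve(include_body=True)

    def do_HEAD(self) -> None:
        self._serve(include_body=False)  # same status line and headers, no body

    def log_message(self, format, *args) -> None:  # keep probe traffic out of stdout
        return


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HealthHandler).serve_forever()
```

Keep the checks cheap and bounded: Front Door probes from many points of presence, so an endpoint that does expensive work on each probe turns the health check itself into load, which is the reason the page prefers HEAD in the first place.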



Use geo-filtering in Azure Front Door

Impact: Medium | Category: Security | PG Verified: Verified

APRL GUID:  b515690d-3bf9-3a49-8d38-188e0fd45896

Description:

Azure Front Door's geo-filtering through WAF enables defining custom access rules by country/region to restrict or allow web app access.

Potential Benefits:

Enhanced regional access control
Learn More:
Geo filter WAF policy - GeoMatch

ARG Query:


// under-development