KatareAshish-1107 asked GitaraniSharmaMSFT-4262 commented

Azure FrontDoor DNS resolution

I am new to Azure and couldn't find the answer below in the Microsoft documentation, so I am trying here.

How does Azure Front Door resolve DNS or resolve an IP as a Global Edge service? For example, if I have the domain name xyz.com exposed through Front Door and it is being pinged from Europe vs. the USA vs. Canada.

I am dealing with some data privacy issues, so I don't want my Europe traffic to come to a USA Front Door and then be resolved back to go to Europe.
Is there any documentation related to this, or any insight into how Front Door works internally?

Would it matter where Front Door is created first vs. which regions it routes traffic to?

Appreciate the time.

azure-front-door

Hello @KatareAshish-1107 ,

You may refer to the article below to understand the Azure Front Door routing architecture and how it works:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-routing-architecture

Do let me know if you have any follow-up questions after this.

Thanks,
Gita


@GitaraniSharmaMSFT-4262 Yes, I have gone through that article, but I am not clear on the points below:

  1. How does the DNS client resolve the forward lookup (hostname to IP address)?

  2. The request to the ISP during the recursive query: how does this happen while the request is being sent to different name servers?

The questions are to clarify our data privacy issues while keeping one global Azure Front Door that would route the traffic to multiple regions (Europe, USA, Canada).

If I have a custom name like abc.com which is mapped to the Azure Front Door endpoint https://abc.azurefd.net internally,
when a client from Europe calls the endpoint abc.com, how does Azure make sure the call goes to the Azure Front Door service in Europe only, and that it won't go to the USA for the initial DNS lookup, getting the IP address, etc.?

I know it is a global service and this is one of the basic use cases, but I am trying to understand how it works so we can be sure that we won't breach any data privacy requirements.



Hello @KatareAshish-1107 ,

I am not sure if such information is shared publicly, since it involves the internal architecture, but let me reach out to the Front Door PG team and get some clarity around it. I will keep you posted on the updates.

Thanks,
Gita


1 Answer

GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @KatareAshish-1107 ,

I'm unable to share the internal architecture or workflow of Azure Front Door; however, below is the update I received from the AFD PG team:

Resolution for both DNS and HTTP (the portions of both that are in Microsoft's control) routes via Anycast, which means they will resolve to the closest Microsoft edge location, as mentioned here. While this creates a very high likelihood of geo-regional traffic (e.g. Europe will resolve to European DNS and CDN servers), there is no strict guarantee around this.

If you need 100% strict geo-isolation, then it cannot be guaranteed by Front Door (or any other CDN, for that matter) today. We have a roadmap feature to support this, but it is not short term.

One workaround that I can think of at the moment would be to use Azure Traffic Manager (since you can use the Geographic traffic routing method in Traffic Manager to comply with local data sovereignty mandates which require that users from a specific region be served only by endpoints in that region) and Azure Front Door in parallel to serve all traffic for your application, as described in the article below:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite#building-with-azures-application-delivery-suite

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
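The Traffic Manager workaround above depends on the Geographic routing method picking the endpoint mapped to the most specific region that contains the client's location, and answering nothing when no endpoint matches. The following is an added example, not code from Microsoft or from this thread, that models that selection over a constructed subset of the geographic hierarchy and adds a residency check a reviewer can run against a planned endpoint map; the region codes, endpoint names and the "no match, no answer" behaviour are assumptions for the demo.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed subset of the Traffic Manager geographic hierarchy (child -> parent).
# GEO-EU / GEO-NA / GEO-SA / WORLD follow Traffic Manager's region codes; the real
# hierarchy is far larger and this subset is an assumption for the demo.
PARENT: Dict[str, Optional[str]] = {
    "WORLD": None, "GEO-EU": "WORLD", "GEO-NA": "WORLD", "GEO-SA": "WORLD",
    "DE": "GEO-EU", "FR": "GEO-EU", "IE": "GEO-EU",
    "US": "GEO-NA", "CA": "GEO-NA", "BR": "GEO-SA",
}

# Constructed endpoint maps: endpoint name -> regions it is mapped to. The names are
# placeholders for the per-region ingress hostnames you would register in Traffic Manager.
ENDPOINTS_STRICT: Dict[str, List[str]] = {"eu-ingress": ["GEO-EU"], "na-ingress": ["GEO-NA"]}
ENDPOINTS_WITH_CATCH_ALL: Dict[str, List[str]] = {
    "eu-ingress": ["GEO-EU"],
    "na-ingress": ["GEO-NA", "WORLD"],  # WORLD only catches locations no other endpoint claims
}

def resolve_geographic(endpoints: Dict[str, List[str]], client_geo: str) -> Optional[str]:
    """Return the endpoint mapped to the most specific region containing client_geo.
    Walks DE -> GEO-EU -> WORLD; the first level with a mapped endpoint wins. Unlike
    Anycast 'nearest edge', a location nobody has mapped gets no answer (fail closed).
    """
    node: Optional[str] = client_geo
    while node is not None:
        for name, regions in endpoints.items():
            if node in regions:
                return name
        node = PARENT[node]
    return None

def residency_violations(endpoints: Dict[str, List[str]], client_geos: Iterable[str],
                         allowed: Iterable[str]) -> List[Tuple[str, str]]:
    """List (client_geo, endpoint) pairs where a client would be served outside `allowed`.
    A None answer is an outage rather than a leak, so it is not reported here."""
    allowed_set = set(allowed)
    bad: List[Tuple[str, str]] = []
    for geo in client_geos:
        target = resolve_geographic(endpoints, geo)
        if target is not None and target not in allowed_set:
            bad.append((geo, target))
    return bad

if __name__ == "__main__":
    for geo in ("DE", "US", "BR"):
        print(geo, "strict ->", resolve_geographic(ENDPOINTS_STRICT, geo),
              "| catch-all ->", resolve_geographic(ENDPOINTS_WITH_CATCH_ALL, geo))
    print("EU violations:", residency_violations(ENDPOINTS_WITH_CATCH_ALL, ("DE", "FR", "IE"), ["eu-ingress"]))
```

The residency check is what makes the difference visible: a map with only a WORLD catch-all passes EU clients to that catch-all, while a map with a GEO-EU endpoint keeps them in Europe even when a catch-all exists.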



Thank you @GitaraniSharmaMSFT-4262.

One more clarification: Azure Front Door doesn't support mutual TLS, as per the below:

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#can-i-use-client-mutual-authentication-with-azure-front-door-

How do I terminate SSL at Azure Front Door itself, so that my subsequent layers save encryption/decryption time?
Any suggestions on dealing with SSL at Front Door itself?


Hello @KatareAshish-1107 ,

Yes, Azure Front Door doesn't support mutual TLS auth as of today, but it is on the roadmap. You can upvote the feature request in the forum below:
https://feedback.azure.com/forums/217313-networking/suggestions/37546810-frontdooor-tls-mutual-authentication-x-arr-cli

However, Azure Front Door supports TLS/SSL offload and end-to-end TLS. Since the connections to the backend happen over the public IP, it's recommended that you configure your Front Door to use HTTPS as the forwarding protocol.
You can configure SSL offload by following the article below:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https

Thanks,
Gita Sharma


@GitaraniSharmaMSFT-4262
Thank you for your response.
We have APIM instances as a backend to this Azure Front Door through routing rules in Front Door. Is it okay if we configure mutual authentication in the APIM layer?


Hello @KatareAshish-1107 ,

Since Azure Front Door doesn't support mutual auth at the moment, keeping it in the data path with mutual auth in the APIM layer will be a limiting factor. So I would advise against it.
In case you are not using Azure Front Door and are opting for Application Gateway, then we do have a public preview of the mutual auth feature available for Application Gateway to try. However, that may lead to another limitation for you, depending upon your traffic and feature requirements.

Thanks,
Gita


@GitaraniSharmaMSFT-4262
We are using Azure Front Door something like the below:

client --> Front Door --> APIM --> Application Gateway --> backend services

Where do you suggest we implement mutual SSL, and why? I am thinking of offloading SSL in the APIM layer.


@KatareAshish-1107, is your question where to implement SSL offloading, or mutual SSL auth?

Like I mentioned before, the mutual SSL/TLS authentication feature is not available in Azure Front Door.

If you are referring to SSL offloading, you can do so at both Azure Front Door and Azure Application Gateway, depending upon your requirement. I'm not much familiar with APIM, so I would not be able to provide much insight on it.

