With the newly released Azure Front Door I was eager to see how it compares to Cloudflare in terms of performance and functionality. I previously moved my blog to Cloudflare https://msandbu.org/moved-my-blog-to-cloudflare/ which means that they handle all the frontend traffic to the blog. Cloudflare has multiple Points-of-presence around the world, which allows incoming traffic to my website to be served from the closest available PoP. Cloudflare also has a pretty extensive list of built-in functionality and provides DNS (one of the fastest, actually).
NOTE: Regardless of whether Cloudflare or Front Door is in front of your service, the origin is still just another public endpoint, and your backend should be locked down to only allow traffic from the solution you place in front of it.
Cloudflare has over 180 PoPs around the world. I can verify that I’m connected to the closest PoP by going to my website and opening the URL http://msandbu.org/cdn-cgi/trace: the COLO value is ARN, which means Stockholm.
To see which PoP is closest, you can look it up on the status website https://www.cloudflarestatus.com/?_ga=2.20437688.1412901568.1561974437-d869f492a9d768ea72354dbde0969a23 It is a bit weird, seeing that I’m closer to the PoP in Oslo, but that might be how routing at my ISP is configured.
Now Microsoft has also released a similar solution called Azure Front Door, which provides much of the same functionality. Front Door works at Layer 7 (HTTP/HTTPS) and uses anycast with split TCP and Microsoft’s global network to improve global connectivity. Azure Front Door Service supports dynamic site acceleration (DSA), SSL offloading and end-to-end SSL, Web Application Firewall, cookie-based session affinity, URL path-based routing, free certificates and multiple domain management. Front Door can also benefit from all the PoPs that Microsoft has as part of its core network; you can see the list of PoPs here –> https://docs.microsoft.com/azure/cdn/cdn-pop-locations
Through the routing method you select in the configuration, you can ensure that Front Door routes client requests to the fastest and most available application backend. An application backend in Front Door is any Internet-facing service hosted inside or outside of Azure (NOTE: it does not support internal services, so virtual machines or an ASE need to be publicly available for Front Door to reach them). Cloudflare does not have any direct integration with Azure, but can support an endpoint as long as it is public.
So what about Traffic Manager compared to Front Door?
Traffic Manager is a DNS-based proximity load balancing solution, and since it works at the DNS level it can also work for other protocols. Front Door is only for web traffic and not for other TCP/UDP-based protocols.
What about Application Gateway and Load Balancer?
Azure Load Balancer provides load balancing to a service based upon simple L4 rules (TCP/port/protocol); it is bound to a single region and does not provide the CDN capabilities needed for low-latency connections to the backend. You can call it a blunt instrument for providing load balanced services. Application Gateway provides Layer 7 load balancing for web services, but again does not provide the same CDN capabilities as Front Door, and it can reside inside a virtual network. Both Application Gateway and Load Balancer can be used in conjunction with Front Door or Cloudflare for geo-based load balancing of traffic: Front Door can load balance between your different scale units/clusters/stamp units across regions, while Application Gateway lets you load balance between the VMs/containers etc. within the scale unit.
When it comes to monitoring, Microsoft has very few monitoring options besides the metrics that are available as part of the solution and the integration with Azure Log Analytics for logging of connections. You can see the metrics and logs that are stored here –> https://docs.microsoft.com/en-us/azure/frontdoor/front-door-diagnostics It is, however, not possible to see for instance how much data is cached or which protocols are used for the connection. You can, however, see which TLS protocol version is used as part of the connection.
NOTE: If you want to purge the cached data from Front Door you need to use the Azure CLI: az network front-door purge-endpoint --resource-group [rgname] --name [frontdoorname] --content-paths "/" (or the corresponding purge button in the portal).
Cloudflare has a somewhat better monitoring solution and overview of what’s actually going on, giving insight into traffic, requests, cached data, country of connections, blocked connections and so on.
Now, one thing both of them are missing is a good way to monitor availability of the site itself and send a notification if the main site is down. So in order to have end-to-end monitoring you would need to use some form of third-party service to ensure availability of your website.
Lockdown and security
Azure Front Door comes with the option to do geo-lockdown using the Azure CLI –> https://docs.microsoft.com/en-us/azure/frontdoor/front-door-geo-filtering and by default uses HTTP/2 for all communication (if supported by the client), but Front Door does not support HSTS or TLS 1.3 and you cannot define a custom SSL cipher list.
Azure Front Door can also be configured with a WAF (Web Application Firewall) using a predefined rule set, or you can define custom rules (https://docs.microsoft.com/en-us/azure/frontdoor/waf-front-door-custom-rules), which you can again monitor using Log Analytics with a query such as:
AzureDiagnostics | where ResourceType == "FRONTDOORS" and Category == "FrontdoorWebApplicationFirewallLog" | where action_s == "Block"
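The same filter the KQL query above applies can be run offline over an export of the diagnostic rows, which is handy when you want to check what the WAF blocked without a workspace at hand. The following is an added example, not code from the post or from Microsoft: it parses a handful of constructed JSON-per-line records shaped like AzureDiagnostics rows, keeps only Front Door WAF rows with action Block (exactly the KQL condition), and aggregates them by rule and client IP. Only action_s is taken from the post; the column names ruleName_s, clientIp_s and requestUri_s are assumed here, as are all sample values.

```python
import json
from collections import Counter

# Constructed sample rows shaped like AzureDiagnostics records (not real log
# data). Column names follow the Log Analytics convention of suffixing string
# columns with _s; action_s is the one used in the post, the others are assumed.
SAMPLE_LOG_LINES = [
    json.dumps({"ResourceType": "FRONTDOORS", "Category": "FrontdoorWebApplicationFirewallLog",
                "action_s": "Block", "ruleName_s": "DefaultRuleSet-1.0-SQLI-942100",
                "clientIp_s": "198.51.100.7", "requestUri_s": "/?id=1%20OR%201%3D1"}),
    json.dumps({"ResourceType": "FRONTDOORS", "Category": "FrontdoorWebApplicationFirewallLog",
                "action_s": "Log", "ruleName_s": "DefaultRuleSet-1.0-XSS-941100",
                "clientIp_s": "198.51.100.7", "requestUri_s": "/search?q=%3Cscript%3E"}),
    json.dumps({"ResourceType": "FRONTDOORS", "Category": "FrontdoorWebApplicationFirewallLog",
                "action_s": "Block", "ruleName_s": "DefaultRuleSet-1.0-SQLI-942100",
                "clientIp_s": "203.0.113.9", "requestUri_s": "/wp-login.php?user=%27"}),
    json.dumps({"ResourceType": "FRONTDOORS", "Category": "FrontdoorWebApplicationFirewallLog",
                "action_s": "Block", "ruleName_s": "GeoBlockOutsideNordics",
                "clientIp_s": "203.0.113.9", "requestUri_s": "/"}),
    # Access-log row: same resource type, different category, so the filter must skip it.
    json.dumps({"ResourceType": "FRONTDOORS", "Category": "FrontdoorAccessLog",
                "clientIp_s": "192.0.2.44", "requestUri_s": "/index.html",
                "httpStatusCode_s": "200"}),
]


def parse_rows(lines):
    """Parse a JSON-per-line export into dicts, skipping malformed lines."""
    rows = []
    for line in lines:
        try:
            rows.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return rows


def blocked_waf_events(rows):
    """Python equivalent of the KQL in the post: Front Door WAF rows with action Block."""
    return [r for r in rows
            if r.get("ResourceType") == "FRONTDOORS"
            and r.get("Category") == "FrontdoorWebApplicationFirewallLog"
            and r.get("action_s") == "Block"]


def summarize_blocks(rows):
    """Aggregate blocked events by rule and by client IP (what you'd chart in a workbook)."""
    blocked = blocked_waf_events(rows)
    return {
        "total": len(blocked),
        "by_rule": Counter(r.get("ruleName_s", "unknown") for r in blocked),
        "by_client": Counter(r.get("clientIp_s", "unknown") for r in blocked),
    }


if __name__ == "__main__":
    summary = summarize_blocks(parse_rows(SAMPLE_LOG_LINES))
    print(f"blocked requests: {summary['total']}")
    for rule, n in summary["by_rule"].most_common():
        print(f"  rule {rule}: {n}")
    for ip, n in summary["by_client"].most_common():
        print(f"  client {ip}: {n}")
```

On the constructed input this reports three blocks, two of them from the same client, which is the kind of repeat-offender view that a custom rate-limit or geo rule in the WAF would then be tuned against.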
Cloudflare has similar functionality with its own WAF features and custom rules, but with some more advanced options such as JS challenge or Captcha, while Front Door has block, log or redirect actions. Cloudflare also provides unlimited DDoS protection. The Front Door platform itself is protected by Azure DDoS Protection Basic; for further protection, Azure DDoS Protection Standard needs to be enabled on your VNETs, which has a pretty high cost.
NOTE: To lock down access to the backend when using Azure Front Door you just need to define access rules for the following IP addresses.
- Front Door’s IPv4 backend IP space:
- Front Door’s IPv6 backend IP space:
- Azure’s basic infrastructure services through virtualized host IP addresses:
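The lockdown above is normally done with network security groups or the app service's access restrictions, but the same decision can be expressed in the origin itself, which also makes it testable. The following is an added example and not code from the post or from Microsoft. It goes one step beyond the IP allowlist the post describes: because the Front Door backend IP space is shared by every Front Door instance, the example additionally checks the X-Azure-FDID request header (which Front Door adds and which carries the instance's Front Door ID) against the expected value. The IP ranges and the Front Door ID are placeholders, since the post lists the ranges without values; replace them with the ranges Microsoft publishes and your own ID.

```python
import hmac
import ipaddress

# Placeholder allowlist. The post names the Front Door IPv4/IPv6 backend space
# and the Azure virtualized host address but gives no values, so RFC 5737 /
# RFC 3849 documentation networks stand in here. Replace with the published ranges.
FRONT_DOOR_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),      # placeholder: Front Door IPv4 backend space
    ipaddress.ip_network("2001:db8:f00d::/48"),  # placeholder: Front Door IPv6 backend space
    ipaddress.ip_network("192.0.2.16/32"),       # placeholder: Azure virtualized host address
]

# Placeholder Front Door instance ID; the real one is shown on your Front Door
# resource and is what Front Door sends in the X-Azure-FDID header.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def is_allowed_source(remote_addr):
    """True if the connecting IP (v4 or v6) lies inside one of the allowed ranges."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False          # garbage in the peer address is never allowed
    return any(addr in net for net in FRONT_DOOR_SOURCES)


def is_front_door_request(remote_addr, headers, expected_fdid=EXPECTED_FDID):
    """Accept only when both checks pass: the TCP peer is in the Front Door
    backend ranges AND X-Azure-FDID matches our own Front Door ID. The IP
    check alone would admit traffic relayed through anyone's Front Door."""
    if not is_allowed_source(remote_addr):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    fdid = lowered.get("x-azure-fdid", "")
    return hmac.compare_digest(fdid, expected_fdid)


def decide(remote_addr, headers):
    """HTTP status the origin should answer with for this peer/header combination."""
    return 200 if is_front_door_request(remote_addr, headers) else 403


if __name__ == "__main__":
    # Constructed requests: via our Front Door, direct to origin, direct with a
    # forged header, and via a Front Door with someone else's ID.
    samples = [
        ("203.0.113.25", {"X-Azure-FDID": EXPECTED_FDID, "Host": "msandbu.org"}),
        ("198.51.100.9", {"Host": "msandbu.org"}),
        ("198.51.100.9", {"X-Azure-FDID": EXPECTED_FDID}),
        ("2001:db8:f00d::1", {"x-azure-fdid": "11111111-1111-1111-1111-111111111111"}),
    ]
    for ip, hdrs in samples:
        print(f"{ip:>18} -> {decide(ip, hdrs)}")
```

Only the first constructed request gets a 200; a forged header from outside the ranges, and a genuine Front Door peer carrying a different instance ID, are both refused. In production the peer address must be the actual TCP peer, not a value taken from X-Forwarded-For, since that header is client-controlled before it reaches Front Door.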
What About Automation?
Now since Front Door is an Azure service it comes supported by Azure Resource Manager; however Cloudflare also has extensive APIs and a Terraform module –> https://www.terraform.io/docs/providers/cloudflare/index.html which allows for automating the setup.
Looking into how Front Door is priced, it is quite a complex rule set: there is a charge for outbound data transfer, routing rules and inbound data transfer, and on top of that comes the WAF pricing.
As an example, take a site which generates 10 TB of outbound traffic and 1 TB of inbound traffic. It would cost us $1700 outbound + $10 inbound + $21.9 for routing rules = $1731 per month.
Cloudflare doesn’t base its pricing on bandwidth usage, but rather on different editions with a base price.