Azure Front Door

Updated 14/04/2026

“Azure Front Door is a modern cloud content delivery network (CDN) service that delivers high performance, scalability, and secure user experiences for your content and applications.” - https://azure.microsoft.com/en-us/products/frontdoor

This post captures the Terraform setup I am using for Azure Front Door (Standard) in front of an Azure Container App, with custom domain + managed TLS.

Overview

The goal is to expose the app on demo.it.com through Front Door and force HTTPS everywhere:

  • Front Door profile SKU: Standard_AzureFrontDoor
  • Origin: Container App ingress FQDN
  • Custom domain TLS: ManagedCertificate (minimum TLS12)
  • Routing: /* with HttpsOnly forwarding and HTTP -> HTTPS redirect

Reference Terraform: https://github.com/carlpaton/deploying-dotnet-azure/blob/main/iac_example/front-door.tf

Architecture

Internet
   |
   v
demo.it.com (CNAME -> Front Door endpoint)
   |
   v
Azure Front Door (Standard_AzureFrontDoor)
   |- Profile: demo-afd-<group>-<env>
   |- Endpoint: demo-afd-<group>-<env>.azurefd.net
   |- Custom Domain demo.it.com (ManagedCertificate TLS12)
   |- Route: /*
   \- Origin Group demo-afd-<group>-<env>
        \- Origin: Azure Container App ingress FQDN

Terraform Resources

The configuration creates:

  • azurerm_cdn_frontdoor_profile (demo-afd)
  • azurerm_cdn_frontdoor_endpoint (demo-afd-ep)
  • azurerm_cdn_frontdoor_origin_group (demo-afd-og)
  • azurerm_cdn_frontdoor_origin (demo-afd-origin)
  • azurerm_cdn_frontdoor_custom_domain (demo-afd-cd)
  • azurerm_cdn_frontdoor_route (demo-afd-route)
  • azurerm_cdn_frontdoor_custom_domain_association (demo-afd-cda)
  • Outputs:
    • afd_endpoint_hostname
    • afd_custom_domain_validation_token

Key Configuration Details

Front Door Profile

  • sku_name = "Standard_AzureFrontDoor"
  • response_timeout_seconds = 120

Origin Group

  • session_affinity_enabled = false
  • restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10

Health probe:

  • interval_in_seconds = 100
  • path = "/"
  • protocol = "Https"
  • request_type = "HEAD"

Load balancing:

  • additional_latency_in_milliseconds = 0
  • sample_size = 4
  • successful_samples_required = 3

Origin (Container App)

  • host_name = azurerm_container_app.demo-aca.ingress[0].fqdn
  • origin_host_header = azurerm_container_app.demo-aca.ingress[0].fqdn
  • certificate_name_check_enabled = true
  • http_port = 80
  • https_port = 443
  • priority = 1
  • weight = 1000

Custom Domain + TLS

  • host_name = "demo.it.com"
  • certificate_type = "ManagedCertificate"
  • minimum_tls_version = "TLS12"

Route

  • forwarding_protocol = "HttpsOnly"
  • https_redirect_enabled = true
  • patterns_to_match = ["/*"]
  • supported_protocols = ["Http", "Https"]
  • link_to_default_domain = false
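
A check like the following, added here as an example and not taken from the referenced repository, reads the plan as JSON (terraform show -json tfplan) before terraform apply and reports any drift from the HTTPS settings listed above. It assumes nested blocks such as tls appear as one-element lists in the plan JSON; check_plan and SAMPLE_PLAN are hypothetical names and the sample plan is constructed.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json tfplan` output.
# The route deliberately uses MatchRequest so the check has something to report.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"type": "azurerm_cdn_frontdoor_route", "name": "demo-afd-route",
     "change": {"after": {"forwarding_protocol": "MatchRequest",
                          "https_redirect_enabled": True,
                          "supported_protocols": ["Http", "Https"]}}},
    {"type": "azurerm_cdn_frontdoor_custom_domain", "name": "demo-afd-cd",
     "change": {"after": {"tls": [{"certificate_type": "ManagedCertificate",
                                   "minimum_tls_version": "TLS12"}]}}},
    {"type": "azurerm_cdn_frontdoor_origin", "name": "demo-afd-origin",
     "change": {"after": {"certificate_name_check_enabled": True}}},
]})


def check_plan(plan_json):
    """Return a list of findings; an empty list means the plan matches."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        # "after" is null when the resource is being destroyed.
        after = (rc.get("change") or {}).get("after") or {}
        addr = f'{rc["type"]}.{rc["name"]}'
        if rc["type"] == "azurerm_cdn_frontdoor_route":
            if after.get("forwarding_protocol") != "HttpsOnly":
                findings.append(f"{addr}: forwarding_protocol is not HttpsOnly")
            if after.get("https_redirect_enabled") is not True:
                findings.append(f"{addr}: https_redirect_enabled is not true")
            elif "Http" not in (after.get("supported_protocols") or []):
                # The redirect can only fire if the route accepts plain HTTP.
                findings.append(f"{addr}: redirect enabled but Http not accepted")
        elif rc["type"] == "azurerm_cdn_frontdoor_custom_domain":
            tls = (after.get("tls") or [{}])[0]
            if tls.get("minimum_tls_version") != "TLS12":
                findings.append(f"{addr}: minimum_tls_version is not TLS12")
        elif rc["type"] == "azurerm_cdn_frontdoor_origin":
            if after.get("certificate_name_check_enabled") is not True:
                findings.append(f"{addr}: certificate_name_check_enabled is not true")
    return findings


if __name__ == "__main__":
    # Usage: python check_plan.py plan.json  (no argument: use the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(data)
    print("\n".join(problems) or "plan matches the HTTPS settings")
    sys.exit(1 if problems else 0)
```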

Prerequisites

  1. The Container App exists and has external ingress enabled.
  2. You can manage public DNS for the domain (for me: GoDaddy).
  3. Terraform is authenticated to Azure and targeting the correct subscription.

Deploy

cd iac_example
terraform init
terraform plan -out=tfplan
terraform apply tfplan

After apply:

  1. Front Door endpoint is created.
  2. Front Door returns the custom-domain validation token.
  3. You add DNS records.
  4. Managed cert is issued once validation succeeds.

DNS Records (GoDaddy)

Create these records after terraform apply:

Type    Name            Value
TXT     _dnsauth.demo   terraform output -raw afd_custom_domain_validation_token
CNAME   demo            terraform output -raw afd_endpoint_hostname

Get output values:

terraform output -raw afd_endpoint_hostname
terraform output -raw afd_custom_domain_validation_token

DNS Validation Checks

Check authoritative first (source of truth):

nslookup -type=CNAME demo.it.com ns23.domaincontrol.com
nslookup -type=TXT _dnsauth.demo.it.com ns23.domaincontrol.com

Then check public resolver propagation:

nslookup -type=CNAME demo.it.com 1.1.1.1
nslookup -type=TXT _dnsauth.demo.it.com 1.1.1.1

If authoritative looks correct but public resolvers do not, wait for propagation and retry.

Useful References