azurermFrontdoor
!> IMPORTANT This deploys an Azure Front Door (classic) resource which has been deprecated and will receive security updates only. Please migrate your existing Azure Front Door (classic) deployments to the new Azure Front Door (standard/premium) resources. For your convenience, the service team has exposed a frontDoorClassic to frontDoorStandard/premium migration tool to allow you to migrate your existing frontDoorClassic instances to the new frontDoorStandard/premium product tiers.
Manages an Azure Front Door (classic) instance.
Azure Front Door Service is Microsoft's highly available and scalable web application acceleration platform and global HTTP(S) load balancer. It provides built-in DDoS protection and application layer security and caching. Front Door enables you to build applications that maximize and automate high-availability and performance for your end-users. Use Front Door with Azure services including Web/Mobile Apps, Cloud Services and Virtual Machines – or combine it with on-premises services for hybrid deployments and smooth cloud migration.
Below are some of the key scenarios that Azure Front Door Service addresses:
- Use Front Door to improve application scale and availability with instant multi-region failover
- Use Front Door to improve application performance with SSL offload and routing requests to the fastest available application backend.
- Use Front Door for application layer security and DDoS protection for your application.
!> Be Aware: Microsoft rolled out a breaking change on Friday 9th April 2021 which may cause issues with the CDN/FrontDoor resources. More information is available in this GitHub issue. Unfortunately, this may necessitate a breaking change to the CDN and Front Door resources; more information will be posted in the GitHub issue as the necessary changes are identified.
!> BREAKING CHANGE: The customHttpsProvisioningEnabled field and the customHttpsConfiguration block have been removed from the azurermFrontdoor resource in the v2580 provider due to changes made by the service team. If you wish to enable the custom HTTPS configuration functionality within your azurermFrontdoor resource moving forward you will need to define a separate azurermFrontdoorCustomHttpsConfiguration block in your configuration file.
!> BREAKING CHANGE: With the release of the v2580 provider, if you run the apply command against an existing Front Door resource it will not apply the detected changes. Instead it will persist the explicitResourceOrder mapping structure to the state file. Once this operation has completed the resource will resume functioning normally. This change in behavior in Terraform is due to an issue where the underlying service team's API is now returning the response JSON out of order from the way it was sent to the resource via Terraform, causing unexpected discrepancies in the plan after the resource has been provisioned. If your pre-existing Front Door instance contains customHttpsConfiguration blocks there are additional steps that will need to be completed to successfully migrate your Front Door onto the v2580 provider which can be found in this guide.
Example Usage
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "FrontDoorExampleResourceGroup",
  }
);
const azurermFrontdoorExample = new azurerm.frontdoor.Frontdoor(
  this,
  "example_1",
  {
    backend_pool: [
      {
        backend: [
          {
            address: "www.bing.com",
            host_header: "www.bing.com",
            http_port: 80,
            https_port: 443,
          },
        ],
        health_probe_name: "exampleHealthProbeSetting1",
        load_balancing_name: "exampleLoadBalancingSettings1",
        name: "exampleBackendBing",
      },
    ],
    backend_pool_health_probe: [
      {
        name: "exampleHealthProbeSetting1",
      },
    ],
    backend_pool_load_balancing: [
      {
        name: "exampleLoadBalancingSettings1",
      },
    ],
    frontend_endpoint: [
      {
        host_name: "example-FrontDoor.azurefd.net",
        name: "exampleFrontendEndpoint1",
      },
    ],
    name: "example-FrontDoor",
    resource_group_name: azurermResourceGroupExample.name,
    routing_rule: [
      {
        accepted_protocols: ["Http", "Https"],
        forwarding_configuration: [
          {
            backend_pool_name: "exampleBackendBing",
            forwarding_protocol: "MatchRequest",
          },
        ],
        frontend_endpoints: ["exampleFrontendEndpoint1"],
        name: "exampleRoutingRule1",
        patterns_to_match: ["/*"],
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermFrontdoorExample.overrideLogicalId("example");
```
Argument Reference
The following arguments are supported:
- name - (Required) Specifies the name of the Front Door service. Must be globally unique. Changing this forces a new resource to be created.
- resourceGroupName - (Required) Specifies the name of the Resource Group in which the Front Door service should exist. Changing this forces a new resource to be created.
- backendPool - (Required) A backendPool block as defined below.
-> Azure by default allows specifying up to 50 Backend Pools - but this quota can be increased via Microsoft Support.
- backendPoolHealthProbe - (Required) A backendPoolHealthProbe block as defined below.
- backendPoolLoadBalancing - (Required) A backendPoolLoadBalancing block as defined below.
- loadBalancerEnabled - (Optional) Should the Front Door Load Balancer be Enabled? Defaults to true.
- friendlyName - (Optional) A friendly name for the Front Door service.
- backendPoolSettings - (Optional) A backendPoolSettings block as defined below.
- frontendEndpoint - (Required) A frontendEndpoint block as defined below.
- routingRule - (Required) A routingRule block as defined below.
- tags - (Optional) A mapping of tags to assign to the resource.
The backend block supports the following:
- enabled - (Optional) Specifies if the backend is enabled or not. Valid options are true or false. Defaults to true.
- address - (Required) Location of the backend (IP address or FQDN).
- hostHeader - (Required) The value to use as the host header sent to the backend.
- httpPort - (Required) The HTTP TCP port number. Possible values are between 1 and 65535.
- httpsPort - (Required) The HTTPS TCP port number. Possible values are between 1 and 65535.
- priority - (Optional) Priority to use for load balancing. Higher priorities will not be used for load balancing if any lower priority backend is healthy. Defaults to 1.
- weight - (Optional) Weight of this endpoint for load balancing purposes. Defaults to 50.
The backendPool block supports the following:
- name - (Required) Specifies the name of the Backend Pool.
- backend - (Required) A backend block as defined below.
- loadBalancingName - (Required) Specifies the name of the backendPoolLoadBalancing block within this resource to use for this backendPool.
- healthProbeName - (Required) Specifies the name of the backendPoolHealthProbe block within this resource to use for this backendPool.
The backendPoolSettings block supports the following:
- backendPoolsSendReceiveTimeoutSeconds - (Optional) Specifies the send and receive timeout on forwarding request to the backend. When the timeout is reached, the request fails and returns. Possible values are between 0 and 240. Defaults to 60.
- enforceBackendPoolsCertificateNameCheck - (Required) Enforce certificate name check on HTTPS requests to all backend pools. This setting has no effect on HTTP requests. Permitted values are true or false.
-> NOTE: backendPoolsSendReceiveTimeoutSeconds and enforceBackendPoolsCertificateNameCheck apply to all backend pools.
The frontendEndpoint block supports the following:
- name - (Required) Specifies the name of the frontendEndpoint.
- hostName - (Required) Specifies the host name of the frontendEndpoint. Must be a domain name. In order to use a name.azurefd.net domain, the name value must match the Front Door name.
- sessionAffinityEnabled - (Optional) Whether to allow session affinity on this host. Valid options are true or false. Defaults to false.
- sessionAffinityTtlSeconds - (Optional) The TTL to use in seconds for session affinity, if applicable. Defaults to 0.
- webApplicationFirewallPolicyLinkId - (Optional) Defines the Web Application Firewall policy id for each host.
The backendPoolHealthProbe block supports the following:
- name - (Required) Specifies the name of the Health Probe.
- enabled - (Optional) Is this health probe enabled? Defaults to true.
- path - (Optional) The path to use for the Health Probe. Default is /.
- protocol - (Optional) Protocol scheme to use for the Health Probe. Possible values are Http and Https. Defaults to Http.
- probeMethod - (Optional) Specifies HTTP method the health probe uses when querying the backend pool instances. Possible values include: GET and HEAD. Defaults to GET.
-> NOTE: Use the HEAD method if you do not need to check the response body of your health probe.
- intervalInSeconds - (Optional) The number of seconds between each Health Probe. Defaults to 120.
The backendPoolLoadBalancing block supports the following:
- name - (Required) Specifies the name of the Load Balancer.
- sampleSize - (Optional) The number of samples to consider for load balancing decisions. Defaults to 4.
- successfulSamplesRequired - (Optional) The number of samples within the sample period that must succeed. Defaults to 2.
- additionalLatencyMilliseconds - (Optional) The additional latency in milliseconds for probes to fall into the lowest latency bucket. Defaults to 0.
The routingRule block supports the following:
- name - (Required) Specifies the name of the Routing Rule.
- frontendEndpoints - (Required) The names of the frontendEndpoint blocks within this resource to associate with this routingRule.
- acceptedProtocols - (Required) Protocol schemes to match for the Backend Routing Rule. Possible values are Http and Https.
- patternsToMatch - (Required) The route patterns for the Backend Routing Rule.
- enabled - (Optional) Enable or disable use of this Backend Routing Rule. Permitted values are true or false. Defaults to true.
- forwardingConfiguration - (Optional) A forwardingConfiguration block as defined below.
- redirectConfiguration - (Optional) A redirectConfiguration block as defined below.
The forwardingConfiguration block supports the following:
- backendPoolName - (Required) Specifies the name of the Backend Pool to forward the incoming traffic to.
- cacheEnabled - (Optional) Specifies whether to Enable caching or not. Valid options are true or false. Defaults to false.
- cacheUseDynamicCompression - (Optional) Whether to use dynamic compression when caching. Valid options are true or false. Defaults to false.
- cacheQueryParameterStripDirective - (Optional) Defines cache behaviour in relation to query string parameters. Valid options are StripAll, StripAllExcept, StripOnly or StripNone. Defaults to StripAll.
- cacheQueryParameters - (Optional) Specify query parameters (array). Works only in combination with cacheQueryParameterStripDirective set to StripAllExcept or StripOnly.
- cacheDuration - (Optional) Specify the minimum caching duration (in ISO8601 notation e.g. P1DT2H for 1 day and 2 hours). Needs to be greater than 0 and smaller than 365 days. cacheDuration works only in combination with cacheEnabled set to true.
- customForwardingPath - (Optional) Path to use when constructing the request to forward to the backend. This functions as a URL Rewrite. Default behaviour preserves the URL path.
- forwardingProtocol - (Optional) Protocol to use when redirecting. Valid options are HttpOnly, HttpsOnly, or MatchRequest. Defaults to HttpsOnly.
The redirectConfiguration block supports the following:
- customHost - (Optional) Set this to change the URL for the redirection.
- redirectProtocol - (Required) Protocol to use when redirecting. Valid options are HttpOnly, HttpsOnly, or MatchRequest.
- redirectType - (Required) Status code for the redirect. Valid options are Moved, Found, TemporaryRedirect, PermanentRedirect.
- customFragment - (Optional) The destination fragment in the portion of URL after '#'. Set this to add a fragment to the redirect URL.
- customPath - (Optional) The path to retain as per the incoming request, or update in the URL for the redirection.
- customQueryString - (Optional) Replace any existing query string from the incoming request URL.
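As an added illustration (not part of the provider documentation), the TypeScript below checks a Front Door definition for three settings described in the reference above: forwardingProtocol, enforceBackendPoolsCertificateNameCheck and webApplicationFirewallPolicyLinkId. The interfaces and lintFrontDoor are hypothetical names, and the protocol values use the capitalisation of the Example Usage block.

```typescript
// Added example: field names follow this page's Argument Reference; the
// interfaces and lintFrontDoor are hypothetical, not part of the provider.
interface RoutingRule {
  name: string;
  acceptedProtocols: string[];
  enabled?: boolean;
  forwardingConfiguration?: { backendPoolName: string; forwardingProtocol?: string };
}
interface FrontendEndpoint { name: string; hostName: string; webApplicationFirewallPolicyLinkId?: string }
interface FrontDoorSettings {
  frontendEndpoint: FrontendEndpoint[];
  routingRule: RoutingRule[];
  backendPoolSettings?: { enforceBackendPoolsCertificateNameCheck: boolean };
}

function lintFrontDoor(cfg: FrontDoorSettings): string[] {
  const findings: string[] = [];
  for (const rule of cfg.routingRule) {
    if (rule.enabled === false || !rule.forwardingConfiguration) continue;
    // forwardingProtocol defaults to HttpsOnly when omitted (per the reference above).
    const proto = rule.forwardingConfiguration.forwardingProtocol ?? "HttpsOnly";
    const acceptsHttp = rule.acceptedProtocols.includes("Http");
    if (proto === "HttpOnly" || (proto === "MatchRequest" && acceptsHttp)) {
      findings.push(`${rule.name}: traffic can reach the backend over plain HTTP`);
    }
  }
  if (cfg.backendPoolSettings?.enforceBackendPoolsCertificateNameCheck === false) {
    findings.push("backendPoolSettings: certificate name check disabled for all backend pools");
  }
  for (const ep of cfg.frontendEndpoint) {
    if (!ep.webApplicationFirewallPolicyLinkId) {
      findings.push(`${ep.name}: no Web Application Firewall policy linked`);
    }
  }
  return findings;
}

// Constructed input mirroring the Example Usage block on this page.
const pageExample: FrontDoorSettings = {
  frontendEndpoint: [{ name: "exampleFrontendEndpoint1", hostName: "example-FrontDoor.azurefd.net" }],
  routingRule: [{
    name: "exampleRoutingRule1",
    acceptedProtocols: ["Http", "Https"],
    forwardingConfiguration: { backendPoolName: "exampleBackendBing", forwardingProtocol: "MatchRequest" },
  }],
};
const pageFindings = lintFrontDoor(pageExample);
```

Run against the page's own example, the check reports the Http-to-MatchRequest routing rule and the frontend endpoint without a WAF policy.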
Attributes Reference
-> NOTE: UPCOMING BREAKING CHANGE: In order to address the ordering issue we have changed the design on how to retrieve existing sub resources such as backend pool health probes, backend pool loadbalancer settings, backend pools, frontend endpoints and routing rules. Existing design will be deprecated and will result in an incorrect configuration. Please refer to the updated documentation below for more information.
- backendPoolHealthProbes - A map/dictionary of Backend Pool Health Probe Names (key) to the Backend Pool Health Probe ID (value)
- backendPoolLoadBalancingSettings - A map/dictionary of Backend Pool Load Balancing Setting Names (key) to the Backend Pool Load Balancing Setting ID (value)
- backendPools - A map/dictionary of Backend Pool Names (key) to the Backend Pool ID (value)
- frontendEndpoints - A map/dictionary of Frontend Endpoint Names (key) to the Frontend Endpoint ID (value)
- routingRules - A map/dictionary of Routing Rule Names (key) to the Routing Rule ID (value)
backend exports the following:
- id - The ID of the Azure Front Door Backend.
backendPool exports the following:
- id - The ID of the Azure Front Door Backend Pool.
backendPoolHealthProbe exports the following:
- id - The ID of the Azure Front Door Backend Health Probe.
backendPoolLoadBalancing exports the following:
- id - The ID of the Azure Front Door Backend Load Balancer.
frontendEndpoint exports the following:
- id - The ID of the Azure Front Door Frontend Endpoint.
routingRule exports the following:
- id - The ID of the Azure Front Door Backend Routing Rule.
The following attributes are exported:
- cname - The host that each frontendEndpoint must CNAME to.
- headerFrontdoorId - The unique ID of the Front Door which is embedded into the incoming headers X-Azure-FDID attribute and may be used to filter traffic sent by the Front Door to your backend.
- id - The ID of the FrontDoor.
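One way a backend could apply the headerFrontdoorId filter described above, as an added example that is not part of the provider documentation. The function name checkFrontDoorId and the sample ID are hypothetical; the expected ID would come from this resource's headerFrontdoorId attribute, and the header checked is X-Azure-FDID.

```typescript
// Added example: checkFrontDoorId is a hypothetical helper for a backend
// that should only serve requests relayed by one specific Front Door.
type HeaderMap = Record<string, string | string[] | undefined>;

function checkFrontDoorId(headers: HeaderMap, expectedId: string): { allow: boolean; reason: string } {
  // Fail closed if the expected ID was never configured.
  if (expectedId.trim() === "") return { allow: false, reason: "expected ID not configured" };

  // Header names are case-insensitive; collect every value that was sent,
  // including repeated headers and comma-joined duplicates.
  const values: string[] = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "x-azure-fdid" || value === undefined) continue;
    for (const v of Array.isArray(value) ? value : [value]) {
      values.push(...v.split(",").map((s) => s.trim()));
    }
  }

  if (values.length === 0) return { allow: false, reason: "header missing" };
  // More than one value means something between the client and the backend
  // added its own copy, so the request is not trusted.
  if (values.length > 1) return { allow: false, reason: "header sent more than once" };
  return values[0] === expectedId
    ? { allow: true, reason: "ok" }
    : { allow: false, reason: "ID mismatch" };
}

// Constructed sample values for illustration only.
const sampleFrontDoorId = "00000000-0000-0000-0000-000000000000";
const viaFrontDoor = checkFrontDoorId({ "X-Azure-FDID": sampleFrontDoorId }, sampleFrontDoorId);
const directHit = checkFrontDoorId({ host: "backend.example" }, sampleFrontDoorId);
```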
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 6 hours) Used when creating the FrontDoor.
- update - (Defaults to 6 hours) Used when updating the FrontDoor.
- read - (Defaults to 5 minutes) Used when retrieving the FrontDoor.
- delete - (Defaults to 6 hours) Used when deleting the FrontDoor.
Import
Front Doors can be imported using the resourceId, e.g.