az afd origin-group list --resource-group <resource-group> --profile-name <front-door-profile> --output tableFront Door origin group
A Front Door origin group is a logical grouping of origins that receives similar traffic and controls health probing and load balancing behavior.
Source: Microsoft Learn - Origins and origin groups in Azure Front Door Reviewed 2026-05-14
- Exam trap
- Treating Front Door origin group as a simple label instead of checking the live scope, owner, dependencies, and current configuration.
- Production check
- Verify scope, owner tags, enabled state, identity, network path, diagnostics, and linked resources before changing production behavior.
Article details and learning context
- Aliases
- Azure Front Door origin group, AFD origin group, backend pool in Front Door, origin pool
- Difficulty
- intermediate
- CLI mappings
- 5
- Last verified
- 2026-05-14
Understand the concept
In plain English
Front Door origin group is a group of backend origins that Azure Front Door uses as the routing target for similar application traffic. Teams use it to define which backends serve a route and how Front Door should balance, prioritize, probe, and fail over between them. In Azure reviews, it matters when someone must approve access, troubleshoot behavior, estimate cost, or explain why the configuration exists. Treat it as a design choice tied to owners, users, evidence, and rollback.
Why it matters
Front Door origin group matters because it changes how teams design, approve, troubleshoot, and explain an Azure workload. If the concept is misunderstood, teams may grant the wrong access, hide an unhealthy dependency, overbuild capacity, miss audit evidence, or create a user-facing failure that looks like an application bug. It affects security, reliability, operations, cost, and performance because one setting can influence who reaches the workload, how traffic behaves, what gets logged, how much capacity is consumed, and how quickly support can recover. A strong definition helps architects and operators ask the practical questions before the change reaches production. Always tie the review to one subscription, environment, owner, and measurable business outcome.
Technical context
Technically, Front Door origin group is understood through origin group membership, health probe configuration, load-balancing settings, priority, weight, additional latency, sample size, successful samples, routes, and origins. Important settings include origin group name, associated route, health probe path, protocol, interval, sample size, successful samples required, additional latency, and origin priorities. Operators inspect it with origin group show output, route binding, origin membership, health probe settings, origin health metrics, access logs, backend logs, and failover test records.
Exam context
Compare with
Where it is used
Where you see it
- A route points to an origin group that contains one or more origins with priority, weight, health probe, and load-balancing settings during review for production evidence.
- During failover tests, logs show traffic moving between origins according to health probe results, priority values, and route configuration during review for production evidence before approval.
- Architecture diagrams describe origin groups when separating regional backends, active-passive recovery paths, maintenance pools, or private-link protected origins during review for production evidence before approval.
Common situations
- Design and review Front Door origin group for a production Azure workload before traffic, data, or model behavior depends on it.
- Troubleshoot Front Door origin group by comparing live configuration, logs, metrics, ownership, and downstream service health.
- Document Front Door origin group in architecture, security, cost, and support runbooks so teams share the same operating language.
- Use Front Door origin group during release planning to confirm prerequisites, access, rollback, monitoring, and customer-impact assumptions.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Front Door origin group in action for payment processing Scenario, objectives, solution, measured impact, and takeaway.
MercuryPay, a payment processing organization, needed to solve a concrete production challenge: a payment status API needed active-passive regional failover without asking clients to change endpoints. Leaders wanted a practical Azure design that support, security, and business owners could understand.
- Keep one client endpoint
- Fail over between regions
- Measure probe behavior
- Limit false failovers
The team used Front Door origin group as the control point for the change. Architects built a Front Door origin group with a primary and secondary regional API origin. The health probe path returned only dependency-aware status, and priority values made the secondary origin passive until failure. Operators tested failover by disabling the primary origin during a maintenance window and watching route behavior, access logs, origin health, and client error rates. Probe interval and successful sample settings were adjusted after the test. Before release, engineers captured read-only evidence, confirmed owners and access, checked diagnostics or local logs, and documented rollback steps. Operations monitored the first production window with metrics that matched the stated objectives, not just generic resource health. The change record linked configuration evidence to measurable outcomes so later audits and incident reviews could reconstruct the decision quickly.
- Client endpoint stayed unchanged
- Failover completed within target
- False failover risk was reduced
- Probe evidence supported approval
An origin group is where Front Door failover design becomes an operational behavior that can be tested.
Scenario 02 Front Door origin group in action for education technology Scenario, objectives, solution, measured impact, and takeaway.
Evergreen Learning, a education technology organization, needed to solve a concrete production challenge: course content was served from two regional web apps, but traffic distribution and maintenance handling were inconsistent. Leaders wanted a practical Azure design that support, security, and business owners could understand.
- Balance regional origins
- Reduce maintenance impact
- Observe origin latency
- Standardize health checks
The team used Front Door origin group as the control point for the change. The cloud team configured one Front Door origin group with both regional origins and documented weight, priority, and health probe settings. Routes for course pages targeted the group, while static assets used cache rules. Before semester launch, operators ran failover and origin-disable tests. Dashboards compared origin latency, health probe results, and route response codes so support could see whether problems came from Front Door routing or backend app health. Before release, engineers captured read-only evidence, confirmed owners and access, checked diagnostics or local logs, and documented rollback steps. Operations monitored the first production window with metrics that matched the stated objectives, not just generic resource health. The change record linked configuration evidence to measurable outcomes so later audits and incident reviews could reconstruct the decision quickly.
- Maintenance impact became predictable
- Origin latency was visible by region
- Health checks used one standard path
- Student-facing errors dropped 27 percent
Origin groups make multi-origin routing easier to support when health probes and ownership are documented.
Scenario 03 Front Door origin group in action for utilities Scenario, objectives, solution, measured impact, and takeaway.
PolarGrid Energy, a utilities organization, needed to solve a concrete production challenge: a customer outage map needed resilient routing across two backends during storms when traffic and backend failures were both likely. Leaders wanted a practical Azure design that support, security, and business owners could understand.
- Survive regional backend failure
- Keep outage map responsive
- Avoid broad DNS changes
- Practice storm runbooks
The team used Front Door origin group as the control point for the change. Engineers created a Front Door origin group containing two outage-map backends in different regions. The probe path checked the map API and a lightweight database dependency. During storm-readiness testing, operators simulated backend failure, watched traffic shift, verified cache behavior for static map assets, and confirmed that the communications team could still update notices. Runbooks included CLI commands to list origin groups, show settings, and review origin membership. Before release, engineers captured read-only evidence, confirmed owners and access, checked diagnostics or local logs, and documented rollback steps. Operations monitored the first production window with metrics that matched the stated objectives, not just generic resource health. The change record linked configuration evidence to measurable outcomes so later audits and incident reviews could reconstruct the decision quickly.
- Outage map stayed available during drill
- Traffic shifted without DNS changes
- Static assets reduced backend load
- Storm runbook steps were validated
Front Door origin groups give critical web workloads a testable path for regional resilience and maintenance.
Azure CLI
CLI checks make Front Door origin group review repeatable because they capture scoped evidence for configuration, ownership, dependencies, health, and change impact before operators modify production.
Useful for
- List or show the Azure or local resources related to Front Door origin group before selecting a target for deeper review.
- Capture read-only evidence for Front Door origin group during release approval, incident response, access review, or cost investigation.
- Compare configuration, metrics, logs, and dependent resources for Front Door origin group across environments before approving a mutating command.
Before you run a command
- Confirm tenant, subscription, resource group, profile, endpoint, project, device, or local model scope before trusting command output.
- Run list and show commands first, then save evidence before create, update, purge, restart, delete, scale, or access changes.
- Check whether the command affects customer traffic, local user devices, cached content, model behavior, cost, or compliance evidence.
What the output tells you
- Names, resource IDs, locations, SKUs, enabled states, and parent relationships show whether you are inspecting the intended target.
- Settings, identities, routes, deployments, endpoints, origins, cache paths, or model metadata explain how requests or workloads behave today.
- Timestamps, metrics, usage, health state, and logs help separate Azure configuration issues from application, device, or downstream failures.
Mapped commands
Front Door origin group operational checks
directaz afd origin-group show --resource-group <resource-group> --profile-name <front-door-profile> --origin-group-name <origin-group-name>az afd origin-group create --resource-group <resource-group> --profile-name <front-door-profile> --origin-group-name <origin-group-name> --probe-path /healthaz afd origin list --resource-group <resource-group> --profile-name <front-door-profile> --origin-group-name <origin-group-name> --output tableaz afd route list --resource-group <resource-group> --profile-name <front-door-profile> --endpoint-name <endpoint-name>Architecture context
Technically, Front Door origin group is understood through origin group membership, health probe configuration, load-balancing settings, priority, weight, additional latency, sample size, successful samples, routes, and origins. Important settings include origin group name, associated route, health probe path, protocol, interval, sample size, successful samples required, additional latency, and origin priorities. Operators inspect it with origin group show output, route binding, origin membership, health probe settings, origin health metrics, access logs, backend logs, and failover test records.
- Security
- Security for Front Door origin group starts with which origins are allowed to receive traffic, whether private link is required, whether direct origin access is blocked, and who can change membership. Review who can create it, change it, delete it, read diagnostics, approve connected resources, and use any credentials or identities involved. Prefer managed identity and Microsoft Entra ID where supported, keep secrets out of code, and scope roles to the smallest useful boundary. Capture Activity Log entries, role assignments, network settings, policy exemptions, and owner approvals before production changes. The goal is to prove that access, exposure, and data handling were intentional rather than accidental side effects of a quick deployment.
- Cost
- Cost for Front Door origin group is driven by duplicate regional origins, probe traffic, cache misses, private link, overbuilt active-active capacity, and incident cost from failed or slow failover. The expensive mistake is not only Azure consumption; it can also be duplicate experiments, broad changes, support time, overprovisioned capacity, or emergency cleanup after weak design evidence. Review whether the workload truly needs the selected tier, retention, diagnostics, network path, cache behavior, or automation pattern. Use tags, budgets, alerts, and recurring cleanup reviews so teams can explain why the current design exists and remove stale resources without breaking dependencies. Always tie the review to one subscription, environment, owner, and measurable business outcome.
- Reliability
- Reliability for Front Door origin group depends on probe path accuracy, active-active or active-passive design, failover timing, regional dependencies, origin maintenance state, and behavior when only one origin exists. A resource can appear healthy while the business workflow fails because a route, dependency, identity, cache, quota, or downstream service is wrong. Test common failure modes, disabled states, retries, rollback paths, and maintenance behavior before relying on the design. Keep runbooks for first-response checks, owner escalation, and safe rollback. During incidents, compare platform metrics, deployment history, configuration changes, and application traces from the same time window before changing production settings. Always tie the review to one subscription, environment, owner, and measurable business outcome.
- Performance
- Performance for Front Door origin group depends on load-balancing settings, additional latency, origin priority and weight, probe interval, backend distance, origin capacity, and cache hit behavior. Measure platform-side metrics and application-side completion metrics because a fast control-plane response does not always mean users received the right result. Test with realistic data sizes, regions, concurrency, authentication paths, route choices, cache state, and downstream limits. When performance regresses, compare configuration changes, resource limits, client logs, diagnostic data, and workload timing before adding capacity or blaming one service. The best tuning decisions come from evidence tied to the exact environment. Always tie the review to one subscription, environment, owner, and measurable business outcome.
- Operations
- Operations for Front Door origin group require probe tuning, route association review, maintenance procedures, origin enablement changes, failover drills, metric alerts, and rollback to stable origin membership. Before a change, capture read-only CLI output, portal evidence when useful, owner tags, expected behavior, and a rollback path. During incidents, avoid changing several settings at once; compare metrics, logs, deployment operations, identity evidence, network state, and downstream health first. Keep release notes clear enough for support teams to verify current behavior quickly. Good operational practice turns the term into something observable, reviewable, and recoverable instead of tribal knowledge. Always tie the review to one subscription, environment, owner, and measurable business outcome.
Common mistakes
- Treating Front Door origin group as a simple label instead of checking the live scope, owner, dependencies, and current configuration.
- Running a mutating command in the wrong subscription, profile, resource group, project, endpoint, origin group, or local device context.
- Assuming a successful command means users saw the correct result without checking logs, metrics, application behavior, and rollback evidence.