az afd profile show --profile-name <front-door-profile> --resource-group <resource-group>Front Door route
Front Door route is the Azure Front Door configuration that decides which domain and path patterns send user requests to which origin group. Teams use it to connect edge endpoints and custom domains to backend applications while controlling accepted protocols, forwarding behavior, caching, and rule-set association. In daily Azure work, it shows up when engineers add APIs, split static and dynamic paths, migrate origins, route traffic between regions, or investigate why a request reached the wrong backend.
Source: Microsoft Learn - Azure Front Door routing architecture Reviewed 2026-05-14
- Exam trap
- Treating Front Door route as a simple label instead of checking the live scope, owner, dependencies, and current configuration.
- Production check
- Verify the intended scope, owner tags, enabled state, identity, diagnostics, and linked resources before changing Front Door route.
Article details and learning context
- Aliases
- AFD route, Azure Front Door route, edge route
- Difficulty
- intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-14
- Review level
- top250-pre130-priority
- Article depth
- field-manual-complete
Understand the concept
Why it matters
Front Door route matters because it turns architecture intent into runtime behavior. When teams misunderstand it, they may change the wrong scope, grant access too broadly, overload capacity, hide a data exposure path, or chase an application bug that is really platform configuration. For this term, that means a route is often the exact place where traffic is misdirected, cached unexpectedly, sent to the wrong region, or blocked by a rule set during an incident. It affects security, reliability, operations, cost, and performance because one choice can change how users, identities, traffic, data, deployments, or events behave. Review owner, scope, evidence, dependencies, and rollback before production change.
Official wording and source
An Azure Front Door configuration that maps accepted domains, protocols, and URL path patterns to an origin group and optional rule set.
Technical context
Technically, Front Door route is configured through Front Door endpoints, custom domains, route resources, path patterns, protocol choices, forwarding settings, origin-group references, cache configuration, and optional rule-set links. Important settings include accepted protocols, HTTPS redirect behavior, patterns to match, origin-group name, supported domains, link-to-default-domain setting, forwarding protocol, cache behavior, and enabled state. Operators inspect it with az afd route output, deployment templates, endpoint domain lists, origin-group health, access logs, route-matching diagnostics, Azure Monitor metrics, and recent deployment operations.
Exam context
Compare with
Where it is used
Where you see it
- A route page shows custom domains, path patterns, origin group, forwarding protocol, caching state, enabled status, and attached rule sets for one Front Door endpoint.
- Bicep or ARM templates contain route resources under an endpoint, with properties that bind domains, patterns, origin groups, and rule-set references together. Review owner, scope, evidence, dependencies, and rollback before production change.
- Access logs reveal the matched route and backend origin, helping operators explain why a request path succeeded, failed, redirected, or reached an unexpected region. Review owner, scope, evidence, dependencies, and rollback before production change.
Common situations
- Map domains and path patterns to the correct Front Door origin group for web, API, and static content traffic.
- Split route ownership between applications so checkout, APIs, media, and admin paths can change independently.
- Troubleshoot unexpected origin selection, cache behavior, protocol forwarding, or rule-set processing during incidents.
- Review route definitions before cutovers, migrations, or global launches that change customer request flow.
- Document route-to-origin evidence, owner tags, rollback steps, and synthetic probes for production change approvals.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Front Door route in action for retail API migration Scenario, objectives, solution, measured impact, and takeaway.
Fabrikam Market, a retail commerce company, needed to move product APIs to a new regional origin while keeping static assets and checkout traffic stable.
- Route /api paths to the new origin group
- Keep checkout paths unchanged
- Validate behavior before DNS changes
- Reduce rollback time during cutover
The team used Front Door route to map specific domains and path patterns to the correct origin groups. Engineers created one route for /api/* that forwarded to the new API origin group and left checkout and static paths on existing routes. They attached a rule set only to the API route for header normalization. CLI output captured route names, endpoint scope, accepted protocols, path patterns, forwarding protocol, and origin-group bindings. Synthetic tests confirmed the matched route before production traffic was gradually moved through DNS. Architects documented ownership, rollback steps, monitoring signals, and approval evidence so support staff could operate the design without guessing during incidents. The rollout included a lower-environment test, a named business owner, and a short runbook explaining what to verify before and after release.
- API migration completed without checkout impact
- Rollback required one route disable action
- Synthetic probes caught one path typo before release
- Average support triage time fell by 35 percent
A Front Door route is the practical control point for sending the right user request to the right backend.
Scenario 02 Front Door route in action for media subscription portal Scenario, objectives, solution, measured impact, and takeaway.
StreamVista Media, a subscription video company, needed separate routing for account pages, image assets, and regional streaming metadata APIs.
- Separate dynamic and static traffic
- Improve cache behavior for images
- Keep account traffic on secure origins
- Expose route evidence during incidents
The engineers used Front Door route definitions to bind each custom domain and path pattern to the right origin group. Image routes enabled caching and compression, account routes forwarded directly to secure app origins, and metadata API routes used a separate origin group with health probes. Route configuration was stored in templates and reviewed beside access logs. During an incident, operators compared the matched route, origin health, and response headers before changing settings, which avoided unnecessary application redeployments. Architects documented ownership, rollback steps, monitoring signals, and approval evidence so support staff could operate the design without guessing during incidents. The rollout included a lower-environment test, a named business owner, and a short runbook explaining what to verify before and after release. Security, reliability, cost, and performance evidence were captured together so reviewers could see the operational tradeoffs rather than only the deployment result.
- Image origin calls dropped by 52 percent
- Account pages kept strict forwarding behavior
- Route evidence shortened incident review by 40 percent
- No customer-facing DNS changes were needed
Routes let teams separate traffic behavior at the edge without forcing every change into application code.
Scenario 03 Front Door route in action for manufacturing partner portal Scenario, objectives, solution, measured impact, and takeaway.
Alpine Components, a manufacturing supplier, needed to expose partner portal traffic while testing a new backend for only selected URL paths.
- Route test paths to a new backend
- Protect normal partner traffic
- Collect logs for route matching
- Make rollback simple for support
The platform team used Front Door route as the safe boundary for the backend test. A new origin group pointed to the test service, and a route matched only /beta/partner/* on the partner custom domain. Existing production routes stayed unchanged. The team attached diagnostic settings and required CLI evidence showing the route, path pattern, enabled state, and origin group before the pilot. Support staff had a runbook to disable the beta route if errors crossed the threshold. Architects documented ownership, rollback steps, monitoring signals, and approval evidence so support staff could operate the design without guessing during incidents. The rollout included a lower-environment test, a named business owner, and a short runbook explaining what to verify before and after release. Security, reliability, cost, and performance evidence were captured together so reviewers could see the operational tradeoffs rather than only the deployment result.
- Pilot traffic reached only the test backend
- Production partner traffic stayed unaffected
- Rollback was tested in less than two minutes
- Route logs proved the blast radius during review
A route makes targeted backend changes safer because traffic matching is explicit and reviewable.
Azure CLI
CLI checks make Front Door route review repeatable because they capture scoped evidence for configuration, ownership, dependencies, health, and change impact before operators modify production.
Useful for
- List or show the Azure resources related to Front Door route before selecting a target for deeper review.
- Capture read-only evidence for Front Door route during release approval, incident response, access review, or cost investigation.
- Compare configuration, metrics, logs, and dependent resources for Front Door route across environments before approving a mutating command.
Before you run a command
- Confirm tenant, subscription, resource group, application, profile, account, endpoint, or deployment scope before trusting command output.
- Run list and show commands first, then save evidence before create, update, restart, delete, purge, scale, or access changes.
- Check whether the command affects customer traffic, credentials, cached content, model behavior, data access, cost, or compliance evidence.
What the output tells you
- Names, resource IDs, locations, SKUs, enabled states, and parent relationships show whether you are inspecting the intended target.
- Settings, identities, routes, deployments, indexes, endpoints, origins, or app settings explain how requests and workloads behave today.
- Timestamps, metrics, usage, health state, and logs help separate Azure configuration issues from application or downstream failures.
Mapped commands
Front Door route operational checks
directaz afd route list --endpoint-name <endpoint-name> --profile-name <front-door-profile> --resource-group <resource-group>az afd route show --endpoint-name <endpoint-name> --profile-name <front-door-profile> --resource-group <resource-group> --route-name <route-name>az afd route update --endpoint-name <endpoint-name> --profile-name <front-door-profile> --resource-group <resource-group> --route-name <route-name> --enabled-state EnabledArchitecture context
Technically, Front Door route is configured through Front Door endpoints, custom domains, route resources, path patterns, protocol choices, forwarding settings, origin-group references, cache configuration, and optional rule-set links. Important settings include accepted protocols, HTTPS redirect behavior, patterns to match, origin-group name, supported domains, link-to-default-domain setting, forwarding protocol, cache behavior, and enabled state. Operators inspect it with az afd route output, deployment templates, endpoint domain lists, origin-group health, access logs, route-matching diagnostics, Azure Monitor metrics, and recent deployment operations.
- Security
- Security for Front Door route starts with custom-domain ownership, accepted protocols, HTTPS redirect, host-header forwarding, rule-set actions, WAF association through the domain path, and origin exposure created by routing choices. Review who can create, update, delete, execute, read logs, approve dependencies, and manage credentials or identities. Prefer Microsoft Entra ID, managed identity, private networking, least privilege, and audited automation where the service supports them. Keep secrets out of code and avoid broad public exposure unless there is a documented exception. Capture role assignments, diagnostic settings, policy decisions, Activity Log entries, and owner approvals so access and data handling are intentional and reviewable.
- Cost
- Cost for Front Door route is driven by request volume per route, cache hit ratio, data transfer to origins, diagnostic log volume, WAF inspection, duplicate route patterns, and unnecessary backend calls from poor cache design. The expensive mistake is not only Azure consumption; it can also be duplicate experiments, emergency support, overprovisioned capacity, unnecessary data transfer, or cleanup after weak design evidence. Review whether the workload truly needs the selected tier, retention, diagnostics, network path, scale rule, cache behavior, or automation pattern. Use tags, budgets, alerts, and cleanup reviews so teams can explain why the design exists and remove stale resources safely.
- Reliability
- Reliability for Front Door route depends on route precedence, path-pattern accuracy, origin-group health, enabled state, cache settings, regional failover, propagation delay, and how route changes behave during deployment windows. A resource can be present and still fail the business workflow if routing, identity, quota, storage, code, cache, scale, or downstream health is wrong. Test failure modes, retries, deployment behavior, disabled states, rollback steps, and maintenance windows before relying on the design. During incidents, compare platform metrics, logs, deployment history, and application traces from the same time window before changing production. The goal is a recoverable configuration support teams can verify quickly.
- Performance
- Performance for Front Door route depends on path matching, edge caching, forwarding protocol, backend latency, origin-group selection, compression, TLS redirection, WAF processing, and how route changes propagate globally. Measure platform metrics and application-side completion times because a fast control-plane response does not prove users received the right result. Test with realistic regions, data sizes, concurrency, authentication paths, route choices, cache state, package size, and downstream limits. When performance regresses, compare configuration changes, resource limits, client logs, diagnostic data, and workload timing before adding capacity or blaming one service. Tune with evidence from the exact environment and traffic pattern. Review owner, scope, evidence, dependencies, and rollback before production change.
- Operations
- Operations for Front Door route require route inventories, path ownership, dependency maps, change approvals, route-to-origin evidence, synthetic probes, access-log review, and rollback procedures for incorrect traffic matching. Before a change, capture read-only CLI output, portal evidence when useful, owner tags, expected behavior, and rollback steps. During incidents, avoid changing several settings at once; compare metrics, logs, deployment operations, identity evidence, network state, and downstream health first. Keep runbooks clear enough for support teams to verify current behavior quickly. Good operations make the term observable, reviewable, and recoverable during releases, audits, and incidents. Review owner, scope, evidence, dependencies, and rollback before production change.
Common mistakes
- Treating Front Door route as a simple label instead of checking the live scope, owner, dependencies, and current configuration.
- Running a mutating command for Front Door route in the wrong subscription, resource group, app, profile, route, or account context.
- Assuming successful deployment proves Front Door route works without checking logs, metrics, user behavior, and rollback evidence.