Azure ships two L7 load balancers for web applications: Application Gateway and Front Door. Their feature sets overlap, but their scope (regional vs global) and capabilities differ in important ways. This article compares them across features, cost, selection criteria, and combined patterns, giving you the material to pick the right fit for your environment.
| Aspect | Application Gateway (WAF v2) | Front Door (Premium) |
|---|---|---|
| Scope | Regional (single VNet) | Global (300+ Edge Locations) |
| Layer | L7 (HTTP/HTTPS) | L7 + CDN (HTTP/HTTPS) |
| SLA | 99.95% | 99.99% |
| WAF | WAF v2 (OWASP CRS 3.2) | WAF Premium (OWASP CRS 3.2 + Bot Manager) |
| DDoS protection | Configured separately at the VNet level | Absorbed automatically at the edge |
| CDN | None | Yes (static content caching) |
| SSL Termination | Yes | Yes |
| Routing | URL Path / Host / Header based | Same + Geo + Rules Engine |
| Private Link integration | Not needed (in-VNet) | Yes (Premium only) |
| HTTP/3 (QUIC) | Not supported | Supported |
| Monthly cost (baseline) | ~40,000–60,000 JPY | ~35,000 JPY (Standard) / ~330,000 JPY (Premium) |
| Use case | Single-region web apps | Multi-region deployments, global users |
Application Gateway is an L7 load balancer deployed into a VNet inside a single region, distributing traffic to Azure backends (VMs, VMSS, App Service, AKS).
Front Door is an L7 load balancer + CDN service that rides on Microsoft's global Edge Network. It receives user requests at 300+ Edge Locations worldwide and routes them to the nearest backend region.
| Aspect | Standard | Premium | Classic (legacy) |
|---|---|---|---|
| WAF | None (add separately) | WAF Premium integrated | Classic WAF |
| Private Link | Not supported | Supported | Not supported |
| Bot Manager | Not supported | Supported | Not supported |
| Fixed monthly fee | 35 USD | 330 USD | Usage-based only |
| New deployments | Yes | Yes | No (closed since 2024) |
| Recommended for | Simple CDN / global LB | When WAF / Private Link are required | Existing environments only |
For new projects, choose Standard or Premium — Microsoft's current guidance is to avoid Classic. Premium is the only choice if you need WAF; Standard is enough for a simple CDN.
The standard pattern for global multi-region deployments:
This delivers a three-tier architecture — global WAF + in-region L7 routing + backend distribution. The bill (Front Door Premium + Application Gateway WAF v2 × number of regions) reaches several hundred thousand yen per month, but you get enterprise-grade reliability and security.
Azure has four traffic-control services.
| Service | Layer | Scope | WAF | Status |
|---|---|---|---|---|
| Front Door | L7 + CDN | Global | Yes (Premium) | Primary choice |
| Application Gateway | L7 | Regional | Yes (WAF v2) | Primary choice |
| Traffic Manager | DNS (L4/L7 agnostic) | Global | None | Niche use cases |
| Azure CDN | CDN only | Global | Limited | Legacy |
Since Front Door's launch, standalone use cases for Azure CDN and Traffic Manager have shrunk. Traffic Manager still earns its keep when you need DNS-level failover (e.g., multi-cloud failover between Azure and AWS), while Azure CDN survives only in legacy scenarios. The industry trend is clear: pick Front Door for new projects.
What is the biggest difference between Application Gateway and Front Door?
Their scope. Application Gateway is a regional L7 load balancer deployed into a VNet inside a specific region, distributing traffic to backends in that region. Front Door is a global L7 load balancer + CDN that receives traffic at 300+ Microsoft Edge Locations worldwide and routes to the nearest backend region. Application Gateway is built for single-region web apps; Front Door is built for multi-region deployments and global users. The two are not competitors — they are complementary, and a common pattern is to layer them: Front Door at the global edge, Application Gateway for in-region L7 routing to AKS / VMs.
Do both services offer a Web Application Firewall (WAF)?
Yes, both do. Application Gateway WAF v2 and Front Door WAF Premium offer roughly the same feature set (OWASP Core Rule Set CRS 3.2, custom rules, bot protection, geo-filtering, rate limiting). The difference is where the policy applies: Application Gateway WAF runs in-region, while Front Door WAF runs at the global edge. Both integrate with Microsoft Defender for Cloud Apps. Front Door Premium is also integrated with Azure DDoS Protection, absorbing attacks at the edge. The rule of thumb: Front Door + WAF Premium for global DDoS defense, Application Gateway WAF v2 for a consolidated in-region WAF.
What are the differences between Front Door SKUs (Standard / Premium / Classic)?
Front Door has three SKUs sold in parallel: Front Door Classic (the legacy SKU, closed to new deployments since 2024 and only supported for existing tenants), Front Door Standard, and Front Door Premium. Standard and Premium are the redesigned 2022 generation and offer more capability than Classic. Standard: basic global L7 load balancer + CDN, fixed 35 USD/month + usage. Premium: Standard + WAF Premium + Private Link integration + Bot Manager + Managed Identity, fixed 330 USD/month + usage. Microsoft now recommends only Standard or Premium for greenfield projects — avoid Classic. Choose Premium if you need WAF; Standard is enough for a simple CDN.
What are the main features of Application Gateway?
Application Gateway (focused on the WAF v2 SKU) provides: 1) URL Path-based Routing (e.g., /api → API Server, /images → CDN); 2) Host-based Routing (e.g., api.example.com → AKS Service A, shop.example.com → AKS Service B); 3) SSL Termination (Azure decrypts SSL and forwards to backends over HTTP, offloading CPU); 4) SSL Re-encryption (backends receive HTTPS, end-to-end encryption); 5) Session Affinity (cookie-based session stickiness); 6) Auto-scaling (Min 0 – Max 125 instances); 7) Custom Probes (configurable backend health checks); 8) Web Application Firewall v2 (OWASP CRS 3.2); 9) Connection Draining (safe backend removal during deployments); 10) Mutual Authentication (mTLS). SLA is 99.95%.
What are the main features of Front Door?
Front Door Premium provides: 1) Anycast IP + automatic routing to the nearest of 300+ global Edge Locations; 2) Geo-filtering (country-level access control); 3) URL Rewrite / Redirect; 4) Rules Engine (custom request/response manipulation); 5) Caching (CDN function, static content cached at the edge); 6) WAF Premium (OWASP CRS 3.2, Bot Manager, JS Challenge); 7) DDoS Protection integration (Network / IP Protection); 8) Private Link integration (direct delivery to backend Private Endpoints); 9) Origin Health Probe (automatic backend failover); 10) Session Affinity; 11) HTTP/2 and HTTP/3 (QUIC) support. SLA is 99.99%.
What does the combined pattern look like?
The standard pattern for global multi-region deployments: 1) Front Door is the global edge layer + WAF Premium, receiving all traffic; 2) Each region's Application Gateway is registered as a Front Door origin; 3) Application Gateway then routes within its region to AKS / VMs / App Services. This delivers a three-tier architecture — global WAF + in-region L7 routing + backend distribution. The bill (Front Door Premium + Application Gateway WAF v2 × number of regions) reaches several hundred thousand yen per month, but you get enterprise-grade reliability and security. A simpler variant — Front Door alone, delivering directly to AKS / App Service — is also viable, with Application Gateway omitted entirely.
How do Traffic Manager and Azure CDN fit in?
Azure has four traffic-control services: 1) Front Door (global L7 + CDN + WAF, HTTP/HTTPS only); 2) Application Gateway (regional L7 + WAF, HTTP/HTTPS only); 3) Traffic Manager (global DNS-based routing, protocol-agnostic across L4/L7); 4) Azure CDN (pure content-delivery CDN — a subset of Front Door's features). Since Front Door's launch, standalone use cases for Azure CDN and Traffic Manager have shrunk. Traffic Manager still earns its keep when you need DNS-level failover (e.g., multi-cloud failover between Azure and AWS), while Azure CDN survives only in legacy scenarios. The industry trend is clear: pick Front Door for new projects.
Which related certification exams cover these services?
AZ-700 (Network Engineer Associate) covers Application Gateway and Front Door in depth — routing rules, WAF, SSL configuration, and selection decisions are all frequent topics. AZ-104 (Administrator) covers the basics in Domain 4. AZ-305 (Solutions Architect Expert) asks for the architect-level decision of which to use when. SC-100 / SC-500 (Cybersecurity Architect / Security Engineer) cover WAF design and DDoS countermeasures. In practice, every public-facing Azure web project ends up using one (or both) of these as a core service, so deep familiarity is essential for any Azure network engineer.
Related articles and technical deep dives
Azure Front Door 詳細機能|Rules Engine・Caching・Private Link・Bot Manager・Custom Domain【2026 年版】
Azure Front Door の詳細機能を完全解説。Rules Engine (条件付きアクション)・Custom Domain と SSL 証明書管理・Origin Group と Health Probe・Caching (CDN 機能)・Private Link Integration・WAF Premium と Bot Manager・Authentication Context 連携・関連認定試験 (AZ-700 / AZ-305 / SC-100) を日本語で網羅。
Azure Firewall 完全ガイド|Basic/Standard/Premium 選定・Rule 設計・Firewall Manager【2026 年版】
Azure Firewall の完全ガイド。Basic/Standard/Premium SKU 選定、Application Rule と Network Rule の使い分け、DNAT Rule、Firewall Manager と Firewall Policy、FQDN タグ、Forced Tunneling、NSG との使い分け、関連認定試験 (AZ-700 / SC-100) を日本語で網羅。
Azure VPN Gateway 完全ガイド|SKU 選定・Site-to-Site/Point-to-Site・BGP・Active-Active【2026 年版】
Azure VPN Gateway の完全ガイド。SKU 選定 (VpnGw1-5)・Site-to-Site / Point-to-Site / VNet-to-VNet・BGP 動的ルーティング・Active-Active 高可用構成・Zone Redundant SKU・IKE Policy 強化・運用ベストプラクティス・関連認定試験 (AZ-700 / AZ-305) を日本語で網羅。
Azure Files 完全ガイド|SMB/NFS・Standard/Premium・Entra Kerberos・Azure File Sync【2026 年版】
Azure Files の完全ガイド。Standard vs Premium ティア選定、SMB vs NFS プロトコル、Active Directory 認証 (オンプレ AD・Entra DS・Entra Kerberos)、Azure File Sync によるハイブリッド、AKS Persistent Volume 利用、セキュリティベストプラクティス、関連認定試験 (AZ-104 / AZ-800) を日本語で網羅。
The technical information in this article is based on the Azure Application Gateway Documentation and Azure Front Door Documentation. This article is not an official Microsoft Corporation product and has no partnership or sponsorship relationship with Microsoft. Microsoft and Azure are trademarks of the Microsoft group of companies. The information reflects publicly available official material as of May 24, 2026. Always check the official documentation for the latest updates.
Practice with certification-focused question sets
Browse Azure exam prepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...