Endpoints in Azure Front Door

In Azure Front Door, an endpoint is a logical grouping of one or more routes associated with domain names. Each endpoint is assigned a domain name by Front Door, and you can also associate your own custom domains using routes.

How many endpoints should I create?

A Front Door profile can contain multiple endpoints, but in many cases, a single endpoint might suffice.

Consider the following factors when planning your endpoints:

  • If all your domains use the same or similar route paths, it's likely best to combine them into a single endpoint.
  • If you use different routes and route paths for each domain, consider creating separate endpoints, such as one for each custom domain.
  • If you need to enable or disable all your domains together, consider using a single endpoint, as an entire endpoint can be enabled or disabled at once.

Endpoint domain names

Endpoint domain names are automatically generated when you create a new endpoint. Front Door generates a unique domain name based on several components, including:

  • The endpoint's name.
  • A pseudorandom hash value determined by Front Door, which helps protect against subdomain takeover attacks.
  • The base domain name for your Front Door environment, generally z01.azurefd.net.

For example, if you create an endpoint named myendpoint, the endpoint domain name might be myendpoint-mdjf2jfgjf82mnzx.z01.azurefd.net.

The endpoint domain is accessible when you associate it with a route.

Reuse of an endpoint domain name

When you delete and redeploy an endpoint, you might expect to get the same pseudorandom hash value and, therefore, the same endpoint domain name. Front Door allows you to control how these pseudorandom hash values are reused on an endpoint-by-endpoint basis.

An endpoint's domain can be reused within the same tenant, subscription, or resource group scope level. You can also choose to not allow the reuse of an endpoint domain. By default, Front Door allows reuse of the endpoint domain within the same Microsoft Entra tenant.

You can configure the scope level of the endpoint's domain reuse behavior using Bicep, an Azure Resource Manager (ARM) template, the Azure CLI, or Azure PowerShell. Additionally, you can configure it for all Front Door endpoints in your organization using Azure Policy. Once you change the scope level through the command line, the Azure portal uses the scope level you defined.

The following table lists the allowable values for the endpoint's domain reuse behavior:

Value                 Description
TenantReuse           This is the default value. Endpoints with the same name in the same Microsoft Entra tenant receive the same domain label.
SubscriptionReuse     Endpoints with the same name in the same Azure subscription receive the same domain label.
ResourceGroupReuse    Endpoints with the same name in the same resource group receive the same domain label.
NoReuse               Endpoints always receive a new domain label.

Note

The reuse behavior cannot be modified for an existing Front Door endpoint. It only applies to newly created endpoints.

The following examples demonstrate how to create a new Front Door endpoint with the reuse scope set to SubscriptionReuse:

Azure CLI

az afd endpoint create \
  --resource-group MyResourceGroup \
  --profile-name MyProfile \
  --endpoint-name myendpoint \
  --name-reuse-scope SubscriptionReuse

Azure PowerShell

New-AzFrontDoorCdnEndpoint `
   -ResourceGroupName MyResourceGroup `
   -ProfileName MyProfile `
   -EndpointName myendpoint `
   -Location global `
   -AutoGeneratedDomainNameLabelScope SubscriptionReuse

Bicep

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2021-06-01' = {
  name: endpointName
  parent: profile
  location: 'global'
  properties: {
    autoGeneratedDomainNameLabelScope: 'SubscriptionReuse'
  }
}
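
Because the reuse scope cannot be changed after an endpoint is created, it is worth checking templates before deployment. The following Python sketch is an added example, not part of the original documentation: it scans the resources of an ARM template for Front Door endpoints and flags any whose reuse scope is broader than a chosen maximum, treating an omitted property as the TenantReuse default described above. The function names, the max_scope parameter, and the sample template are assumptions constructed for illustration.

```python
# Scopes from the table above, ordered from narrowest to broadest reuse.
SCOPE_ORDER = ["NoReuse", "ResourceGroupReuse", "SubscriptionReuse", "TenantReuse"]
DEFAULT_SCOPE = "TenantReuse"  # documented default when the property is omitted
ENDPOINT_TYPE = "Microsoft.Cdn/profiles/afdEndpoints"


def iter_endpoints(resources, parent_type=""):
    """Yield (name, properties) for every Front Door endpoint, including nested children."""
    for res in resources:
        rtype = res.get("type", "")
        # A child nested under its parent carries only the last type segment.
        full_type = f"{parent_type}/{rtype}" if parent_type else rtype
        if full_type.lower() == ENDPOINT_TYPE.lower():
            yield res.get("name", "<unnamed>"), res.get("properties", {})
        yield from iter_endpoints(res.get("resources", []), full_type)


def audit_reuse_scope(template, max_scope="SubscriptionReuse"):
    """Return (endpoint name, effective scope, verdict) for each endpoint in the template."""
    limit = SCOPE_ORDER.index(max_scope)  # hypothetical organizational maximum
    findings = []
    for name, props in iter_endpoints(template.get("resources", [])):
        scope = props.get("autoGeneratedDomainNameLabelScope", DEFAULT_SCOPE)
        if scope not in SCOPE_ORDER:
            verdict = "invalid"
        elif SCOPE_ORDER.index(scope) > limit:
            verdict = "too-broad"
        else:
            verdict = "ok"
        findings.append((name, scope, verdict))
    return findings


# Constructed sample template (not taken from a real deployment).
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Cdn/profiles", "name": "MyProfile", "resources": [
        {"type": "afdEndpoints", "name": "nested-default", "properties": {}},
    ]},
    {"type": "Microsoft.Cdn/profiles/afdEndpoints", "name": "MyProfile/myendpoint",
     "properties": {"autoGeneratedDomainNameLabelScope": "SubscriptionReuse"}},
    {"type": "Microsoft.Cdn/profiles/afdEndpoints", "name": "MyProfile/isolated",
     "properties": {"autoGeneratedDomainNameLabelScope": "NoReuse"}},
]}

if __name__ == "__main__":
    for name, scope, verdict in audit_reuse_scope(SAMPLE_TEMPLATE):
        print(f"{name}: {scope} -> {verdict}")
```

The endpoint that omits the property is reported as TenantReuse and flagged, which is the case most easily missed in review because nothing in the template shows the broader scope.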
