subcategory | layout | page_title | description |
---|---|---|---|
Network | azurerm | Azure Resource Manager: azurerm_frontdoor | Manages an Azure Front Door instance. |
Manages an Azure Front Door instance.
Azure Front Door Service is Microsoft's highly available and scalable web application acceleration platform and global HTTP(s) load balancer. It provides built-in DDoS protection and application layer security and caching. Front Door enables you to build applications that maximize and automate high-availability and performance for your end-users. Use Front Door with Azure services including Web/Mobile Apps, Cloud Services and Virtual Machines – or combine it with on-premises services for hybrid deployments and smooth cloud migration.
Below are some of the key scenarios that Azure Front Door Service addresses:
- Use Front Door to improve application scale and availability with instant multi-region failover
- Use Front Door to improve application performance with SSL offload and routing requests to the fastest available application backend.
- Use Front Door for application layer security and DDoS protection for your application.

```hcl
resource "azurerm_resource_group" "example" {
  name     = "FrontDoorExampleResourceGroup"
  location = "EastUS2"
}

resource "azurerm_frontdoor" "example" {
  name                                         = "example-FrontDoor"
  resource_group_name                          = azurerm_resource_group.example.name
  enforce_backend_pools_certificate_name_check = false

  routing_rule {
    name               = "exampleRoutingRule1"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["exampleFrontendEndpoint1"]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "exampleBackendBing"
    }
  }

  backend_pool_load_balancing {
    name = "exampleLoadBalancingSettings1"
  }

  backend_pool_health_probe {
    name = "exampleHealthProbeSetting1"
  }

  backend_pool {
    name = "exampleBackendBing"
    backend {
      host_header = "www.bing.com"
      address     = "www.bing.com"
      http_port   = 80
      https_port  = 443
    }

    load_balancing_name = "exampleLoadBalancingSettings1"
    health_probe_name   = "exampleHealthProbeSetting1"
  }

  frontend_endpoint {
    name                              = "exampleFrontendEndpoint1"
    host_name                         = "example-FrontDoor.azurefd.net"
    custom_https_provisioning_enabled = false
  }
}
```
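
A hardened variant of the example above, added here for illustration and not part of the provider documentation: where the page's example accepts HTTP, forwards with `MatchRequest` and disables the backend certificate name check, this one redirects HTTP to HTTPS, forwards over HTTPS only, enables the check, and outputs the `header_frontdoor_id` value that backends can match against `X-Azure-FDID`. It reuses `azurerm_resource_group.example` from above; all other resource names and `backend.example.com` are placeholders.

```hcl
# Added example: resource names and backend.example.com are placeholders.
resource "azurerm_frontdoor" "hardened" {
  name                                         = "example-FrontDoor-hardened"
  resource_group_name                          = azurerm_resource_group.example.name # from the page's example
  enforce_backend_pools_certificate_name_check = true # validate backend certificate names
  # Plain HTTP is accepted only so that it can be redirected to HTTPS.
  # patterns_to_match is omitted in both rules and defaults to "/*".
  routing_rule {
    name               = "redirectHttpToHttps"
    accepted_protocols = ["Http"]
    frontend_endpoints = ["hardenedFrontendEndpoint"]
    redirect_configuration {
      redirect_protocol = "HttpsOnly"
      redirect_type     = "Moved"
    }
  }
  # HTTPS requests are forwarded to the backend over HTTPS only.
  routing_rule {
    name               = "forwardHttps"
    accepted_protocols = ["Https"]
    frontend_endpoints = ["hardenedFrontendEndpoint"]
    forwarding_configuration {
      forwarding_protocol = "HttpsOnly"
      backend_pool_name   = "hardenedBackendPool"
    }
  }
  backend_pool_load_balancing { name = "hardenedLoadBalancing" }
  backend_pool_health_probe {
    name     = "hardenedHealthProbe"
    protocol = "Https" # probe the backend over TLS as well
  }
  backend_pool {
    name = "hardenedBackendPool"
    backend {
      host_header = "backend.example.com"
      address     = "backend.example.com"
      http_port   = 80
      https_port  = 443
    }
    load_balancing_name = "hardenedLoadBalancing"
    health_probe_name   = "hardenedHealthProbe"
  }
  frontend_endpoint {
    name                              = "hardenedFrontendEndpoint"
    host_name                         = "example-FrontDoor-hardened.azurefd.net"
    custom_https_provisioning_enabled = false
  }
}
# Backends can compare the X-Azure-FDID request header against this value.
output "frontdoor_id_header_value" { value = azurerm_frontdoor.hardened.header_frontdoor_id }
```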

The following arguments are supported:

- `name` - (Required) Specifies the name of the Front Door service. Changing this forces a new resource to be created.
- `resource_group_name` - (Required) Specifies the name of the Resource Group in which the Front Door service should exist. Changing this forces a new resource to be created.
- `backend_pool` - (Required) A `backend_pool` block as defined below.
- `backend_pool_health_probe` - (Required) A `backend_pool_health_probe` block as defined below.
- `backend_pool_load_balancing` - (Required) A `backend_pool_load_balancing` block as defined below.
- `backend_pools_send_receive_timeout_seconds` - (Optional) Specifies the send and receive timeout when forwarding a request to the backend. When the timeout is reached, the request fails and returns. Possible values are between `0` and `240`. Defaults to `60`.
- `enforce_backend_pools_certificate_name_check` - (Required) Enforce certificate name check on `HTTPS` requests to all backend pools; this setting has no effect on `HTTP` requests. Permitted values are `true` or `false`.

-> NOTE: `backend_pools_send_receive_timeout_seconds` and `enforce_backend_pools_certificate_name_check` apply to all backend pools.

- `load_balancer_enabled` - (Optional) Should the Front Door Load Balancer be Enabled? Defaults to `true`.
- `friendly_name` - (Optional) A friendly name for the Front Door service.
- `frontend_endpoint` - (Required) A `frontend_endpoint` block as defined below.
- `routing_rule` - (Required) A `routing_rule` block as defined below.
- `tags` - (Optional) A mapping of tags to assign to the resource.

The `backend_pool` block supports the following:

- `name` - (Required) Specifies the name of the Backend Pool.
- `backend` - (Required) A `backend` block as defined below.
- `load_balancing_name` - (Required) Specifies the name of the `backend_pool_load_balancing` block within this resource to use for this `Backend Pool`.
- `health_probe_name` - (Required) Specifies the name of the `backend_pool_health_probe` block within this resource to use for this `Backend Pool`.

The `backend` block supports the following:

- `enabled` - (Optional) Specifies if the backend is enabled or not. Valid options are `true` or `false`. Defaults to `true`.
- `address` - (Required) Location of the backend (IP address or FQDN).
- `host_header` - (Required) The value to use as the host header sent to the backend.
- `http_port` - (Required) The HTTP TCP port number. Possible values are between `1` - `65535`.
- `https_port` - (Required) The HTTPS TCP port number. Possible values are between `1` - `65535`.
- `priority` - (Optional) Priority to use for load balancing. Higher priorities will not be used for load balancing if any lower priority backend is healthy. Defaults to `1`.
- `weight` - (Optional) Weight of this endpoint for load balancing purposes. Defaults to `50`.

The `frontend_endpoint` block supports the following:

- `name` - (Required) Specifies the name of the `frontend_endpoint`.
- `host_name` - (Required) Specifies the host name of the `frontend_endpoint`. Must be a domain name.
- `session_affinity_enabled` - (Optional) Whether to allow session affinity on this host. Valid options are `true` or `false`. Defaults to `false`.
- `session_affinity_ttl_seconds` - (Optional) The TTL to use in seconds for session affinity, if applicable. Defaults to `0`.
- `custom_https_provisioning_enabled` - (Required) Should the HTTPS protocol be enabled for a custom domain associated with the Front Door?
- `custom_https_configuration` - (Optional) A `custom_https_configuration` block as defined below.

-> NOTE: This block is required when `custom_https_provisioning_enabled` is set to `true`.

- `web_application_firewall_policy_link_id` - (Optional) Defines the Web Application Firewall policy `ID` for each host.

The `backend_pool_health_probe` block supports the following:

- `name` - (Required) Specifies the name of the Health Probe.
- `enabled` - (Optional) Is this health probe enabled? Defaults to `true`.
- `path` - (Optional) The path to use for the Health Probe. Default is `/`.
- `protocol` - (Optional) Protocol scheme to use for the Health Probe. Defaults to `Http`.
- `probe_method` - (Optional) Specifies HTTP method the health probe uses when querying the backend pool instances. Possible values include: `Get` and `Head`. Defaults to `Get`.

-> NOTE: Use the `Head` method if you do not need to check the response body of your health probe.

- `interval_in_seconds` - (Optional) The number of seconds between each Health Probe. Defaults to `120`.

The `backend_pool_load_balancing` block supports the following:

- `name` - (Required) Specifies the name of the Load Balancer.
- `sample_size` - (Optional) The number of samples to consider for load balancing decisions. Defaults to `4`.
- `successful_samples_required` - (Optional) The number of samples within the sample period that must succeed. Defaults to `2`.
- `additional_latency_milliseconds` - (Optional) The additional latency in milliseconds for probes to fall into the lowest latency bucket. Defaults to `0`.

The `routing_rule` block supports the following:

- `name` - (Required) Specifies the name of the Routing Rule.
- `frontend_endpoints` - (Required) The names of the `frontend_endpoint` blocks within this resource to associate with this `routing_rule`.
- `accepted_protocols` - (Optional) Protocol schemes to match for the Backend Routing Rule. Defaults to `Http`.
- `patterns_to_match` - (Optional) The route patterns for the Backend Routing Rule. Defaults to `/*`.
- `enabled` - (Optional) `Enable` or `Disable` use of this Backend Routing Rule. Permitted values are `true` or `false`. Defaults to `true`.
- `forwarding_configuration` - (Optional) A `forwarding_configuration` block as defined below.
- `redirect_configuration` - (Optional) A `redirect_configuration` block as defined below.

The `forwarding_configuration` block supports the following:

- `backend_pool_name` - (Required) Specifies the name of the Backend Pool to forward the incoming traffic to.
- `cache_enabled` - (Optional) Specifies whether to enable caching or not. Valid options are `true` or `false`. Defaults to `false`.
- `cache_use_dynamic_compression` - (Optional) Whether to use dynamic compression when caching. Valid options are `true` or `false`. Defaults to `false`.
- `cache_query_parameter_strip_directive` - (Optional) Defines cache behavior in relation to query string parameters. Valid options are `StripAll` or `StripNone`. Defaults to `StripAll`.
- `custom_forwarding_path` - (Optional) Path to use when constructing the request to forward to the backend. This functions as a URL Rewrite. Default behavior preserves the URL path.
- `forwarding_protocol` - (Optional) Protocol to use when forwarding traffic to the backend. Valid options are `HttpOnly`, `HttpsOnly`, or `MatchRequest`. Defaults to `HttpsOnly`.

The `redirect_configuration` block supports the following:

- `custom_host` - (Optional) Set this to change the URL for the redirection.
- `redirect_protocol` - (Optional) Protocol to use when redirecting. Valid options are `HttpOnly`, `HttpsOnly`, or `MatchRequest`. Defaults to `MatchRequest`.
- `redirect_type` - (Optional) Status code for the redirect. Valid options are `Moved`, `Found`, `TemporaryRedirect`, `PermanentRedirect`. Defaults to `Found`.
- `custom_fragment` - (Optional) The destination fragment in the portion of URL after '#'. Set this to add a fragment to the redirect URL.
- `custom_path` - (Optional) The path to retain as per the incoming request, or update in the URL for the redirection.
- `custom_query_string` - (Optional) Replace any existing query string from the incoming request URL.

The `custom_https_configuration` block supports the following:

- `certificate_source` - (Optional) Certificate source to encrypt `HTTPS` traffic with. Allowed values are `FrontDoor` or `AzureKeyVault`. Defaults to `FrontDoor`.

The following attributes are only valid if `certificate_source` is set to `AzureKeyVault`:

- `azure_key_vault_certificate_vault_id` - (Required) The ID of the Key Vault containing the SSL certificate.
- `azure_key_vault_certificate_secret_name` - (Required) The name of the Key Vault secret representing the full certificate PFX.
- `azure_key_vault_certificate_secret_version` - (Required) The version of the Key Vault secret representing the full certificate PFX.

~> Note: In order to enable the use of your own custom `HTTPS certificate` you must grant `Azure Front Door Service` access to your key vault. For instructions on how to configure your `Key Vault` correctly please refer to the product documentation.

`backend_pool` exports the following:

- `id` - The Resource ID of the Azure Front Door Backend Pool.

`backend` exports the following:

- `id` - The Resource ID of the Azure Front Door Backend.

`frontend_endpoint` exports the following:

- `id` - The Resource ID of the Azure Front Door Frontend Endpoint.
- `provisioning_state` - Provisioning state of the Front Door.
- `provisioning_substate` - Provisioning substate of the Front Door.

`backend_pool_health_probe` exports the following:

- `id` - The Resource ID of the Azure Front Door Backend Health Probe.

`backend_pool_load_balancing` exports the following:

- `id` - The Resource ID of the Azure Front Door Backend Load Balancer.

`routing_rule` exports the following:

- `id` - The Resource ID of the Azure Front Door Backend Routing Rule.

`custom_https_configuration` exports the following:

- `minimum_tls_version` - Minimum client TLS version supported.

The following attributes are exported:

- `cname` - The host that each frontendEndpoint must CNAME to.
- `header_frontdoor_id` - The unique ID of the Front Door which is embedded into the incoming headers `X-Azure-FDID` attribute and may be used to filter traffic sent by the Front Door to your backend.
- `id` - The ID of the FrontDoor.

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 6 hours) Used when creating the FrontDoor.
- `update` - (Defaults to 6 hours) Used when updating the FrontDoor.
- `read` - (Defaults to 6 hours) Used when retrieving the FrontDoor.
- `delete` - (Defaults to 6 hours) Used when deleting the FrontDoor.

Front Doors can be imported using the `resource id`, e.g.

```shell
terraform import azurerm_frontdoor.example /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/mygroup1/providers/Microsoft.Network/frontdoors/frontdoor1
```