---
title: "Deploying Web Access with Azure Front Door"
slug: "deploying-web-access-with-azure-front-door"
updated: 2025-12-12T18:13:36Z
published: 2025-12-12T18:13:36Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nasuni.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Deploying Web Access with Azure Front Door

This guide is intended for IT infrastructure architects and DevOps professionals responsible for deploying or enabling Web Access in the Azure public cloud.

This guide applies to Nasuni Edge Appliance 10.1 and higher.

## Introduction

Azure Front Door is a cloud-based content delivery network (CDN) service that improves download performance and optimizes traffic over high-bandwidth connections.

The simplest way to set up Front Door is to expose the Edge Appliance to the internet through a public IP address that allows access only from Front Door. This guide focuses on that configuration and does not cover setups using Azure Private Links.

## Prerequisites

- The account setting “Restrict Session IP” must be set to False by Nasuni Support.
- An Edge Appliance must be deployed to Azure and joined to the NMC.
- A public Fully Qualified Domain Name (FQDN) for your instance and corresponding SSL/TLS server certificate.
- Access to DNS to set up the FQDN.

## Account Configuration

By default, Web Access restricts sessions to a single IP address. Because requests routed through Front Door might originate from different IP addresses, this restriction must be disabled.

To have Restrict Session IP disabled for Web Access, contact Nasuni Support. For more information, see [Web Access - Deployment Architecture and Sizing](/v1/docs/web-access-architecture-and-sizing).

## Restricting the Public IP

To allow only HTTPS access via the Azure Front Door servers, follow these steps:

1. Log in to [Azure](https://portal.azure.com).
2. Navigate to **Virtual Machines**and select the Edge Appliance instance.
3. Expand the **Networking** category and select **Network Settings**. A public IP address displays in the right-hand panel. If an IP is not configured, follow these steps:
  1. Click the **Configure** link, the NIC network settings load.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-AVSWUJVJ.png)
  2. Click **ipconfig1**to load the **Edit IP configuration** window.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-XNXFC1IV.png)
  3. Check the **Associate public IP address**checkbox. A dropdown box appears, populated with a new public IP address. Alternatively, create a new public IP address by clicking **Create a public IP address,**followed by**Save.**

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-V51HITLC.png)
  4. Navigate to the **Networking** category and click **Network settings**to refresh the page. The new IP address is displayed.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-64EQ9TXC.png)
4. Scroll down to **Rules** and click **HTTPS**. An **HTTPS** window opens on the right side.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-UU5T3XT9.png)
5. Using the **Source** drop-down, select **Service Tag**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-KJDED70R.png)
6. Using the **Source service tag** drop-down, select **AzureFrontDoor.Backend**.
7. Enter “*” in the **Source port ranges** field.
8. Using the **Destination** drop-down, select **Any**.
9. Set the **Service** field to **HTTPS**.
10. Click **Save**.

## Adding a Valid Certificate to the Edge Appliance

Azure Front Door requires a properly signed certificate on the origin (Edge Appliance).

To add the certificate to an Edge Appliance, log in to the Edge Appliance on port 8443 and navigate to **Configuration → SSL Certificates**. A certificate can be generated by clicking **Generate Certificate** or uploaded by clicking **Upload Certificate**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-1F2IYR24.png)

## Adding an Azure Front Door

To add a Front Door, follow these steps:

1. Log in to [Azure](https://portal.azure.com/).
2. Navigate to the search bar and enter “front door”. Services are displayed in the search result. Select **Front Door**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-N2WI9LPS.png)
3. Click **Create front door**.
4. Click **Quick create**.
5. Enter the following Front Door profile attributes:

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-0DYVNIFA.png)
  1. **Subscription:**Use this drop-down to select your subscription.
  2. **Resource group:**Use this drop-down to choose a resource group.
  3. **Name:** Enter a name.
  4. **Tier**: Click **Standard**.
  5. **Endpoint name:**Generates a DNS record for all of the IPs.
  6. **Origin type:**Public IP address.
  7. **Origin host name:**Use this drop-down to pick the hostname IP address.
  8. **Caching**: Leave blank.
  9. **WAF Policy**: Leave blank.
6. Click **Review + create**.
7. Review the profile for accuracy, and click **Create**.
8. Click **Go to resource** and proceed to the [Editing the Front Door](/v1/docs/deploying-web-access-with-azure-front-door#editing-the-front-door) section.

## Editing the Front Door

After provisioning an Azure Front Door, use the following sections to complete the setup.

### Origins

To update the origin group, follow these steps:

1. From the left-hand menu, expand **Settings**, and click **Origin groups**.
2. Click **default-origin-group**. An **Update origin group** panel opens on the right side.
3. Uncheck the **Enable session affinity** checkbox.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-VAUJN86Q.png)
4. (Optional) To enable health probes, click **Enable health probes**and enter the following configuration into the provided fields:
  1. **Path**: /fs/auth/login
  2. **Protocol**: HTTPS
  3. **Probe Method**: Get
  4. **Interval (in seconds)**: 100
5. Navigate to the **Origin host name**, and click the “**…**”, followed by **edit**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-0TZQJYBP.png)
6. Using the **Update origin**panel, uncheck the **Enable the validation** checkbox. The rest of the fields remain unchanged.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-1ECY4RRN.png)
7. Click **Apply**.
8. Click **Update**.

> ***Note****: It might take a few minutes for the origin to update.*

### Rule Sets

After configuring the origin, create a rule set.

To create a rule set, follow these steps:

1. Navigate to the left-side menu, expand the **Settings**category, and click **Rule sets**.
2. Click **+Add**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-0C8HPQ9Q.png)
3. Enter a **Rule set name**.
4. Click **Add a condition**.
5. Use the **Operator** drop-down to select **Equal**.
6. Click the **Edit** in the **Values** field and use the right-side panel to enter “/”

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-5106EKE4.png)
7. At the bottom of the **Edit**panel, click **Update**.
8. Click **Add an action**.
9. Use the **Redirect type** drop-down to select **Temporary redirect**.
10. Use the **Redirect protocol** drop-down to select **HTTPS**.
11. In the **Destination path** field, enter “/fs”.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-9R5D6SZA.png)
12. Click **Save**.

### Routes

After configuring the rule set, you must configure the routes.

To configure the Front Door routes, follow these steps:

1. Navigate to the left-side menu, expand the **Settings**category, and click **Front door manager**.
2. Click **Default route**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-I9GEZB1C.png)
3. Navigate to **Redirect** and check the **Redirect all traffic to use HTTPS**checkbox.
4. Next to **Forwarding protocol**, click the **HTTPS only** radio button.
5. Click the **Rule set** drop-down, and select the rule set created in the [previous step](/v1/docs/deploying-web-access-with-azure-front-door#rule-sets).

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-YV973PRY.png)
6. Click **Update**.

## Testing

After completing the Azure Front Door configuration, follow these steps to confirm a proper setup:

1. Navigate to the left-side menu, and click **Overview**.
2. Copy the **Endpoint hostname** by clicking ![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-C3AUAOGR.png).
3. Paste the endpoint hostname into a browser and confirm that the Web Access page is displayed.

> ***Note****: If the redirect rule is not set up or working, append “/fs” to the URL.*

## FQDN Setup

To use a custom FQDN for a Web Access instance, create a CNAME record in the customer’s DNS that points to the endpoint hostname obtained in the previous step. After the FQDN is registered in DNS, configure the domain.

To set up the FQDN, follow these steps:

1. Log in to [portal.azure.com](http://portal.azure.com).
2. Navigate to **Virtual Machines**and select the Edge Appliance instance.
3. Expand the **Settings**category and select **Domains**.
4. Click **+Add**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-6BOK5HP2.png)
5. Choose a **Domain type**.
  1. **Non-Azure validated domain**: Validates the domain with a non-Azure service.
  2. **Azure pre-validated domain:**Use Azure to pre-validate the domain.
6. Choose your method of **DNS Management**.
  1. **Azure managed DNS**: Manage the DNS with Azure.
  2. **All other DNS services:**Use a service that is not Azure.
7. Use the **Custom domain**field to enter your custom domain. For example, [www.yourdomain.com.](/docs/www.yourdomain.com.)
8. Choose a **Certificate type.**
  1. Select **AFD managed (Recommended)**to have Azure create your own certificate.

> ***Note****: You must create a CNAME record or a TXT record (if DNS validation is used) in your DNS host that points to the Front Door endpoint*.
  2. Select **Bring your own certificate** to upload your own certificate.
9. Use the **TLS policy**drop-down to select the latest policy.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-RJS0VEH7.png)
10. Click **Add**.
11. Under the **Validation state**column, click **Pending**.
  1. The **Validate custom domain ownership**panel displays on the right side with instructions on verifying ownership of the domain.
12. Under the **Settings** category, click **Front Door Manager**.
13. Click the **default-route**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-73QSTYCW.png)
14. Click the **Domains** drop-down, and select the additional domain.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/image-USX59SZT.png)
15. Click **Update**.

For more information, see Azure documentation at [Domains in Azure Front Door](https://learn.microsoft.com/en-us/azure/frontdoor/domain).