Introduction

Azure Front Door sends periodic health probes to backend pools to determine which backends are available. When health probes fail, Front Door marks the backend as unhealthy and stops routing traffic to it, potentially causing service disruption if all backends become unhealthy.

Symptoms

  • Front Door console shows backend health as "Unhealthy"
  • All traffic routed to secondary/fallback backend
  • HTTP 503 responses from Front Door when all backends are unhealthy
  • Backend server logs show Front Door probe requests returning errors

Common Causes

  • Health probe path (e.g., /health) doesn't exist on the backend
  • Backend requires authentication but probe sends no credentials
  • Probe interval and timeout too aggressive for slow backend response
  • Backend firewall blocks Front Door probe IP ranges
  • HTTPS probe with self-signed certificate or certificate mismatch

Step-by-Step Fix

  1. Check backend health status:

     ```bash
     # List each backend in the pool with its enabled state, ports, priority and weight.
     # --front-door-name is the Front Door resource; --name is the backend pool.
     az network front-door backend-pool show \
       --front-door-name my-fd \
       --resource-group my-rg \
       --name my-pool \
       --query 'backends[].{Address:address,EnabledState:enabledState,HttpPort:httpPort,HttpsPort:httpsPort,Priority:priority,Weight:weight}'
     ```

  2. Verify health probe configuration:

     ```bash
     # Show the probe settings attached to the Front Door.
     az network front-door probe show \
       --front-door-name my-fd \
       --resource-group my-rg \
       --name my-probe
     ```

     Check path, intervalInSeconds, and protocol.

  3. Test probe path directly:

     ```bash
     curl -v https://backend.example.com/health
     ```

     Ensure the backend returns HTTP 200 on the probe path.

  4. Allow Front Door probe IPs in backend firewall:

     Front Door probes come from the AzureFrontDoor.Backend service tag. Allow this in your NSG or firewall rules.

  5. Update health probe settings:

     ```bash
     # Point the probe at a path that exists and use a 30-second interval over HTTPS.
     az network front-door probe update \
       --front-door-name my-fd \
       --resource-group my-rg \
       --name my-probe \
       --path /api/health \
       --interval 30 \
       --protocol Https
     ```
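
The direct test in step 3 can be scripted so that each failure is matched to one of the causes listed under Common Causes. This is an added example, not part of the original page or of any Azure tooling; the function names `classify_probe` and `check_probe` are hypothetical, and only HTTP 200 is treated as healthy, as the steps above require.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): classify one probe attempt.

# classify_probe <curl_exit_code> <http_status>
# Prints "<verdict>: <likely cause>". Only HTTP 200 counts as healthy.
classify_probe() {
  local rc=$1 status=$2
  case "$rc" in
    0)  ;;  # curl got an HTTP response; inspect the status below
    6)  echo "unhealthy: backend host name does not resolve"; return 0 ;;
    7)  echo "unhealthy: connection refused or filtered, check firewall/NSG rules"; return 0 ;;
    28) echo "unhealthy: no response before the probe timeout"; return 0 ;;
    35|51|60) echo "unhealthy: TLS failure, certificate untrusted or name mismatch"; return 0 ;;
    *)  echo "unhealthy: curl exit code $rc"; return 0 ;;
  esac
  case "$status" in
    200)     echo "healthy: HTTP 200" ;;
    401|403) echo "unhealthy: HTTP $status, probe path requires credentials" ;;
    404)     echo "unhealthy: HTTP 404, probe path does not exist" ;;
    3??)     echo "unhealthy: HTTP $status, redirect instead of 200" ;;
    5??)     echo "unhealthy: HTTP $status, backend error" ;;
    *)       echo "unhealthy: HTTP $status, expected 200" ;;
  esac
}

# check_probe <url> [timeout_seconds]
# The 10-second default follows the timeout suggested under Prevention.
check_probe() {
  local url=$1 limit=${2:-10} status rc=0
  # "|| rc=$?" keeps curl's exit code even when the caller uses "set -e".
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time "$limit" "$url") || rc=$?
  classify_probe "$rc" "$status"
}

# Run against a real backend only when a URL is passed on the command line.
if [ "$#" -gt 0 ]; then
  check_probe "$@"
fi
```

A healthy result from your own workstation does not show that the backend firewall admits the AzureFrontDoor.Backend service tag, because the request does not originate from Front Door.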

Prevention

  • Use dedicated health check endpoints that return quickly
  • Set probe interval to 30 seconds with timeout of 10 seconds
  • Ensure backend returns HTTP 200 for the probe path
  • Monitor backend health with Azure Monitor alerts
  • Use custom probe headers to identify Front Door probe traffic