Introduction

Azure Front Door relies on periodic health probes to decide whether an origin should receive live traffic. When those probes fail, Front Door starts draining or bypassing the origin, which can make a healthy-looking app appear unavailable from the public edge. Most probe failures come from host header mismatches, blocked origin access, TLS certificate problems, or probe paths that are not safe for automated checks.

Symptoms

  • Front Door marks one or more origins as unhealthy in the origin group.
  • Requests intermittently fail, route to the wrong region, or return 502/503 errors.
  • The application works from direct origin URLs but fails through Front Door.
  • Backend logs show requests with unexpected host headers or missing expected headers.
  • TLS handshake or certificate validation errors appear when Front Door checks the origin.

Common Causes

  • The configured probe path returns redirects, authorization errors, or application failures.
  • The origin expects a different host header than the one Front Door sends.
  • The backend TLS certificate does not match the hostname used for origin validation.
  • Web application firewall, NSG, IP restrictions, or application middleware block Front Door probe traffic.
  • The origin group protocol or port does not match the service actually exposed by the backend.
  • The probe path depends on downstream services that are degraded, making the origin appear down even when the web tier is reachable.

Step-by-Step Fix

  1. Review the Front Door origin group health probe settings. Record the protocol, port, path, interval, method, and any origin host header overrides.
  2. Test the exact probe URL directly against the origin. Confirm it returns a fast success response and does not redirect to login, rely on cookies, or require client context.
  3. Verify the origin host header configuration. If the backend app or reverse proxy routes by host name, make sure Front Door sends the hostname the origin expects.
  4. Check TLS validation. The certificate presented by the origin must be valid for the hostname Front Door uses, and the full certificate chain must be installed correctly.
  5. Inspect origin-side access controls. Allow Front Door traffic through NSGs, firewall rules, app access restrictions, and any reverse proxy allowlists.
  6. Simplify the probe endpoint if needed. Use a lightweight health route that confirms the web tier is ready instead of a page that depends on slow databases, external APIs, or user authentication.
  7. Validate protocol and port alignment. If the origin only serves HTTPS on 443, do not probe HTTP on 80 unless that route is intentionally supported.
  8. Watch backend logs while probes run. Match timestamps to identify whether the requests arrive, how they are handled, and what response code is returned.
  9. After updating the configuration or origin behavior, wait for Front Door to complete several probe cycles and confirm the origin transitions back to healthy.
  10. Re-test traffic through the Front Door endpoint and verify that routing, failover, and response times have normalized.