Microsoft Azure Front Door makes it easy for two apps to boost availability and security

Aug 18, 2020


Microsoft Digital used Azure Front Door to improve the reliability and strength of two internal applications. By using the service, the apps gained automated failover routing, seamless switching, and an uninterrupted user experience on a global scale.

Due to its global footprint, Microsoft relies heavily on internal applications to safely and securely promote productivity. Keeping these apps and systems current with the latest technology is the mandate of Microsoft Digital. Whether developing solutions or identifying ways to leverage existing services, Microsoft Digital is always looking to improve Microsoft’s internal tools and processes.

Two recently launched applications, Total Rewards portal in Microsoft Rewards & Compensation and Microsoft Recruit for Microsoft Global Talent Acquisition, received a boost thanks to Microsoft Azure Front Door and Microsoft Digital. With a global user base across all regions, both apps needed an easy way to manage load balancing. As traffic increased to the apps, Microsoft Digital wanted to ensure that user access was never interrupted. Microsoft Azure Front Door gives the apps a simple way to configure an instant global presence, improve the user experience, strengthen reliability, boost defenses, and introduce scalability, all without a single line of custom coding.

Identifying opportunities for the apps that keep Microsoft connected

Microsoft Recruit, a human resources app for scheduling interviews and recording feedback on candidates, helps the Microsoft Global Talent Acquisition organization hire the best talent. Developed with the latest Microsoft Azure technologies to address various scaling needs, Microsoft Recruit serves over 900 recruiters and processes close to 19,000 candidates annually. Due to the sensitive nature of our hiring process and the importance we put on an outstanding candidate experience, it’s critical that Microsoft Recruit’s availability is never compromised.

The Microsoft Rewards & Compensation team builds multiple tools to support rewards and awards across the company. With their latest launch, the Total Rewards portal, the team needed a way to ensure availability and to securely display user data. The Total Rewards portal communicates the total compensation of cash, stock, and benefits to employees, but it’s also used to share a snapshot of other rewards, like annual rewards or special stock awards. All 150,000-plus Microsoft employees use this application. Because compensation data is both highly personal and highly confidential, the Rewards & Compensation team needed reliability and security.

The Total Rewards portal requires both a production and a recovery environment. Previous rewards apps relied on manual porting, which in turn depended on engineer involvement, compounding the difficulty of keeping a global service online. Microsoft Digital wanted an automated way to route user traffic in case of disaster, but didn’t want to write custom code.

Both Microsoft Recruit and Total Rewards needed an easy and scalable way to manage traffic and API calls across multiple instances globally. However, neither wanted to engineer a new solution until all options had been exhausted. What they required was a gateway to route backend points, a solution where API points could automatically and instantly take on global failover without disruption to front-end applications. They also needed a way to leverage Microsoft domains and encapsulate service URLs, set up routing rules, reduce latency, and create a simpler way to manage certificates and HTTPS binding.

These needs led both Microsoft Digital teams to Microsoft Azure Front Door.

Why Microsoft Azure Front Door?

Microsoft Digital recognized major benefits in using Microsoft Azure Front Door.

The service defines, manages, and monitors global routing for web traffic by optimizing for best performance and by offering instant global failover for high availability. It was the multi-region solution both teams needed to transform their global applications into high-performing and reliable services.

Microsoft Azure Front Door allowed both apps to boost their global presence right out of the box. Because it scales, Microsoft Azure Front Door enables multiple instances of an API to reliably run in multiple regions without adding extra work or resources. With just a few clicks, Microsoft Digital could quickly onboard APIs into Microsoft Azure Front Door. If one of the APIs goes down for any reason, Microsoft Azure Front Door will detect the outage and seamlessly balance the load across healthy endpoints. It also automates load balancing, helping to distribute traffic as the volume of global users increases.

For both apps, completing setup only took minutes or hours, all without custom code. In addition to making the services resilient to failures, there were other benefits to the service.

For Microsoft Recruit, three primary features addressed their needs:

  • Certificate management for HTTPS binding: This feature allowed for quick onboarding.
  • Multiple endpoint configurations through backend pools: API switches are both automated and fast.
  • Domain management without downtime: Front-end domains are easily moved and managed without taking down the system.

Microsoft Azure Front Door enabled Microsoft Recruit to set up multiple back-end pools and routing rules with custom domain support. These capabilities ensured zero downtime while delivering critical features to Microsoft recruiters, managers, and interviewers.

Not only did Microsoft Azure Front Door’s automatic instant failover immediately resolve manual disaster recovery challenges for Microsoft’s Rewards & Compensation application, but it also provided other key benefits:

  • Mechanisms to probe service health: Periodic synthetic requests sent to configured backends not only gauge the health of APIs, but also inform routing decisions.
  • Rules to automate traffic thresholds without manual intervention: The team could establish routing rules for multiple micro-services. When paired with monitoring probes, these preconfigured thresholds auto-detect backend failures.
  • Seamless routing of backend traffic in case of failure: If a failure occurs, traffic is automatically routed to a healthy environment instantly. Users are unaware of any service interruptions.
  • Easy HTTPS redirection and faster web-based traffic: Microsoft Azure Front Door works at the application layer. Switching between environments is both faster and easier.
  • URL-based routing: Users can easily create rules for connecting traffic to appropriate backend pools.
  • Custom domain configuration: Users can also easily add and manage custom domains.

In addition to Microsoft Azure Front Door, Microsoft Digital also leveraged Microsoft Azure Web App Firewall for the Total Rewards portal.

Microsoft Azure Web App Firewall provides protection against multiple application layer threats. A separate offering, Microsoft Azure Web App Firewall sits on the same data plane as Microsoft Azure Front Door, making it an easy way to enhance existing security measures. Since Rewards & Compensation tools display user data, the apps need to be safe against SQL injection and other data exfiltration attack vectors. All SQL security standards have already been implemented, but Microsoft Azure Web App Firewall uses OWASP core rule sets to give extra protection against common threats, including DDoS attacks, cross-site scripting, SQL injection, and protocol attacks. Microsoft Azure Web App Firewall also protects microservice APIs from XSS attacks and other exploits.

Microsoft Azure Web App Firewall grants Rewards & Compensation the ability to actively monitor for attacks in real-time, reinforcing peace of mind. This lets Microsoft Digital concentrate on the core business of the Rewards & Compensation application, not on defending against various types of attacks.

Based on the security benefits seen while using Microsoft Azure Web App Firewall in the Rewards & Compensation app, Microsoft Digital is currently looking into using the firewall for Microsoft Recruit.

Easy to use and highly reliable

Microsoft Azure Front Door gave the apps reliability, security, and performance, all on a global scale.

While it’s possible to build a global footprint for an application, Microsoft Azure Front Door already integrates this scale and functionality into the service. For both apps discussed in this article, ease of use made for immediate success, especially when contrasted with the time and effort required to engineer a new solution. Clear and comprehensive documentation meant Microsoft Digital could set up Microsoft Azure Front Door to fulfill needs with speed and certainty. Onboarding was intuitive, and users could easily establish routing rules and policies.

As an application makes calls to back-end pools, Azure Front Door's geo-replication creates seamless and automated failover environments.
Figure 1. Microsoft Azure Front Door allows apps to run in multiple regions. This architecture gave the Total Rewards portal and Microsoft Recruit the high reliability they were looking for.

Total Rewards and Microsoft Recruit users have benefited from instant failover routing, which has improved reliability and created a disruption-free experience. Optimization within the service has resulted in increased HTTP performance. Inherent protections provided by Microsoft Azure Web App Firewall against varied application layer attacks have kept the tools online and healthy.

Microsoft Recruit now has the scalable gateway needed to balance traffic across regions. The app uses automatic HTTPS redirects with self-maintained certificates from Microsoft Azure Front Door. Additionally, the service manages the domains and backend pools used by the tool.

Rewards & Compensation was able to quickly connect its wide array of APIs and front-end apps without a single line of custom code. The app’s built-in smart probes and its re-routing capability have eliminated its reliance on manually porting to disaster recovery environments.

Important takeaways from implementing Microsoft Azure Front Door

Setup of Microsoft Azure Front Door is a straightforward way of gaining a global footprint, but Microsoft Digital recommends familiarizing yourself with the documentation before jumping in. Once familiar, create a plan for a front-end domain, backend pools, and how routing rules need to be calibrated. Have a blueprint in place before loading everything into Microsoft Azure Portal. With good planning, Microsoft Azure Front Door will only take a fraction of the time it takes to implement a typical content delivery solution.

Since Microsoft Azure Front Door has many edge environments globally, you should adjust its backend health probe frequency as needed. Health probe request volumes to your backend can be quite high, ranging from 25 requests every minute to a maximum of 1,200 requests per minute, depending on your configuration. Microsoft Azure Front Door lets you adjust the interval of requests, allowing you to control probe frequency. Additionally, you can adjust the sample size and success samples required to fit your health benchmarking needs.

As with other Microsoft Azure Front Door documentation, the steps for HTTP to HTTPS redirection are comprehensive and easy to follow. You can find the tutorial for configuring Front Door with HTTP to HTTPS redirection online. Use it to help you set up rules for redirecting and forwarding requests.

Ensure that only Microsoft Azure Front Door edges can communicate with your web application. Locking down the backend web applications to Microsoft Azure Front Door prevents anyone from bypassing Microsoft Azure Web App Firewall protections and accessing the app directly.
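One way to enforce this lock-down inside the backend itself, as an added example that is not code from Microsoft Digital or from the article: accept a request only when the peer address is in the Front Door backend ranges and the `X-Azure-FDID` header, which Front Door adds to forwarded requests, matches your own profile. The Front Door ID below is a placeholder, the address ranges are constructed documentation ranges standing in for the `AzureFrontDoor.Backend` service tag, and the function name is hypothetical.

```python
import hmac
import ipaddress

# Placeholder: replace with the ID of your own Front Door profile.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"

# Constructed sample ranges (RFC 5737 documentation space). In production,
# load the current AzureFrontDoor.Backend service tag ranges instead.
EDGE_RANGES = [ipaddress.ip_network(c)
               for c in ("203.0.113.0/24", "198.51.100.0/24")]


def is_from_front_door(peer_ip, headers,
                       expected_fdid=EXPECTED_FDID, edge_ranges=EDGE_RANGES):
    """Return (allowed, reason) for one inbound request.

    peer_ip -- TCP peer address seen by the backend (not X-Forwarded-For,
               which the client controls).
    headers -- list of (name, value) pairs, so duplicates stay visible.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable peer address"

    # Check 1: network origin. The edge ranges are shared by every Front Door
    # customer, so this alone does not prove the request used *your* profile.
    if not any(addr in net for net in edge_ranges):
        return False, "peer not in edge ranges"

    # Check 2: profile identity. Header names are case-insensitive; a missing
    # or repeated header is rejected rather than guessed at.
    values = [v for k, v in headers if k.lower() == "x-azure-fdid"]
    if len(values) != 1:
        return False, "missing or duplicated X-Azure-FDID"

    got = values[0].strip().lower().encode()
    want = expected_fdid.lower().encode()
    if not hmac.compare_digest(got, want):  # constant-time comparison
        return False, "X-Azure-FDID mismatch"
    return True, "ok"
```

Both checks are needed together: the header can be forged by anyone who reaches the backend directly, and the address ranges also carry traffic from other tenants' Front Door profiles.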

What’s next for Microsoft Recruit and Rewards & Compensation?

Microsoft Digital isn’t done leveraging all of the benefits of Microsoft Azure Front Door. Microsoft Recruit wants to look at how rule configurations could further enhance their app. Similar to setting policies within Azure’s API manager, Microsoft Azure Front Door can establish rules for automatic redirects. Microsoft Recruit has global traffic, and being able to establish threshold policies for automatic redirects during high-traffic sessions will be critical for delivering optimal app performance and a strong user experience.

Rewards & Compensation is interested in Microsoft Azure Front Door’s caching features. By using storage-based blobs to store micro UI files, Microsoft Digital will be able to eliminate the dependency on a content delivery solution, moving the UI nearer to the user and domain. In removing the content delivery network and its distributed servers from the equation, data no longer needs to be copied and cached across the entire delivery network, enhancing the experience for users.

The company continues to add new features to Microsoft Azure Front Door and Microsoft Web App Firewall, including new Bot Manager capabilities, increased flexibility with the Rules Engine, and new Microsoft Digital workloads, including static heavy ones. In addition to the services already offered, these new developments will continue to have major impacts as the company incorporates Microsoft Azure Front Door into our other applications.

Microsoft Azure Front Door Services gave both apps the reliable, scalable solution needed for a global footprint without having to build a solution or write custom code. Using an existing service allowed both apps to resolve availability needs and access additional benefits without committing resources to developing a new solution. Being able to onboard in a matter of days meant Microsoft Digital saw immediate outcomes, including improved performance across all regions. But bigger than all of that, internal and external users who rely on these apps for key communications are now experiencing these applications without disruption.